April 3, 2019 | IBM i

Cybersecurity Best Practices and Keeping Current


Given the pressing need for organizations to detect and stop cybersecurity attacks before they cripple the business, here are four ways Small and Medium-sized Businesses (SMBs) can keep current and fight cybersecurity attacks.

The four ways to improve cybersecurity best practices

1. Defining your organizational structure for dealing with cybersecurity
2. Identifying threats and opportunities to improve cybersecurity
3. Daily cybersecurity education
4. Mobilize your organization for cybersecurity

The Best Practice of Defining your organizational structure for dealing with cybersecurity

When it comes to cybersecurity, you'll need backup, particularly in SMBs, which tend to run on small staffs.


To keep current, invest in at least one resource whose primary responsibility is cybersecurity. If you can't afford full-time cybersecurity help, cultivate cybersecurity consultants who can be on hand for analysis, testing, best-practice recommendations, deployment, and rapid response. You don't want to start looking for resources after a cyber attack happens. Make sure you have your cybersecurity team in place before you need them.

Find skills and help for cybersecurity issues from these sources:

  • Certification programs to increase cybersecurity skills: certifications such as CompTIA Security+, CISSP (Certified Information Systems Security Professional), and CISM (Certified Information Security Manager) will better prepare your resources to deal with outside threats.
  • Technology vendor training: check with your security vendors to see what additional training they can provide, so you understand how best to leverage their technology for cybersecurity.
  • Business partners: partner with an outside company that specializes in cybersecurity to provide analysis, testing, configuration, response, and remediation for cybersecurity threats. A partnership can be a more attractive option for SMBs, which don't always have the resources to set up a department (or even a single employee) to handle cybersecurity.


Make sure your organization understands who has primary responsibility for planning cybersecurity strategy and answering questions about cybersecurity issues. The critical question to answer is: what is our organizational structure for dealing with cybersecurity threats, and who has the primary responsibility for mobilizing our applications and infrastructure against those threats?


Cybersecurity is everyone’s problem, but you also need a core group in place that can coordinate, direct, and educate others about cybersecurity initiatives.

The Best Practice of Identifying threats and opportunities to improve cybersecurity

Your most significant responsibility is to harden your network against cyber attacks: to understand where your infrastructure is vulnerable and what needs to be improved. The two most common ways to analyze your infrastructure for cybersecurity vulnerabilities are:

Vulnerability assessments: using automated network scanning tools, a vulnerability assessment identifies and reports on vulnerabilities in your devices, computers, applications, and network infrastructure. It defines the security weaknesses in your environment and gives you the information you need to remediate them. Vulnerability assessments should not be treated as one-time events. Staff should perform them regularly, and especially after network changes such as new applications coming on-line, additional services being added to your network, or new ports being opened in your network infrastructure.

Penetration testing (pen testing): you may already be required to perform penetration testing to satisfy customer or regulatory audits, particularly under the Payment Card Industry Data Security Standard (PCI DSS). Whereas a vulnerability assessment scans your organization for vulnerabilities, pen testing attempts to discover and exploit security weaknesses to determine whether unauthorized access to your systems is actually possible. Penetration testing not only tests infrastructure security; it can also examine security policies, adherence to compliance standards, employee security awareness, and how well an organization identifies and responds to security events.
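The "re-assess after network changes" rule above is easiest to enforce when each assessment is compared against the previous one, so that a new host, a newly opened port or a changed service version is flagged rather than buried in a full report. The following is an added example, not code from the original article: it assumes scan results in nmap's grepable (-oG) output format, and the two snapshots it compares are constructed for illustration rather than captured from a real network.

```python
"""Compare two vulnerability-assessment snapshots and report what changed.

Added example, not code from the original article. It assumes scan output
in nmap's grepable (-oG) format, one "Host:" line per target; the two
snapshots below are constructed for illustration, not real scan data.
"""
import re
from dataclasses import dataclass, field

# Constructed baseline: the previous assessment, before any network change.
BASELINE = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx 1.18.0/
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/
"""

# Constructed current scan: a new service on .5, RDP opened on .9 plus an
# SSH upgrade, and a host that did not exist at the last assessment.
CURRENT = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx 1.18.0/, 8080/open/tcp//http-proxy//Jetty 9.4/
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.12 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.6/
"""

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {(port, proto): (service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = {}
        if "Ports:" in line:
            entries = line.split("Ports:", 1)[1]
            for port, state, proto, svc, ver in PORT_RE.findall(entries):
                if state == "open":
                    ports[(int(port), proto)] = (svc, ver)
        hosts[host] = ports
    return hosts


@dataclass
class Delta:
    new_hosts: list = field(default_factory=list)        # host
    new_ports: list = field(default_factory=list)        # (host, port, proto, service)
    closed_ports: list = field(default_factory=list)     # (host, port, proto)
    version_changes: list = field(default_factory=list)  # (host, port, proto, old, new)


def diff_snapshots(baseline_text, current_text):
    """Diff the current scan against the baseline, host by host."""
    before, after = parse_grepable(baseline_text), parse_grepable(current_text)
    d = Delta()
    for host, ports in after.items():
        if host not in before:
            # A host that was not in the last assessment: every open port is new.
            d.new_hosts.append(host)
            for (port, proto), (svc, _) in sorted(ports.items()):
                d.new_ports.append((host, port, proto, svc))
            continue
        old = before[host]
        for (port, proto), (svc, ver) in sorted(ports.items()):
            if (port, proto) not in old:
                d.new_ports.append((host, port, proto, svc))
            elif old[(port, proto)][1] != ver:
                d.version_changes.append((host, port, proto, old[(port, proto)][1], ver))
        for port, proto in sorted(old):
            if (port, proto) not in ports:
                d.closed_ports.append((host, port, proto))
    return d


def needs_reassessment(delta):
    """New hosts, new ports or changed services are the triggers named in the text."""
    return bool(delta.new_hosts or delta.new_ports or delta.version_changes)


def report(delta):
    """Human-readable change lines, newest exposure first."""
    lines = [f"new host: {h}" for h in delta.new_hosts]
    lines += [f"new open port: {h}:{p}/{pr} ({svc or 'unknown service'})"
              for h, p, pr, svc in delta.new_ports]
    lines += [f"version change: {h}:{p}/{pr} {old!r} -> {new!r}"
              for h, p, pr, old, new in delta.version_changes]
    lines += [f"port closed: {h}:{p}/{pr}" for h, p, pr in delta.closed_ports]
    return lines


if __name__ == "__main__":
    delta = diff_snapshots(BASELINE, CURRENT)
    for line in report(delta):
        print(line)
    print("re-assessment needed:", needs_reassessment(delta))
```

Only open ports are kept, so a port that moved from open to filtered shows up as closed; hosts that disappear between scans are not reported, because a missing host is usually a scan-coverage problem rather than a new exposure and deserves a separate check.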


These activities can be headed up by the cybersecurity team identified in step one.

The Best Practice of Daily cybersecurity education

Keeping current on cybersecurity isn't a one-time event. It requires constant monitoring and updating to keep your skills current and your network safe. You can keep your staff's cybersecurity knowledge up-to-date through:

  • Reading blogs and online news on current cybersecurity topics
  • Subscribing to cybersecurity newsletters and alerts
  • Finding and following cybersecurity experts on social media
  • Checking vulnerability and risk advisory feeds
  • Listening to cybersecurity podcasts

The intent isn't to weigh down your staff with daily cybersecurity homework. Instead, you want them (and yourself) to include cybersecurity reading and research alongside whatever other reading and research they already do for their jobs. Developers should be researching secure programming alongside programming for database access speed. Network engineers should be adding cybersecurity protection to their infrastructure education. Whatever daily professional research your IT staff already do, it should be augmented with daily cybersecurity reading to keep up with the latest techniques and threats.


Managers and executives can encourage daily education by adopting the practice themselves and encouraging their entire staff to do the same. New cybersecurity methods, news, and techniques can be included in daily IT huddles, made part of lunch-and-learn training, and included as improvement objectives in annual goals. IT staff should be required to find and understand the current state of cybersecurity every day.


Daily cybersecurity news is easy to find. Just Google "cybersecurity news" and follow the results. Once your staff get used to treating cybersecurity as part of their daily jobs, they'll build it into your apps and infrastructure and make your organization safer.

The Best Practice of Mobilize your organization for cybersecurity

Aside from the previous steps, you should also mobilize your entire organization and your business partners: raise cybersecurity awareness and teach people what to do if they see a cybersecurity threat. Raising cybersecurity awareness gives ordinary users the information they need to recognize and report threats such as phishing email and ransomware.

You'll want to mobilize your content owners, internal users, vendors, and customers as a "neighborhood watch" for cyber threats. They should be armed with the knowledge of how to spot cyber threats and what to do when they see a cyber attack. The more they understand threats and how to avoid cyber attacks, the fewer threats can slip through your network.


There are many ways to enlist your entire organization in cybersecurity, including:

  • Recruiting HR to include cybersecurity threat detection and response in your employee manual and as part of new user orientation and on-going employee training.
  • Publishing and distributing cybersecurity awareness material through emails, Web site posts, company forums, and other company-wide publications.
  • Working with content owners who are responsible for applications. In a DevOps environment, applications are often owned by a user department rather than IT. Make sure that any non-IT staff responsible for developing and maintaining apps are also aware of how to detect and deal with cybersecurity threats. Strive to build cybersecurity protection into your organization's application development process.
  • Posting cybersecurity awareness information through ads, articles, Facebook and LinkedIn posts, and other communications for customers and vendors who transact business with your organization through apps and over the Internet.