Mitigating Cyber Threats
The cybersecurity efforts of organizations must continually evolve to adapt to both their changing operations and changing cyber threats. However, constant evolution takes focus and resources, and can feel daunting for many organizations.
So, where should you start? Below are some strategies you can embed into your operations to ensure that your cybersecurity efforts evolve with your day-to-day activities. This will help you to continually mitigate the ever-changing cyber risks.
1. Separate Your IT and Information Security Operations
Start by understanding the differences between Information Technology (IT) and Information Security (InfoSec) operations. Many people still view these two separate functions as one. But, while they are complementary, IT and InfoSec have different goals and objectives.
Your IT team should ensure that your systems operate properly and efficiently. The IT team also makes sure employees have solutions to achieve your organization’s operational goals. Information Security (InfoSec) is responsible for securing those assets and your data. IT staff often consider security aspects; however, when an individual or department performs both functions, InfoSec goals often lose priority when a challenging IT issue, budgetary limitation, or other resource constraint arises. This often leads to assets not being protected comprehensively.
2. Establish a Culture of Security — Starting at the Top
Cybersecurity efforts vary from organization to organization. However, security awareness should be embedded in every layer of operations at all organizations. If your InfoSec personnel are not on your management team, they should be visible to your board or executive leadership. They should present regular updates to these groups. This will ensure that your organization’s decision-makers have a keen understanding of the cyber threats you face, and the actions required to mitigate them. Without this, InfoSec teams often cannot successfully advocate for the support needed to achieve cybersecurity objectives.
3. Increase Employee Awareness
Cybersecurity training has been a pivotal control for years. It remains one of the most important steps an organization can take to help prevent cyberattacks. Training and awareness programs help end users understand the “why” behind your cybersecurity efforts. This is imperative for successful control implementations. If employees don’t understand how changes in their processes support your organization’s security goals, they may deviate from best practices for the sake of operational efficiency. This can inadvertently jeopardize your security efforts.
4. Understand That Outsourcing Doesn’t Remove Your Risk or Responsibility
Your cyber risks don’t disappear when you outsource functions or move assets to the cloud. Instead, how you mitigate them should evolve.
For example, unauthorized access to a critical application is a risk whether the application is hosted in your office or at a vendor’s data center. When you host that system internally, your controls protect it. When you outsource, you rely on your vendor’s controls. However, you may still be responsible for training end users, administering access rights, and configuring data retention policies and authentication controls. Your vendor may have strong network security controls, but if your employee discloses a password by clicking on a phishing link and you didn’t enable multi-factor authentication, your data will be jeopardized because you didn’t mitigate the threat.
Vendor management is also vital. If your vendor suffers a cyberattack, it is still your problem. If the vendor is the victim of a ransomware attack and can’t restore from backups, you are the one without your data. Therefore, regularly vet the practices of your service providers. Be sure you are comfortable with the steps they are taking to secure your data.
5. Implement Controls That Evolve with Threats
Organizations must enhance their cybersecurity to address changing cyber risks. As you do this, remember that bad actors will continually evolve their attempts, too, and there will never be a single control that mitigates all threats.
Consider controls that can be layered and that support the prevention, detection, and response to unusual activities. By focusing on suspicious activity instead of a single known threat action, your tools can better evolve to mitigate threats that have not even been identified yet. Cybersecurity takes investment, so make the investment count for years to come.
Remember That You’re Not Alone
Cybersecurity is a concern for every organization in every industry. Create a network of support. Lean on other organizations, law enforcement, and governmental agencies for ideas, resources, and information sharing. By helping each other create a more secure environment, we can create a more secure cyber world for all of us.
Allison Ward is a Partner at CapinTech, a CapinCrouse company. Allison provides information security consulting services for nonprofits, educational institutions, and a variety of other organizations. She stays current on changing threats to design assessment procedures to aid clients in implementing appropriate controls to protect against evolving cybersecurity threats.
Learn more about Outcomes magazine.
Allison Ward and Lindsey Whinnery will co-teach a workshop “Cyber Threat and Control Update” at The Outcomes Conference 2024, April 9-11, Jacksonville, FL.