Synopsis

Let’s be honest, unless you are hired to be a Security Officer for a company, creating a cyber security plan is not your main priority.  Well, in this day and age, I would rethink your strategy and embrace cyber security as a common practice for any business, small or large.

I will talk about strategies that I have read about and implemented in my job as an IT Director that will help you feel less threatened.  Creating one of the most important plans should not be one of those tasks that goes on the “procrastinate” bucket list.  You do not want to be explaining to your boss why some hacker in some overseas company is asking for 100 bitcoin for “your” data back.

Understand your data.

To begin, let’s take a look at what exactly is on your network that is valuable.  As any IT administrator should know, knowing the what, where, when, why and how of your data is top priority, and applying that to your security plan will help you.  If you don’t know what to protect, then your plan will have holes that may not be found until disaster hits.

For instance, knowing that all employees have shared network drives where documents and spreadsheets are stored is great, but what about that software package the sales department uses to store personal information about clients in its database?  Do you know where that database is?  Do you know how often that database is backed up?  Once you know where all your data resides, you will know what to back up.

Backup, backup, and oh yeah, don’t forget to backup!

Backups, to me, are the key to availability of your data.  When you get hit with ransomware, and trust me, it’s not a matter of if but when, you will thank the “IT” gods that you have that data stored and protected onsite and offsite.  Being able to replace files that have been encrypted by some form of ransomware will not only make you sleep better at night but will make you feel like a savior to upper management.

“Password” is not a good password

A password policy is also a must when implementing your plan.  Having a policy tells employees that this is law and they must follow the law.  All passwords should be, at the minimum, 12 characters long and must contain at least 2 of these 3 character sets: a capital letter, a symbol and a number.  Now, requiring more than 12 characters is up to you and management, and longer passwords will take a hacker months or even years to crack.
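As an added example (my own code, not part of the original post), here is a small Python checker for the policy above: a minimum of 12 characters and at least 2 of the 3 character sets. It also rejects “Password” and obvious decorations of it, which goes one step beyond the stated rule; the deny list, the sample passwords and the function names are my own assumptions.

```python
import string

# Thresholds come straight from the policy in the post.
MIN_LENGTH = 12
REQUIRED_SETS = 2
# Constructed deny list; "password" is the post's own example of a bad password.
DENY_LIST = {"password"}


def character_sets(password: str) -> set:
    """Return which of the three policy character sets the password uses."""
    found = set()
    if any(c.isupper() for c in password):
        found.add("capital")
    if any(c.isdigit() for c in password):
        found.add("number")
    if any(c in string.punctuation for c in password):
        found.add("symbol")
    return found


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    sets = character_sets(password)
    if len(sets) < REQUIRED_SETS:
        problems.append(
            f"uses only {len(sets)} of the 3 character sets (capital, symbol, number)"
        )
    # Strip leading/trailing digits and symbols so "Password123!" is still caught.
    base = password.lower().strip(string.punctuation + string.digits)
    if password.lower() in DENY_LIST or base in DENY_LIST:
        problems.append("is a well-known bad password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for pw in ["Password", "Password123!", "correcthorsebatterystaple", "Tr0ub4dor&3x"]:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that “Password123!” satisfies the length and character-set rules yet is still rejected, which is why a deny list belongs next to the complexity rule.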

Phishing and how I caught the big one

Security is not just focused on the tech side; you have the human side as well, and to me this is the biggest thing to really focus on.  Humans are probably the weakest link in any security plan, and phishing really takes advantage of this.

Phishing is an art form, and it’s getting better every day.  Train your staff to know that when they receive an email, they should really take a closer look at that link the boss apparently sent them.  Make it a necessity to have all staff go through training, and not just once but annually or even quarterly.  People forget training, and you need them to be aware that this is important to know.

You have been hit, what next?

Even though you have taken precautions to prevent this, realize that no cyber security plan is 100% effective.  Things will happen that are beyond your control, but it’s better to have something in place than nothing at all.

First, stay calm.  Make sure your plan documents the steps needed to walk you through an attack.  Do you have contacts you need to call?  Management?  Local authorities?  What if the attack is still going on: do you block them, or do you watch what they are doing and how they got in?  These are things that need to be considered and noted in your security response plan.

NIST has a great response plan already written up that you can modify and use for your own.  This plan breaks down the steps in more detail on what needs to be done.  Check out the chapter that talks about incident handling.

Conclusion

Having a cyber security plan is something that needs to be implemented in any business that has sensitive data.  If you wake up one morning and find all your data is lost, stolen or manipulated in any way, then sit down with management and hash out a plan.  Once a plan is in place, you have to make sure you review this plan quarterly or annually.  Technology is ever changing, and if you are not updating then you are failing.

Check out these statistics:

98% of tested web apps are vulnerable to attack
90% of large organisations reported suffering a security breach
75% of directors are not involved in the review of cyber security risks
93% of DPA breaches are caused by human error
Online banking fraud increases 48% year-on-year
144% increase in successful cyber attacks on businesses

So when that next ransomware hits you, don’t panic, be prepared.

References

6 truly shocking cyber security statistics
How to create a cybersecurity strategy
NIST computer security handling guide
What is phishing?