The cybersecurity threat landscape has changed dramatically in the last few years. No longer primarily a big-business concern, cybersecurity has become a key focus of businesses small and large. Attacks on SMBs are on the rise, perhaps because they represent a plentiful and often easy target. And the cost of damage and disruption to business just keeps going up.
Cybersecurity is not a problem you can simply throw a bunch of money and tools at to fix.
No matter how much great software or how many fancy systems you implement, people will always be a big part of the equation. Over half of reported data breaches are attributed to negligent employees or contractors.
That means nearly half of all attacks are executed through phishing or social engineering. The only tool that addresses this problem is education. Efforts should focus on security awareness and on training workers to be cautious to the point of near-paranoia. Better safe than sorry in this case.
Training workers to be more careful as they work with emails, documents and websites is part of it, but there is much more to making sure the business is addressing the entire cybersecurity issue. NIST (National Institute of Standards and Technology) offers a wide variety of information and guides that businesses can use to learn more about and implement cybersecurity practices. Among these resources is the Cybersecurity Framework.
According to NIST, “the Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.” It is a highly useful tool in helping the business align and prioritize activities with business requirements, risk tolerances and resources. The standard framework includes elements that are consistent and common across sectors and critical infrastructure, so it can be oriented to any business.
Even if the business is not prepared to delve into the details of a comprehensive cybersecurity policy and guideline, going without at least a basic outline and approach is asking for disaster.
Putting this squarely into the Risk Management category, there is an ongoing process of identifying, assessing, and responding to risk situations or conditions. To manage the risk, businesses need to consider the likelihood that an event will occur and what the potential impact is as a result.
The acceptable level of risk a business is willing to carry in pursuit of its objectives is its risk tolerance. If a business understands its risk tolerance, the company can prioritize cybersecurity activities and make informed decisions about cybersecurity expenditures.
There are five key functions to consider as it relates to cybersecurity risk: Identification, Protection, Detection, Response and Recovery. How the business addresses each of these in the context of the systems and activities is essentially the business’s cybersecurity posture, a high-level and somewhat strategic view of the organization’s management of cybersecurity risk.
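To make the likelihood-and-impact reasoning above concrete, here is a small added example (not part of the original article or of NIST's own material) that scores a constructed risk register, drops everything at or below a chosen risk tolerance, and reports how many of the remaining risks each of the five Framework functions would address. The 1-to-5 scales, the tolerance threshold of 9, and the register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass

# The five Framework core functions named in the text; used to group risks.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    function: str    # Framework function whose activities would address it

    def score(self) -> int:
        """Risk score = likelihood x impact, after validating the inputs."""
        if not 1 <= self.likelihood <= 5 or not 1 <= self.impact <= 5:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if self.function not in FUNCTIONS:
            raise ValueError(f"{self.name}: unknown function {self.function!r}")
        return self.likelihood * self.impact


# Constructed sample register; values are illustrative, not measured data.
REGISTER = [
    Risk("Phishing email leads to credential theft", 5, 4, "Protect"),
    Risk("Unpatched remote desktop host", 3, 5, "Protect"),
    Risk("No inventory of laptops holding business data", 4, 3, "Identify"),
    Risk("Ransomware on file server, no tested restore", 2, 5, "Recover"),
    Risk("Compromise goes unnoticed for months", 3, 4, "Detect"),
    Risk("Printer firmware out of date", 2, 1, "Protect"),
]


def prioritize(register, tolerance):
    """Return risks whose score exceeds the tolerance, highest score first.

    Ties are broken by name so the ordering is stable and reproducible.
    """
    above = [r for r in register if r.score() > tolerance]
    return sorted(above, key=lambda r: (-r.score(), r.name))


def function_summary(register, tolerance):
    """Count, per Framework function, the above-tolerance risks it would address."""
    counts = {f: 0 for f in FUNCTIONS}
    for r in prioritize(register, tolerance):
        counts[r.function] += 1
    return counts


if __name__ == "__main__":
    TOLERANCE = 9  # assumed threshold: scores of 9 or less are accepted as-is
    for r in prioritize(REGISTER, TOLERANCE):
        print(f"{r.score():>2}  {r.function:<8} {r.name}")
    print(function_summary(REGISTER, TOLERANCE))
```

Running it lists the five risks scoring above 9 in priority order (the phishing risk first at 20) and shows that two of them fall under Protect, with none under Respond; that gap in the summary is exactly the kind of signal a business would use to decide where its next cybersecurity dollars go.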
The key to building a solid foundation for business cybersecurity practice is to establish a platform where all the business applications and data can be identified and access secured.
User desktops, productivity applications, operational software and business data can be hosted on private cloud servers, allowing the business to fully manage data and application access. The server-based model reduces or eliminates the need to sync data to devices, and remote desktops keep user environments secure, patched and up to date.
Our consultants can’t write your cybersecurity policies or determine your risk tolerance, but we can help implement a solution that improves fault tolerance, resilience, and recovery.