The thought that you can completely prevent risk from a cyber-attack is a not a realistic expectation. According to the Oxford Dictionary prevention is “the act of stopping something from happening or arising” In the ever-evolving frontlines of cyber security, prevention is an illusion. The reality is that you need to manage your risk. Breaches and cyber-attacks happen every day to even the best protected organizations. Instead of prevention we need to focus on managing to an acceptable level of risk. This is an ever changing and evolving world we live and work in and it is impossible to eliminate all risk. Hackers or “threat actors” are out looking for the low hanging fruit. That means that they are trying to find holes in systems and software that have well known vulnerabilities. This could be a piece of machinery that you have connected to Wi-Fi at your business. These are easy paydays for them, and easy targets maximize their payday and minimize their risk and time spent. As an organization you need to have those tough conversations internally and figure out what an acceptable and manageable amount of risk you can live with. I can’t stress this enough you need the ownership or upper management to buy in. Many companies that have cyber insurance require you to have a risk management policy in place to ensure your doing your part before you can be insured under their policy. There are several ways to look at the most up to date threats. Website, emails, podcasts, alerts, and blogs are put out daily to ensure that your cyber team or consultants can stay up to date on the latest threats that can affect your companies’ assets. NIST or the National Institute of Standards and Technology has a published Cyber Security Framework. This is a set of guidelines, documents, standards, and best practices that are broken into 3 parts: The Framework Core, The Framework Implementation Tiers, and Framework Profiles. Its purpose is to reduce a company’s exposures and weaknesses. Here is a list of 15 things we believe that can help your company better manage risk.
Know and monitor your Assets and Network
- Encrypt your data and emails
- Run regular backups
- Systems and software need to be updated regularly
- Use strong passwords and password vaults
- Reduce your attack surface
- Physical asset security
- Monitor ongoing cyber threat intelligence
- Create a risk plan
- Create risk responses
- Ownership and Upper management support
- Employee training
- Strong vendor relationships
- Develop and enforce security policies and standards
- Compliance for applicable regulations