Strengthening Your Cybersecurity Plan
Laying the groundwork
Just how robust is your cybersecurity plan? Are you certain that you don’t have to worry about data loss, downtime, reputation damage, and lost revenue?
Have you had a risk assessment recently and are you sure that your workforce, your technology, and your physical environment are secure? An upfront risk assessment is the KEY input into your cyber security plan.
Chances are you already have a cybersecurity plan in place for your organization. It may be a plan that was written to meet regulatory requirements. Alternatively, it may be a plan written to ensure the continual operation of your organization and to protect the private data stored and processed. Regardless of the stated intent, every cybersecurity plan should include the following elements; these elements correspond to the NIST SP800-53 cybersecurity framework.
- The organization’s general attitude toward risk-averse, neutral, or accepting.
- A statement on the importance of cybersecurity from leadership to individual contributor.
- A statement of commitment to adhere to any applicable regulations such as HIPAA, PCI, 23 NYCRR 500, etc
- Specific incident response procedures outlining what each internal and external stakeholder will do in the event of a data breach or other adverse cybersecurity event.
- A statement of the importance and frequency of performing ongoing cybersecurity tasks such as risk assessments, vulnerability assessments, and penetration tests. Remember, as your environment changes (new technology, merger, acquisition, or re-org), your initial risk baseline will shift significantly.
- A statement on how your organization handles logical access control such as users logging into systems, firewall requirements, and network traffic filtering.
- A statement on physical security including visitor sign-in requirements, door locks or keypads, fire suppression, and security cameras.
- A statement on data protection including handling malware and malicious activity.
- A statement on how your organization manages hardware and software configurations and also manages changes to them.
- A statement of how information security monitoring is to be handled including how stakeholders are notified in the event of a red flag.
- A statement on how the organization will recover from a physical or cyber disaster to ensure the continuous operation of the organization, even if in a degraded state.
- A statement on data privacy practices and expectations for employees to ensure the privacy of sensitive or confidential data.
Sometimes these policy statements are broken out into different policies. Sometimes they’re included in a bigger, overarching Written Information Security Program (WISP). Whether broken out or lumped into an all-encompassing WISP, each of these areas requires thoughtful consideration and written statements for how the company will handle every area of concern.
Once your plan contains the right elements, it’s important to bake the plan into regular conversations with employees. The main problem with the policy is that it’s often written only to be set aside in a three-ring binder and never revisited. If you’re going to do this, you may as well not write the policy in the first place.
For policy to be effective, it needs to be regularly reviewed with staff and updated upon significant changes to the business or its technology. An easy way to ensure your cyber policy is being reviewed is to incorporate it in your annual or bi-annual employee review discussions. And please, do not simply hand the employee a stack of paper and trust them to read it on their own. Discuss it together and answer any questions the employee may have. Again, the policy is pointless unless it’s updated regularly and understood, and followed by all employees.
The groundwork for establishing a solid cybersecurity plan has been laid. However, good plans aren’t static. They change. They adapt.
Three current threat trends and what to do about them
Cybersecurity relies on a WISP (Written Information Security Plan). A WISP enables you to protect private data and fend off cyber-attacks – ensuring your company’s ability to operate with minimal interruption. Furthermore, businesses need to adjust their cybersecurity plan to protect against new threats.
Currently, there are three current cybersecurity threat trends and savvy business professionals know how to combat them. If you aren’t implementing the protections discussed, please give serious thought to doing so. Initiate a conversation with all security stakeholders in the enterprise and build the protections into your next budget cycle.
Threat 1: Most network traffic is encrypted and it’s going in and out of your network uninspected
As of November 24, 2018, 80% of web pages accessed by the Google Chrome browser on Microsoft Windows PCs are encrypted. For Mac users, this figure is 87%.  This means that well over two-thirds of the data coming into and leaving your network is encrypted, including potentially malicious traffic. If you aren’t decrypting, inspecting, then re-encrypting this traffic as it flows to and from your organization, your security posture is dubious at best.
Percentage of pages loaded over HTTPS in Chrome by platform 
You may be asking: “So what? Who cares that my network traffic is encrypted? After all, I thought encryption provided confidentiality, which is supposed to be a good thing.”
The issue is that malware authors are hiding their malicious code in HTTPS. When you visit an HTTPS-encrypted site in your web browser, you see the little green lock icon and think “I’m safe.” However, you could have a false sense of security as malware writers are buying digital certificates to encrypt traffic going to and from their websites that host malicious code.
According to cybersecurity firm Cyren, “the real extent to which malware is being hidden in HTTPS has been an open question—until now. Our security researchers have found that HTTPS is now being utilized in 37% of all malware. And recent growth in HTTPS use for malware has been dramatic, with malvertizing use of HTTPS jumping 30 percent in the first half of 2017.” 
Percentage of Malware that Enters Networks Undetected Due to Being Encrypted 
So, today’s vital suggestion is to make sure that SSL inspection on the firewall is enabled because you don’t want malware to hide within encrypted traffic streams. After all, being blind to over two-thirds of your web traffic is not good security!The problem is that malware is hiding under your nose in encrypted web sessions. The solution is to perform decryption of all web-based traffic on your firewall, inspect the traffic once it’s decrypted, then re-encrypt it and send it along. All modern firewalls have this capability and it’s typically called “SSL Inspection” in the settings. Unfortunately, most business professionals don’t have this setting turned on.
Threat 2: Online account takeover is at a record high
We all use the Internet. Whether for personal email, social media, corporate email, or data processing, the Internet is a huge part of our everyday lives. The Internet makes things easier and more accessible. It makes the world a smaller place and allows businesses to reach a large audience with minimal effort.
For all the good that the Internet brings, it also comes with significant security issues that should be addressed in your cybersecurity plan. Every year for the last decade, Verizon’s Data Breach Investigation Report has shown that social engineering is the most common method criminals use to take over online accounts. It starts with a phishing email that tricks you into giving up your username and password. From there, criminals can take over your email account and pose as you.
It is universally accepted that passwords alone are not sufficient to protect your online accounts. Whether through social engineering or simple brute force password cracking, criminals can easily obtain your password and thus gain access to your online accounts. To overcome this, companies need to step up their authentication game. This means enabling multi-factor authentication for all online accounts. Multi-factor authentication (MFA) simply means adding another authentication factor such as a hardware token, fingerprint, or smartphone-based authenticator to your primary authentication factor (your password).
According to KrebsOnSecurity, “Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017 when it began requiring all employees to use physical security keys in addition to passwords.”  In other words, MFA works.
The most secure way to combat online account takeover is to add a second authentication factor to each of your online accounts.
Threat 3: Sensitive data keeps getting leaked via email
Just as Internet use is a fact of life, email is also a critical workflow for all businesses. But we all make mistakes. We may inadvertently send private information via email to the wrong recipient. Additionally, we may send private information via email in clear text to a receiving mail server that doesn’t support encryption. When this happens, businesses are liable for any loss associated with the private data leak. They’re required to notify authorities as well as affected customers, leading to potential fines and reputation loss. However, these pitfalls can be avoided, though.
Myriad email encryption and data loss prevention (DLP) solutions are available. These solutions can either force encryption on all outbound emails, ensuring 100% confidentiality of all emails, or they can “look for” sensitive data and selectively encrypt emails that contain it. Gateway solutions include a device that sits on the edge of your network and performs email encryption and DLP. There are also cloud-based solutions, many of which are reasonable on a, per seat, monthly basis. You don’t think twice about ordering a $5 coffee from your favorite barista. So why not invest in protecting email, one of the most-used and most-hacked cyber workflows? It is to your distinct advantage to protect emails – one of the most used and most hacked cyber workflows.