

How to Build a Cybersecurity Program from the Ground Up

03/21/2018  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


Building an effective cybersecurity program is like building a three-legged stool: it rests on people, processes, and technology, and all three legs must carry the weight together. If one is missing or weak, the other two cannot hold the program up. A strong cybersecurity program therefore requires intentional, sustained attention to all three areas.

While cybersecurity requires a long-term commitment, it is not overly complex. A handful of basic, fundamental principles lets any organization create a secure environment for its data.


Whether you’re looking to build a cybersecurity program from the ground up, or simply looking to strengthen your existing processes, here are six fundamental steps we recommend to help you focus on people, processes, and technology.

  1. Identify every type of data you hold, and which of it is sensitive. Whether it is customer payment card information, patient health records, personal financial information, or intellectual property, every company stores, processes, and transmits sensitive data in order to do business, and it is the business's duty to protect it. The first step is to acknowledge exactly what kinds of sensitive data you have, because everything that follows depends on that list.
  2. Define where that information is stored. Once you know what sensitive data you have, determine where it lives. Beyond the obvious locations such as databases, does it also sit in spreadsheets or text documents on file shares, in email attachments, or in exports on a laptop? You cannot protect sensitive information if you do not know where it is. Completely protecting every device (computer, mobile device, and so on) in your organization may be an impossible task, but you can identify where sensitive data actually exists in your environment and build controls around the processes that store, process, or transmit it.
  3. Inventory all hardware and software in your network. As simple as this sounds, it is an area where organizations are hit the hardest, and a missing or incomplete inventory was part of the story in last year's infamous Equifax breach, where a publicly known vulnerability went unpatched on an internet-facing system. When a critical vulnerability is announced, you need to know, quickly and specifically, which devices and applications in your environment run the affected version and must be updated or patched. Creating and maintaining an inventory of hardware and software is foundational to a solid cybersecurity program.
  4. Develop a plan to train employees and users on cybersecurity best practices. Cybersecurity is not solely an IT issue; it is a business issue that requires a culture of security. At the end of the day, protecting sensitive data comes down to the end users who handle it. If they do not know or understand their responsibilities for protecting sensitive data and for interacting securely with company systems, they may put you at risk without realizing it. Employees must be trained to recognize and report phishing and baiting attempts, and should be well-versed in password management so that one compromised credential does not expose your systems and data.
  5. Implement multi-factor authentication for all external network access. Many companies have employees who access company systems remotely, and in most cases that access to sensitive systems and data is protected only by a password. Experience has shown that user-selected passwords are typically easy to guess or can be obtained through a simple email phishing attack. If multi-factor authentication is not required for every remote access path, an attacker who obtains a password has no trouble reaching remote services, and that typically leads to sensitive data. Nearly half of the incidents our forensic and incident response team at LBMC Information Security has handled in the past six months could have been prevented if multi-factor authentication had been enforced on remotely accessible systems, especially email.
  6. Find a trusted partner who can help you. Limited time and staffing are the most common obstacles businesses face when it comes to effective cybersecurity. Having an independent third party perform penetration testing or risk assessments for your organization is key to getting an objective validation that your cybersecurity program actually works and that your sensitive data is as secure as possible.
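Step 2 above is the one most often done by guesswork, so here is an added example (not code from the original post or from LBMC) of a minimal sensitive-data discovery scan of a file share. It walks a directory tree, reads plain-text formats, and flags files that hold payment card numbers or US-SSN-shaped values. Card candidates are checked with the Luhn algorithm so that invoice numbers and similar digit runs are not reported. The sample "share" it builds in a temporary directory is constructed data for this example; scanning only plain-text extensions (real spreadsheets would need a parser such as openpyxl) is an assumption made to keep the example self-contained.

```python
# Added example (not part of the original post): a minimal sensitive-data
# discovery scan for a file share, illustrating step 2 above. It walks a
# directory tree, reads plain-text formats, and flags files holding
# payment card numbers (Luhn-checked) or US-SSN-shaped values.
# The sample share it builds is constructed data for this example.
import os
import re
import tempfile
from collections import Counter

# Assumption for this example: only plain-text formats are scanned.
# Real spreadsheets (.xlsx) would need a parser such as openpyxl.
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".md"}

# 13-19 digits, optionally separated by spaces or dashes, and not embedded in
# a longer digit run. Every candidate is then Luhn-checked to cut false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the never-issued ranges (000, 666, 9xx area; 00 group;
# 0000 serial) excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_file(path: str) -> Counter:
    """Count sensitive-data hits in one file, by category."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return Counter({"pan": len(find_pans(text)), "ssn": len(SSN_RE.findall(text))})


def scan_tree(root: str) -> dict:
    """Map relative path -> Counter for every scanned file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue        # binaries, archives etc. are skipped in this example
            path = os.path.join(dirpath, name)
            counts = scan_file(path)
            if sum(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_share() -> str:
    """Create a constructed file share in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        # 4111111111111111 is a Luhn-valid test number; the second value fails Luhn
        "finance/customers.csv": "name,card,note\nAlice,4111111111111111,ok\n"
                                 "Bob,4111 1111 1111 1112,typo\n",
        "hr/onboarding.txt": "New hire SSN 123-45-6789, start date 2018-03-21\n",
        # a 13-digit invoice number that is not a card number (fails Luhn)
        "README.txt": "Invoice 1234567890123 is an internal reference\n",
        "archive/backup.bin": "\x00\x01 binary, skipped by extension\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, counts in sorted(scan_tree(build_sample_share()).items()):
        print(f"{rel}: {dict(counts)}")
```

Run against a mounted share, the output of scan_tree is the start of the "where does our sensitive data live" map from step 2; the files it names are where the controls from the rest of the program (access restrictions, encryption, retention, and monitoring) need to be applied first. Expect to tune the patterns for your own data types, and treat the Luhn check as a filter rather than proof: it removes most random digit runs but cannot tell a real card number from a valid-looking test value.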

Effective Cybersecurity is a Daily Commitment

Cybersecurity is not a once-a-year project; it is a daily process. As the technology landscape continues to evolve, the inventories, training, and controls described above have to be revisited so that your organization stays protected against the latest threats. Here are a few additional resources to help you build a program and stay current with the latest trends:

As always, if you want to learn more about how our team at LBMC Information Security can support your cybersecurity program, you can connect with our team at any time. 
