Keeping current with cyberthreats is an imposing logistics problem for small- and medium-sized businesses (SMBs): cybercriminals constantly change their tactics. If something stops working or fails to provide sufficient return for their effort, the bad guys move on. That works well for the criminal element, but how are those in charge of cybersecurity at an SMB supposed to know when that happens and, more importantly, whether the company's cybersecurity platform is adequate?
The Wall Street Journal (WSJ) offers WSJ Pro Cybersecurity, a program designed for small businesses. In addition, the WSJ hosts a bi-annual forum that briefs company executives on existing cyber risks, ranging from protecting data and staying compliant, to defending their business and responding should a crisis emerge.
Olivia Berkman, writing for Financial Executives International, in her article Cybersecurity: Building a Plan for the Unknown reports what experts at the most recent forum suggest organizations do to combat an ever-changing cyberthreat landscape. Panelists participating in the forum included Steve Grobman (CTO at McAfee), Andy Ozment (CISO at Goldman Sachs), and Judith Pinto (managing director at Promontory Financial Group). The panel discussed the following cybersecurity best practices.
Strategically structure your security staff: The panelists work for large corporations, so their staffing model may not be realistic for an SMB's headcount; that said, the following approach can be worked into guidelines or directives regardless of company size:
- Organization is the first line of defense according to Ozment. “[W]e’re embedded in the processes; we’re part of the conversation from day one. And we’re doing operational IT.”
- Risk assessment comprises the second line of defense, and consists of an independent cybersecurity team that reports any incident directly to the CTO. Their independence affords them a unique perspective.
- Internal auditing is the third line of defense and the “fine-toothed comb” when it comes to assessing an organization’s capabilities to manage cybersecurity risks.
“Ozment realizes that not all organizations can afford this model,” writes Berkman. “He suggests that, if an organization has a CISO, to give him or her at least two lines of defense: one line that’s inside the IT construct and another independent line that’s outside of that construct.”
Empower employees to report: Berkman writes that Ozment offers two management views of users, that of either a brick or a sensor. If bricks are missing, the wall crumbles, and he feels one or more bricks will always be missing. It is better to consider users as sensors: only one is needed to point out a problem.
Measure the right metrics: The panel suggests focusing on two metrics: the number of incidents and the number of vulnerable systems. For the number of incidents, Ozment uses a three-tier reporting system: each tier has a set incident count, and when that count is reached, reporting is bumped up to the next tier. Examples of the reporting tiers might be internal management, the internal risk committee, and the company board.
When it comes to vulnerabilities, panel members suggest tracking the following:
- The number of vulnerabilities on internet-facing systems, such as web servers or email servers.
- The number of unpatched vulnerabilities at any given time.
- The percentage of hardware and software nearing end-of-life (i.e., when a manufacturer stops supporting it with any updates).
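As an added example (not code from the panel, Berkman, or the WSJ forum), the following script computes the three vulnerability metrics above and the tiered incident escalation from a small, constructed asset inventory. The asset names, finding IDs, end-of-support dates, and escalation thresholds are all assumptions made for the illustration; an SMB would feed in its own inventory and scanner output and pick its own thresholds.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    end_of_support: Optional[date]  # vendor end-of-support date; None = none announced


@dataclass(frozen=True)
class Finding:
    asset: str      # name of the Asset the finding was reported on
    finding_id: str  # scanner-assigned ID (constructed placeholders, not real CVEs)
    patched: bool   # True once the fix has actually been applied


# Constructed sample inventory and scan results (assumed values, not real systems).
ASSETS = [
    Asset("web-01", internet_facing=True, end_of_support=date(2026, 6, 30)),
    Asset("mail-01", internet_facing=True, end_of_support=date(2025, 3, 31)),
    Asset("file-01", internet_facing=False, end_of_support=None),
    Asset("hr-db", internet_facing=False, end_of_support=date(2025, 12, 31)),
]

FINDINGS = [
    Finding("web-01", "F-1", patched=False),
    Finding("web-01", "F-2", patched=True),
    Finding("mail-01", "F-3", patched=False),
    Finding("file-01", "F-4", patched=False),
    Finding("hr-db", "F-5", patched=True),
]

# Date the report is generated (fixed so the example is reproducible).
REPORT_DATE = date(2025, 1, 15)

# Constructed escalation thresholds: once the incident count for the period
# reaches a threshold, that tier must be briefed. The numbers are illustrative.
REPORTING_TIERS = [
    (0, "internal management"),
    (5, "internal risk committee"),
    (10, "company board"),
]


def unpatched_vulns(findings) -> int:
    """Metric 2: number of findings with no patch applied yet."""
    return sum(1 for f in findings if not f.patched)


def internet_facing_open_vulns(assets, findings) -> int:
    """Metric 1: unpatched findings on internet-facing assets only."""
    exposed = {a.name for a in assets if a.internet_facing}
    return sum(1 for f in findings if not f.patched and f.asset in exposed)


def pct_nearing_eol(assets, today: date, horizon_days: int = 365) -> float:
    """Metric 3: percentage of assets whose vendor support ends within the
    horizon (assets already past end-of-support count too, since they are
    unsupported now). Assets with no announced date are not counted."""
    cutoff = today + timedelta(days=horizon_days)
    nearing = [a for a in assets
               if a.end_of_support is not None and a.end_of_support <= cutoff]
    return 100.0 * len(nearing) / len(assets) if assets else 0.0


def reporting_tier(incident_count: int) -> str:
    """Highest tier whose threshold the incident count has reached."""
    tier = REPORTING_TIERS[0][1]
    for threshold, name in REPORTING_TIERS:
        if incident_count >= threshold:
            tier = name
    return tier


def metrics_report(assets, findings, today: date) -> dict:
    """Bundle the three vulnerability metrics into one report row."""
    return {
        "internet_facing_open": internet_facing_open_vulns(assets, findings),
        "unpatched_total": unpatched_vulns(findings),
        "pct_nearing_eol": round(pct_nearing_eol(assets, today), 1),
    }


if __name__ == "__main__":
    print(metrics_report(ASSETS, FINDINGS, REPORT_DATE))
    for count in (3, 5, 12):
        print(count, "incidents ->", reporting_tier(count))
```

Two design points worth noting: the end-of-life metric deliberately counts assets that are already past their support date, because an unsupported system is the failure mode the metric exists to surface; and the escalation function reports the highest tier reached rather than only the one just crossed, so a board-level count is never reported as a risk-committee matter.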
Plan for the loss of everything: "Nothing works" is seldom planned for, according to the panel members; the assumption is that something, email or a landline, will always work. "Planning for the worst case scenario doesn't happen enough," mentions Pinto. "How would you still communicate? How do you coordinate with your external counsel or critical third parties that help you respond?"
Berkman continues that, fortunately, the responsible parties at companies are coupling cybersecurity-response planning with business continuity, adding, "Business continuity, Pinto points out, has always contemplated worst-case scenarios such as the loss of a building or the loss of technology, and should be brought into cybersecurity planning and response planning."
Not quite there yet
Berkman brings up a good point: There is no real way to effectively measure the success of a company's cybersecurity posture. Products that try do exist, but they are work-intensive, require experts, and are expensive, which makes them a hard sell to upper management.
There is a “however” though. “Some companies have embraced them (products that measure success) and, like any tool, if you embrace it, you really invest in it and use it consistently you can get a lot of value out of it,” concludes Ozment.