Horizons Spring/Summer 2019

Preparing for the Next Decade of Cyber

Preparing an organization to address cyber over the next decade will require an investment of time, focus and resources appropriate to the risks facing the organization. Prepared organizations are going to create consistent, repeatable processes to address cyber on an ongoing basis. Vigilant organizations are going to take those processes to the next level, creating opportunities to expand business and operations to new areas as technology develops. The following are key areas your organization can address with budget and staffing levels appropriate to your needs.

Risk Assessments

Critical in any business, security risk assessments are a fundamental building block of a sustainable long-term security program. Risk assessments need to be performed annually and after any major business or technology change. The assessments do not have to be onerous or difficult, but they do need to be relevant to the organization. For instance, if you handle personally identifiable information, you need to understand your threats and compliance assessments; if you are a manufacturing company with proprietary data, you need to protect that proprietary data. Every organization handles its own customers’, suppliers’, clients’ or employees’ confidential information – the key is to identify the information, where it is collected, processed, transmitted and stored in the environment, and how the controls address risk. Prepared organizations will perform a risk assessment every few years, address the critical issues identified and seek outside support if a critical need is identified. Vigilant organizations will perform them at least annually, regularly seek third-party support for a fresh look and integrate the results into operational planning and improvement.

User Training

Users are either weak points in the cyber armor protecting an environment or the distributed early-warning firewall system for an organization. The difference is the vigilance of users – do they know to watch for threats and are they trained in how to spot them? Users can be the greatest weakness or the greatest strength. Training should be regular and varied in method, medium and delivery. Prepared organizations will provide users annual training and ad-hoc training as new threats are identified. Vigilant organizations will develop annual training programs with monthly to quarterly updates, regular email phishing testing and gamification techniques to engage users in the cyber security defensive process.

Technical Assessments

Technical assessments need to be customized to your environment and address the critical technology supporting the organization. The data flow analysis can be used to help identify some of the critical technology components – whether on premises or in the cloud. Remember your security responsibilities when using a cloud solution – they cannot be fully outsourced. Prepared organizations will focus on critical technologies in the environment and how to protect sensitive information. Vigilant organizations will build on that by performing quarterly vulnerability scans,

Cyber security requires many different skills; if you are limited in the number of resources, you can focus on those who have a broad understanding of security.
