10 Steps to Go from Cyber Novice to Cyber Expert
Technology | Connections Editor | Oct 19 2017
You don’t need to make a huge ﬁnancial investment to strengthen your ﬁrm’s cyber readiness. This article, taken from the 2017 Connections print issue, features steps for keeping your business safe and sound based on insights from the Hiscox Cyber Readiness Report 2017. In this online version, find four bonus steps plus resources to get you started from ACT's Agency Cyber Guide 1.0.
1. Get the buy-in of the top bosses.
Your executive management team should be intimately involved in the policies, procedures and planning around cybersecurity. “The overall responsibility for cyber risk should sit at board level and not with the IT team, who need to ensure there is a consistent transfer of cybersecurity-related knowledge up to the senior management in order to inform the decision-making process,” said the Hiscox report authors. Presenting the value of cybersecurity to senior leaders and getting their buy-in are key steps toward securing your business.
2. Build your plan.
There’s power in process. Maintaining cybersecurity is a never-ending practice — you must constantly reinforce its importance through virtually every aspect of your business. And while that may seem exhausting, having a plan with clearly deﬁned processes allows you to take on this daunting, yet essential, business task. Ninety-two percent of cyber expert respondents to the 2017 Hiscox report said their cybersecurity strategies include a “budgeting process that is integrated into all security projects and activities.” Process excellence means collaboration between business and IT stakeholders and a focus on metrics and data. A big diﬀerence between cyber experts and cyber novices is that experts use metrics to track their security’s return on investment and business impact.
3. Develop an incident response plan.
No, this isn't a repeat of Step 2. An incident response plan is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs, while complying with federal and state regulations. This includes communication/notices to your state superintendent upon detection of a cybersecurity event and communication to customers, insurers and third-party service providers.
4. Train your employees to be cyber aware.
“Employee training should be one of the most important elements of a cybersecurity strategy,” said the Hiscox authors. “A modest investment in employee training can have a big impact on cyber readiness.” Making all employees cyber aware reduces the number of attacks, the authors noted, and it starts with the human resources department. HR teams evaluate cybersecurity capabilities, review cybersecurity competencies and can incorporate cybersecurity criteria into the annual reviews of those employees with cybersecurity responsibilities.
5. Put it in writing.
It’s one thing to create a strategy and cybersecurity process; it’s quite another to document it and socialize it to all employees and stakeholders (both internal and external). Creating guidelines, procedures and response plans that are easily accessible and familiar to everyone in the company will keep everyone informed and on the same page.
You can use this Cybersecurity Planning Guide from the Federal Communications Commission for help getting your plans drafted.
6. Trace your audit trail.
An audit trail (also called audit log) is an electronic trail that gives a step-by-step documented history of a transaction. It enables an examiner to trace the financial data from a general ledger to the source document (invoice, receipt, voucher, etc.). The presence of a reliable and easy to follow audit trail is an indicator of good internal controls instituted by an agency/brokerage, and it forms the basis of objectivity. For agencies/brokerages, using your agency management system (with all other interfacing systems) provides a solid foundation for an audit trail.
7. Conduct a vulnerability assessment.
This is a biannual process that defines, identifies and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure. Vulnerability assessments are not to be confused with penetration testing, which is the annual practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. According to ACT, penetration testing should be done internally and externally.
This tutorial from Tutorials Point further defines the difference between the two and discusses whether you should incorporate them into your company's cybersecurity regimen.
8. Up your technology game.
The Hiscox report authors wrote that those hoping to boost their company’s cybersecurity strength should focus on two areas: internal and external message encryption, and the integration of strong authentication throughout the company.
ACT offers this guide on TLS email encryption.
9. Dispose of non-public information.
As with encryption, this regulation refers to all electronic information that is not publicly available, including PII, PHI and PCI. Improper document destruction is often a downfall of small business security. Regulations on this vary by state. Agents/brokers doing business in multiple states should adhere to the highest level of requirements. Keep in mind, there is a difference between complete disposal of information and simple deletion.
Click here for a listing of disposal laws by state.
10. Consider cyber insurance.
As high-proﬁle cyber attacks continue to make news and wreak havoc on organizations throughout the world, more companies are exploring the option of cyber insurance to mitigate the risk and provide some peace of mind. While the cyber insurance market is growing globally, it’s most robust in the United States — 55 percent of U.S. respondents to the Hiscox survey said they have cyber insurance, compared to 36 percent of U.K.-based respondents and 30 percent of those in Germany.
These steps are a great way to ensure long-term success. Next week, we will be sharing some cybersecurity best practices you can adopt right away. Be sure to check back soon for more updates related to Cybersecurity month.
Tags: Technology , Cybersecurity , Data