Cybersecurity Plan: What to Consider Before Taking the Plunge

Before devising sophisticated security plans and threat models, it is important to be aware of the information that is most valuable to your company. As the old adage goes, “a chain is only as strong as its weakest link”. Similarly, adopting baseline protection measures (such as a regularly updated antivirus and encrypted email) will not be enough if you are aiming to create a formidable cybersecurity plan. Data breaches cause serious damage to the trust, reputation and finances of businesses. The 2016 data breach at Yahoo saw over 3 billion accounts compromised, which led to a $350 million knock to its acquisition price in the sale to Verizon. To prevent data breaches and maintain the trust of customers, it is essential that your business assets are protected at all costs.

Note: this guide should be used to inform further research and planning, not as a plan to be implemented as written. It is crucial that you consult a reliable cybersecurity expert before implementing any strategy.

 

Key threats to consider

 

Knowledge is power, and the first step to developing a cybersecurity plan is to understand the different threats and their consequences. Sometimes, leaders fail to conceptualise the real effect of a security breach until it is too late. When it comes to cybersecurity breaches, there is a real need to cultivate the mentality of not “if” but “when”. Some of the most common types of cybersecurity threats include:

 

Virus – This is a type of malicious software that replicates its own code when executed and ‘infects’ parts of your computer. Viruses typically perform some form of harmful action on your computer such as sending out spam emails, leeching computer power and corrupting data. 

 

Trojan horse – This is a type of malicious software (malware) that uses social engineering techniques to present itself as something that it’s not. This could come in the form of a fake PDF file or fake advertisement that creates a vulnerability when accessed. It is often combined with other threats such as ransomware as a means for them to go unnoticed.

 

Worm – Computer worms replicate themselves with the intention of spreading throughout a network. Unlike viruses, they don’t usually corrupt or modify data but can cause major disruption by increasing network traffic. In combination with a payload (code which executes an attack), a worm can be used to delete files or install backdoors in your systems.

 

Keyloggers – A type of software or hardware that records the keys struck on a keyboard. The data of what was typed can be accessed by someone remotely which can reveal sensitive information such as passwords or confidential communication.

 

Ransomware – Ransomware is a payload that, when executed, begins to encrypt the files on your computer so that you can’t access them. The key to unlocking your files is only delivered once you pay a fee to a remote hacker; otherwise your files will be deleted and unrecoverable after a period of time.

 

Spyware – Spyware is a type of code that tracks and collects information about a user. This can take the form of keyloggers, tracking cookies, trojan horses and adware. Whether it is classified as a threat depends on who is tracking you and by what means, and many businesses also use some form of it, such as cookies which track your behaviour even as you leave their site.

 

Man in the middle attack – This is a type of deception where your communications are being hijacked or rerouted to a bad actor instead of the intended recipient. It is deceptive in the sense that you believe that the other party is authentic but they are not. An example of this would be clicking on a website that appears to be what you intended but you are actually redirected to a phoney site where your details are stolen.

 

DDoS – A distributed denial of service (DDoS) attack is when an attacker uses multiple connections to flood a machine with requests, which overloads the system’s resources and causes it to crash. As the traffic is coming from many sources (hence the name “distributed”), it can be difficult to stop the attack by blocking a single source.

 

Brute force attack – If you have weak passwords, some hackers are able to leverage their computing power to perform calculations that can crack encryption and discover passwords. This is achieved by using computer power to try a rapid series of password combinations until the right one is found.

 

Core themes of cybersecurity

 

Some of the core themes of cybersecurity are confidentiality, integrity and availability. Understanding these themes will give you the strategic view that you need to be able to work with cybersecurity professionals.

 

Confidentiality

 

In all organisations, there is information and data that you want to keep private. You will most likely have different levels of confidentiality with the most sensitive data being only accessible to the executive team. This includes trade secrets, intellectual property, customer data, company data, strategy and internal communications. Cybersecurity ensures that this data remains confidential by stopping unauthorised users from accessing it. This is likely the largest risk for business as the damage can have a compounding effect. 

 

Integrity

 

The integrity of your data describes the extent to which your data remains intact and has not been compromised. A virus for instance can corrupt the files on your system which can make them unreadable. Another case is if your communications become hijacked in the case of a man in the middle attack (MITM) or with other social engineering techniques. In addition to having only authorised people accessing your data, you also need to ensure that malicious software doesn’t compromise it in any way. 

 

Availability

 

You need to keep your systems up and running for the functioning of your business. You also need to ensure that it runs smoothly so that your team can work productively. Availability is a core pillar of cybersecurity because without it you don’t have a business to even protect anymore. There are a variety of malicious attacks that focus on availability such as DDoS attacks which crash your servers and ransomware which encrypts your data and prevents you from working. 

 

Cybersecurity execution

 

In addition to themes, there are core pillars which represent cybersecurity execution across the board. It typically follows this process:

 

  • Deter – This is the process of taking actions to prevent attacks from happening in the first place. Here you will be thinking about the potential threats and vulnerabilities that your company is exposed to. 
  • Identify – Your cybersecurity systems such as your anti-virus software will identify potential threats in real time and bring them to your attention. On top of that, it could be that someone in your security team also identifies suspicious behaviour and reports it.
  • Protect – At the protection stage, your defences such as your firewall will block attempts from malicious actors. Your anti-virus software may also automatically delete a file that is known to be a virus.
  • Detect – At this stage the threat has been detected and your team is made aware of what the threat actually is.
  • Respond – Your cybersecurity team will evaluate any breaches in the system, where the vulnerability lies and any potential damages. Any additional threats will be examined and removed.
  • Recover – If there are any damages, systems may need to be rolled back or restored from a backup device. The threat will be documented and your team will immediately fix the vulnerability so that it can’t happen again.

 

Cybersecurity awareness and training 

 

As the main challenge of cybersecurity is reducing human error, cybersecurity awareness and training for your team has to be an integral part of your plan. Each person in your organisation represents a vulnerability, which means that the responsibility for cybersecurity has to be internalised by each employee. Some factors to consider:

 

  • Cybersecurity culture – The day-to-day actions and values of your employees will play a key part in whether your systems can be breached. For instance, do your employees value speed over security? Do they recognise basic cybersecurity practices and are they sufficiently trained in them? If not, they will likely be doing things they aren’t even aware of, such as taking off encryption when working remotely, and may put sensitive documents at risk.
  • Legacy code – At some point, ideally as soon as possible, your development team will have to go back over your code and ensure there aren’t any vulnerabilities. They may need to be trained to do this regularly, but if you don’t make it a priority, it won’t happen.
  • Hiring a Chief Security Officer (CSO) – At some point at your discretion, you would need to hire a CSO. This could be at 30 employees or 60, but the sooner you can the better. This brings a high-level and focused cybersecurity perspective into your organisation which can protect you as you scale.
  • Talent – There is a shortage of cybersecurity professionals, but that doesn’t mean you can’t seek expertise. If there is any type of consultant worth investing in, then it’s cybersecurity consultants, as their expertise can’t easily be replicated internally. Where you lack talent, you can also take advantage of the vast amount of cybersecurity tools and vendors on offer to help bolster your defence.

 

Risk management process 

 

Cybersecurity is about mitigating risks. Think of it in a similar manner to the risk assessment you would conduct when making a purchasing or investment decision. The difference, however, is that the risk in cybersecurity is perpetual – it is an ongoing and constantly raging battle that demands constant vigilance. A survey conducted by Continuum in 2019 reported that cyberattacks on small and medium-sized businesses (SMBs) incurred a total business cost of $53,987, on average. The report paints a worrying picture and also means that, apart from hiring the right cybersecurity professionals and training the staff, your cybersecurity plan has to be updated regularly. Some elements to consider:

 

Threat assessment – You will need to determine what type of threats could impact your business. Who out there would potentially want to hack you? What is the scale of that threat and their potential? Think about the nature of your business. Do you have access to a large dataset of sensitive customer data? Do you have highly confidential information from government contracts?

 

Vulnerabilities – Next, you will need to think about your systems and where they could be vulnerable. For instance, consider all the hardware and software vendors you are working with, as they could have vulnerabilities that you aren’t aware of. Your immediate computing environment, such as using cloud storage as opposed to local storage, can pose a risk. Other factors include poor cybersecurity training and legacy code.

 

Risk impact – Once you have an idea of your threats and vulnerabilities, you will need to identify what kind of an impact the breach will have. What will the costs be in terms of tangible and intangible damage?

 

Implementing controls

 

Once you have an idea of your current risk levels, you will need to think about implementing controls that will mitigate them and leave you with the residual risk – the amount of cyber risk that you think is tolerable for your particular business. These controls can include:

 

Authentication – Setting up stronger authentication systems such as two-factor or even three-factor systems could prevent confidential information and areas from being accessed. Mobile verification in the form of Google Authenticator is a good start, but you could also consider biometric means such as eye scanning and fingerprints for your highest level areas.

 

Firewall – Your firewall monitors and regulates incoming and outgoing traffic in your computer network. This can prevent unauthorised access coming from outside of the network and acts essentially as a barrier to the wider web. 

 

Anti-virus – This is a type of software that prevents, detects and removes malicious software that is attempting to damage your computer or system. 

 

Cybersecurity training – Raising awareness and incentivising a personal and professional cybersecurity culture (for example, through gamification techniques) is one of the strongest measures you can implement. Most other controls rely on how diligently your people follow through on these guidelines. 

 

Security audits – Maintaining and regularly analysing your software and hardware assets needs to be a constant priority. There may be zero-day vulnerabilities (flaws in the hardware or software unknown to the manufacturer) that you may not discover in your first audit but that may become more apparent over time. Reviewing security and network logs on a regular basis can also help identify suspicious behaviour.

 

Systems backup – In the case that your systems and data become compromised, having a means to restore everything can offset most of the damage caused. Find a backup interval that is appropriate and increase the intervals when working on key projects.

 

Going forward

 

In an age where a cybersecurity breach is occurring every 39 seconds and 66% of SMB companies could either go out of business completely or shut down for a day if their data is compromised, cybersecurity threats are not going away any time soon. As long as new software is being developed, there will always be vulnerabilities that can be exploited. The omnipresent reach of the internet means that anyone with sufficient know-how and access to the internet can potentially extort large businesses. The threat is even greater for small businesses that lack adequate protection. However, by making cybersecurity a priority and dedicating a significant amount of your expenditures towards it, you can be sure to protect your company and stay ahead of malicious cyberattacks.

About the author

Stefan Soellner

Stefan Soellner is an expert in scaling for companies, experienced consultant for business model and product innovation, and coach in the field of innovation management.
