Cybersecurity is a culture, not an action – but for organisations starting in their efforts to implement a cybersecurity culture, there are some steps in getting started with cybersecurity. This article will outline the basics to get started with cybersecurity, for small to medium sized businesses, and for larger business that is behind and needs to get started.

Understand your threats

Whilst there is no specific order to getting started with cybersecurity, an early stage is to understand your threats. This will differ for all businesses, depending upon what sort of data they hold or services that they offer. For individuals, there are steps you can take to protect yourself, but a business needs to have a knowledge of what threats are out there. Some may include;

  • General broad threats – hackers just trying to find anything that is vulnerable, and they don’t care who you are or what your business does. This can include;
    • Phishing and email malware / links
    • Viruses and trojans / worms
    • Denial of service of either your own systems, or of public systems that you use
  • Technology threats – where you are using a particular technology that is targeted
  • Data handling errors, misconfiguration, and mistakes in information disclosure
  • Insider threats, disgruntled (/ex)employees
  • Ransomware – targeted to disable your business or steal data
  • Espionage and spying – to steal data, intellectual property, customer lists
  • Supply chain attacks – your suppliers or providers being targeted to cause impact to your business

Once you have an awareness and understanding of your threats, then you need to progress to the next stage.

READ ARTICLE:   Digital Transformation is about process and people, not technology

Understand your data and systems

Knowing where the threats lie, you then need to understand where your data is and what systems you use. This can be harder with Cloud services, SaaS, and with Shadow IT, but you need to have a full inventory of;

  • What data you are storing – with knowledge of personal information, financial data and proprietary or business critical data
  • Where your data is located – including copies
  • How your secured and protected
  • and what systems or people have access to it.

By understanding what you have and where it is, you can better secure it.

When it comes to your systems, you need to understand the risks and threats;

  • What software and hardware are you using
  • What Stealth IT or other systems exist, which staff have gone out and arranged by themselves
  • What versions of software are you using, plus any other components or updates
  • Which cloud services are you using – don’t forget the ones that staff have got by themselves

Once you have an inventory of your official and unofficial systems, you can better secure them, and be aware of how to react when it is announced that there is a vulnerability or threat for a particular version of a product or service.

Understand your links and connections

Your suppliers and stakeholders can be vulnerable vectors for getting started with cybersecurity – you have to verify that if they get compromised, it won’t spread to your systems. Furthermore, you need to feel confident that the suppliers or partners who are connected to your systems (or have logins) are not performing malicious acts.

Furthermore, your own organisation may be well protected, but if one of your suppliers or partners is not so well protected, they could be taken off-line for an extended time, impacting on your ability to do business. This is another reason to ensure that your suppliers and partners are audited and challenged to prove that they have addressed their requirements for cybersecurity.

READ ARTICLE:   Forecasting the demise of IaaS

Understand how you will react

In a similar way to developing a BIA or BCP (Business Continuity Plan), you need to know what you will do in the scenario of an attack, and which systems or data is the most important to protect, recover, and return to service. Part of this is to plan how you, as a business, will respond to systems being unavailable, data being unavailable, and business being impacted. You will need to plan for who will be contacted in the decision process, and who will have the authority to “pull the plug” on systems to prevent the issue increasing (data theft or deletion) or spreading (virus), knowing the impact that this will have on business operations – both if action is taken and if it is not taken.

According to the Australian NDB Scheme, there is a requirement to record information for further analysis, to announce the breach or loss, or suffer fines and penalties. This should be built into your response planning, and is good practice.

Prevention is better than response

A good response plan is important, but it is better to be in a position where you are protected from the most obvious attacks. Common-sense items like anti-virus and anti-malware on all endpoints – regularly updated, and operating system and application updates – should be something that everyone should do. Properly configured firewalls, adequate passwords and a cybersecurity culture should be your starting point.

The next step is to follow some standards such as the Essential 8, and if you have credit card information you must follow PCI-DSS (although their 12 requirements are good advice for anyone with sensitive data), and if you have personal information about people, [in Australia] you must also follow the APPs from OAIC, where the 13 Privacy Principles are good advice for any company to follow if they store personal data.

READ ARTICLE:   Educate Boards in Cybersecurity

Within your own jurisdiction or country, there will be other standards and frameworks that you should follow, but these above steps should help you in getting started with cybersecurity for your business.

Share this knowledge