IT Security Risks: So, What’s the Plan?
By Cynthia Cavendish-Carey, Vice President, C4CS
Benjamin Franklin is quoted as saying “by failing to prepare, you prepare to fail.” Truer words were never spoken, including when it comes to IT security. In previous articles, we explored the important distinctions between IT Security as opposed to Cybersecurity and the multitude of threats companies face in this arena. Now, we turn to what to do about it. First things first… the prepared organization will have a plan.
There are various steps that must be undertaken to ensure that the company’s IT Security Response Plan is thorough and robust. Here are the basic steps to follow.
- Team Up: Identify those individuals who are directly and indirectly responsible for all aspects of IT security. Ensure accountability by selecting a senior executive who is charged with oversight. The IT Security Team should be made up of cross-functional roles in order to guarantee that all IT assets are fully protected and that any required responses are covered from all relevant viewpoints. This team establishes the mission, goals, objectives and policies for all facets of IT Security, including risk thresholds, and oversees training, testing and ongoing refinement of the IT Security Plan.
- Inventory Assets and IT Security Risks: It is critical that a full assessment of IT assets, including information and intellectual property, be conducted in order to know what protections should be put in place. Such a review should take into account any and all internal as well as external risks. Only with this information can a proper and thorough IT Security Plan offer adequate protection, including appropriate management of data and identification of the controls that will need to be put in place. Hiring an expert outside party to help uncover vulnerabilities is often a prudent course of action if such proficiency is not present within the organization.
- Identify Regulatory Risks and Compliance Strategies: Intimate knowledge of all regulatory obligations is vital to every business where outside oversight is mandatory, particularly with regard to Department of Defense (DoD) government contracts and even more so with the advent of new Cybersecurity Maturity Model Certification (CMMC) requirements for certain contracts. Accountability and oversight in this regard by the IT Security team leader is essential if businesses are to remain in good stead with regulators, rules, laws, acts, certifications, and contractual agreements.
- Craft the Plan: Once the up-front legwork is completed, IT Security Plan writing may begin. Required elements of the Plan will vary according to the IT assets and security needs of the organization. But, in general, the Plan should at least define the following.
  - Purpose, scope and definitions of threat types
  - Roles, responsibilities and accountability of team members, including 24/7/365 contact information as well as any expert resources outside of the organization
  - Procedures and protocols
  - Tools to assist response, including step-by-step guides for eradication, recovery and refinement, among other specific steps relevant to corresponding threat types
  - Schedules for testing, training and IT Security Plan review and refinement
  - Documentation requirements, including Chain of Custody, After-Action Report templates, and communication templates
- Train Everyone: With the team and the IT Security Plan in place, training all employees is critical in order to mitigate potential threats. Phishing is one of the most likely entry points for hackers and cyber criminals to gain access to IT assets. Therefore, establishing a protocol for educating personnel through onboarding and regularly scheduled training and testing will be tremendously beneficial in avoiding such risks and preventing them from escalating into crises. But there are more threats, including device loss or theft, insider threats, social engineering, business email compromise and third-party compromise, among many others.* Consistently and continually teaching employees about IT security will help to safeguard organizational assets.
- Review and Test the Plan and Protocols: A proper IT Security Plan is never “done.” It must also be put through its paces on a regular and ongoing basis to ensure efficacy. As we know, the IT world is constantly changing and new threats are emerging all the time. It is extremely important to review the Plan at least annually, refining it accordingly based on new and emerging threats. Conducting tests via discussion-based, hypothetical tabletop crisis exercises as well as various types of drills within a safe learning environment will uncover vulnerabilities and allow further Plan optimization.
- Refine Everything: After each review and test of the IT Security Response Plan and protocols, key learnings should be incorporated into an updated, enhanced version of the Plan document, including tools, protocols, policies, and procedures. Additionally, any IT events or incidents encountered must be documented in an After-Action Report with the intention of making further improvements to the Plan.
These seven steps may sound simple, but they are indeed heavy lifting. With new threats continually arising, ensuring that the organization’s IT assets are fully protected has never been more important. Additionally, with new CMMC requirements now obligatory for certain DoD contracts, establishing a robust Plan is only the first step.
So, what’s your plan? Do you have one? Is it in good order? Has it been adequately tested and refined? Or, as Benjamin Franklin stated, is your organization “planning to fail?”
*More information about IT Security threat types can be found in the article IT Security Risks – Catalyst Connection published June 14, 2021.
In partnership with Catalyst Connection, Pittsburgh-based C4CS® (https://c4cs.com) provides customized crisis management and IT security consulting and training. Available group training and one-on-one crisis leadership coaching includes virtual and in-person tabletop and other crisis exercises built around realistic scenarios such as industrial accidents, cybersecurity incidents, employee and product crises among other hypothetical situations. To learn more about how C4CS can assist your organization, email: firstname.lastname@example.org