General security

10 Steps Leaders Can Take to Improve Cybersecurity in their Organization

Daniel Brecht
February 20, 2018 by
Daniel Brecht

As revealed by an executive opinion survey in the World Economic Forum's (WEF) Global Risk Report, the top concern for business leaders moving into 2018 is the potential for a cyber attack that may result in system and service interruptions and infiltrations of critical infrastructure. Despite that, another survey by PwC, the 2018 Global State of Information Security Survey, shows that 44% of companies worldwide do not have an overall information security strategy. Also, 48% of the 9,500 executives in 75 industries surveyed across 120 countries have not implemented an employee security awareness training program, and 54% do not have an incident response process.

The growing risks, however, oblige leadership to make wiser funding and business decisions that affect cybersecurity, rethink strategies and invest in cyber-risk management to prepare for sudden and dramatic disruptions because of breaches. This brings us to the focus of this piece, what are the 10 vital steps that leaders can take to manage the organization's critical information systems against hackers, cyber-criminals, phishers, social engineers and malware that target them?

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Steps leaders can take to improve cybersecurity in their organization

  1. Adopt a cybersecurity-conscious culture. The first, important step is to instill in the organization a security culture. To do that, a number of initiatives can be implemented to involve the entire staff (including management) in a collective effort towards the safeguard of the systems and data. For example, is an environment where everyone is aware of his or her own importance for the protection of the business; is and feels accountable; is encouraged to give contributions by sharing ideas and concerns which is the best ground for the proper receiving of security policies and awareness initiatives.
  2. Develop an effective security plan coordinated with decision-makers.

    A plan must be in place to clearly describe how the organization stands and is progressing towards the safeguard of systems and data. It is essential, however, to secure the buy-in of the company decision-makers; C-suite and senior leaders and board members need to be aware of the security plans and needs of the organization, and they need to approve all strategies. Executives need to have the possibility to have a say on which assets to consider the most critical to protect and how much risk the organization is willing to take when making information security decisions. This is particularly important to ensure the adequate and timely funding of any needs the business might have to secure its systems or respond to incidents.

  3. Apply user training and awareness.
    Investing in cyber awareness training, the most significant activator of cybersecurity readiness is one of the best possible moves. As many cyber threats exploit the human factor, it is fitting that a company invest not only in technical safeguards but also and especially in the workforce to improve its ability to adapt and thrive in an evolving threat landscape. Educating users on cyber risks while teaching best security practices helps reduce the likelihood of staff becoming easy targets via computer phishing, hacking or malware. A good awareness program is made of different phases and approaches as mentioned in The Components of Top Security Awareness Programs and is to be tailored to the organization, its requirement, and workforce. The key is that everyone is involved in training (management included) to convey the importance awareness has for the organization, and so that everyone feels a part of the company's cyber resilience approach. A good security awareness program not only gives info and tips on how to spot and avoid common pitfalls but also puts in perspective for employees all the restrictive measures enforced by the organization and gives importance to all the often-cumbersome policies and procedures that are released; it also requires devising and implementing activities such as a self-assessment and program evaluation for the purpose to identify cyber improvements as well as gaps and deficiencies to be addressed.
  4. Don't be afraid to outsource your cybersecurity.
    Companies that lack trained staff or don't have premise-based IT software and tools might consider outsourcing their cybersecurity functions to third-party experts that can work with the organization to neutralize any threats or attacks in a way that also ensures regulatory compliance. It is often possible that smaller companies might not see the need to hire personnel specifically for their cybersecurity needs or they might have a small office unable to provide all the functions necessary to secure systems and data 24/7. Thus, an outsourced security program can give quick access to specialized, fully trained professionals that can fill staff gaps and ensure the protective services needed by the company. Cyber Security-as-a-Service, a cloud Managed Security Service Provider (MSSP), or a Cloud Security Operations Center (SOC) can be the best solution for defending against network attacks around-the-clock and keep up with the constant threats in cyberspace without adding personnel costs.

    Some companies see outsourcing as a risky business and fear the amount of exposure they will need to allow to the third-party company, but contacting reputable companies with a proven track record, signing explicit agreements and allowing the least possible access to systems and data as necessary for an external contracted third party to perform their function can help mitigate any risks. The same precautions can be taken when employing knowledgeable outside experts to test the systems. As well, vulnerability or security assessments can often be provided by an outside professional, such as a penetration tester, that can give a company options that an on-site security team cannot provide; penetration testing from within the premises or from outside the network perimeters, performed with or without the knowledge of the company's own security team is capable of disclosing vulnerabilities that can help gain a deeper understanding of threat actors in order to provide the essential intelligence needed for decision-makers to take the most efficient steps towards improving cybersecurity with targeted investments.

  5. Implement a security assessment program to identify risks, threats, and vulnerabilities. This is a crucial step to assess the security posture of a company and measure objectively any progress due to the implementation of new programs, technical countermeasures, and training. Companies need to make a full assessment of current risks, threats, and vulnerabilities while addressing them through metrics against which to objectively gauge efforts. Using pre-defined scales (e.g., Low-Medium-High), a business can assess the consequences and impact of each activity or the likelihood of particular kind of cyber threat activity separately and devise how to mitigate the most significant problems first. This insight will then help determine how to handle specific circumstances using a methodology that is entirely appropriate for the company and to determine the best approaches in protecting a system against a specific threat or known weakness of an asset/resource that can be exploited by one or more attackers. An assessment, above all, helps organizations promote a risk-aware culture.
  6. Employ a purpose-made cybersecurity policy. This is another essential part of any company's security program. A good cybersecurity policy addresses several needs: it can raise awareness of the potential risks and give insight on possible vulnerabilities and how they can be corrected, so that employees can be better equipped to prevent them; it gives clear guidelines on the acceptable use of all digital assets and data in the company; it describes the goals of the procedures and embodies all the detailed actions that personnel are required to follow and that are crucial to an organization's success; it outlines where to look for help and where to report cyber-related issues; and it, of course, defines disciplinary consequences for out-of-policy actions. A well-thought-out IT policy, then, must strike the right balance between business requirements and security needs; this will require continuously refreshing the document

    to make sure it is in line with the demands of new technologies and addresses issues that arise in the ever-changing cyber threat landscape. If the organization, due to its size or scope, believes a cyber-policy may be unnecessary, it should at least consider providing a quick review of guidelines that might be readily available for staff to follow.

  7. Acquire cyber insurance for potential costly outcomes.
    Adding cyber insurance can really help safeguard a business, as it covers first-party losses and third-party claims. Such insurance will not help protect digital assets but might mitigate some of the economic effects of an incident and/or provide defense and liability coverage for any data breach cases that might result in litigation. Regulatory fines, lawsuits, damage to the reputation of the organization's brand, recovery of data as well as hardware repairs and software protection due to cyber-related security breaches or otherwise harmful events might be covered, so companies should carefully evaluate what are the most cost-effective options for their needs (an insurance policy checklist might help with this effort). As always, a credible, reputable, industry-known cyber insurance provider should be chosen.
  8. Work to achieve resilience, not to merely avoid risk. Leaders need to concentrate on the resilience of their entire organization, as risks can be mitigated but not eliminated. The first step is obviously hardening the network through monitoring tools and technical countermeasures. However, managers should pay attention to the implementation of technical and administrative controls and personally review the results of any security assessments and testing to get an understanding of where attention is needed. Working on strengthening the company's security posture, rather than concentrating mainly on incident response, can go a long way in protecting the business and ensure its quick recovery in case of trouble.
  9. Don't exist in a vacuum. Many companies are used to guard themselves against their competitors but collaborating with others in their own industry when it comes to IT security could be a winning strategy. Sharing information with similar companies nationwide or even abroad can facilitate the sharing of lessons learned, the identification of trends and common warning signs. It also aids the creation of new standards and, in general, strengthen the resilience of the entire industry to attacks.
  10. Always have a plan B. This entails a backup plan. Proper disaster management and business continuity plan, as well as an effective data recovery strategy, can make the difference after an incident and allow for quick come back and less financial impact. Leaders can have a role in identifying the needed recovery tempo through the preparation of a business impact analysis (BIA) created with the data gathered during assessments. The recovery time for IT resources and operations need to align with the recovery time objective identified for all business functions and processes.

Conclusion

In an organization, leaders have a fundamental role in setting the tone for a stronger security posture, from urging the revamping of security policies and procedures to funding effective users' awareness training to empower them to take better control of digital assets. Because the growing number of cyber-attacks on critical infrastructures require a decisive approach from managers that need to be more involved in the IT decisions and need to better understand the demands and requirements of their information systems environment.

All told, the amount of involvement, energy, and funding invested in the strengthening of the company's cybersecurity posture has a direct impact on the survival capability of the organization in a time in which cybersecurity incidents are on the rise.

References

Brecht, D. (2017, November 6). Cyber Security-as-a-Service: A Solution for Defending Against Network Attacks. Retrieved from

https://resources.infosecinstitute.com/cyber-security-service-solution-defending-network-attacks/

Kail, M. D. (2017, May 12). 5 Steps to Maximize the Value of your Security Investments. Retrieved from http://www.darkreading.com/threat-intelligence/5-steps-to-maximize-the-value-of-your-security-investments/a/d-id/1328862

Lindley, P. (2015, April 7). IT Security Awareness Programs.

Retrieved from

https://resources.infosecinstitute.com/it-security-awareness-programs/

National Cyber Security Centre. (2016, August 9). Guidance: 10 Steps to Cyber Security. Retrieved from https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

New England Network Solutions, Inc. (n.d.). 3 Services you should consider outsourcing in cybersecurity. Retrieved from

https://www.nens.com/3-services-consider-outsourcing-cybersecurity/

Paganini, P. (2017, November 29). Top 10 Cyber Security Predictions for 2018. Retrieved from

https://resources.infosecinstitute.com/2018-cyber-security-predictions/

Pal, R., Golubchik, L., Psounis, K., & Hui, P. (2014). Will cyber-insurance improve network security? A market analysis. INFOCOM, 2014 Proceedings IEEE. DOI: 10.1109/INFOCOM.2014.6847944. Retrieved from https://pdfs.semanticscholar.org/0683/95cb77baa8b26e0bd22f42710cc0e603261b.pdf

Pratt, M. K. (2012, January 13). Cyber Insurance Offers IT Peace of Mind -- Or Maybe Not. Retrieved from https://www.cio.com/article/2400494/security0/cyber-insurance-offers-it-peace-of-mind----or-maybe-not.html#tk.drr_mlt

PwC. (n.d.). The Global State of Information Security® Survey 2018. Retrieved from https://www.pwc.com/us/en/cybersecurity/information-security-survey.html

Secure360 and UMSA. (2017, December 22). 2018 Cybersecurity resolution checklist. Retrieved from

https://secure360.org/2017/12/cybersecurity-resolution-checklist/

SecureWorld News Team. (2018, January 16). Have You Taken This Step to Sustain Your Security Program in 2018? Retrieved from

https://www.secureworldexpo.com/industry-news/how-to-sustain-information-security-program

Telappliant. (2017, June 15). Top 15 tips to improve cyber security. Retrieved from

https://www.telappliant.com/blog/improve-cyber-security/

Threat Analysis Group, LLC. (2010, May 3). Threat, vulnerability, risk – commonly mixed up terms. Retrieved from
https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/

Verizon Data Breach Investigations Report. (2017). Verizon's 2017 Data Breach Investigations Report. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

World Economic Forum. (2018, January 17). The Global Risks Report 2018. Retrieved from https://www.weforum.org/reports/the-global-risks-report-2018

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.