Every company, regardless of size, industry, or location, needs a cybersecurity game plan. Whether you’re a mom-and-pop shop or a Fortune 500 enterprise, your organization is vulnerable to the growing number of cyberthreats in the digital space. To combat current cyberthreats, inevitable cyberattacks, and potential data breaches, you MUST have a predefined, systemic approach. This approach should encompass four phases:
- Research: Anticipating threats and identifying vulnerabilities
- Preparation: Employing defense strategies and shielding against threats
- Execution: Responding to an active attack or breach
- Reassess and Revitalize: Reassessing strategies and tactics based on an incident
Last week, we discussed some of the most common cyberthreats currently posing the greatest risk to the market. This helped to familiarize you and your company’s cyber heroes with the most volatile threats for 2017 and 2018. There isn’t much you can do to deter black hat hackers from crafting new cyberattack campaigns aimed at compromising your cyber defenses. You can, however, identify and proactively address vulnerabilities to protect your organization from increased susceptibility to malicious breach attempts…
In this post, we’ll walk through phase one of your cybersecurity plan of action by evaluating information used by your organization and how this data translates into your organization’s cyber vulnerability.
Identifying and Assessing your Organization’s Threat Vulnerability
In your efforts to safeguard data from hacktivists and cyber criminals, you must adopt a method of identifying the vulnerabilities that leave your business all the more susceptible to a breach. This method is commonly referred to as “risk assessment.”
This simple assessment outline can be used by any organization, regardless of industry or size!
However, before we explain the process, keep in mind you’ll likely need to collaborate and gather input from other members of your team… Directors of applicable departments, project managers, IT specialists, and legal personnel will likely be helpful in identifying some of the information you’ll want to include.
Step 1: Identify Information your Organization Uses and Stores
To begin the process of assessing your organization’s risk, you’ll need to compile the pieces of information received or sent as part of your business’s transaction cycles and workflows. This may include: email addresses, phone numbers, account numbers, invoice line items, SSNs, or other proprietary information. This is an excellent time to collaborate with other members of your team in compiling an accurate list and avoiding accidental omissions. We recommend segmenting and grouping all the individual pieces of information into categories that make sense for your business.
Expert Tip: Our CTO, Don Kratt, suggests trying this quick process of organizing if your business has no pre-defined data categories:
- Write each piece of information on a Post-it.
- Physically segment the Post-its into groups (categories) with consideration to their similarity. Create the number of groups that makes sense for the amount of data gathered and your organization, but try and keep it under eight if you can.
- Label the groups based on the pieces of information in each group.
Make sure to include both internal data (information associated with your employees or the organization itself) and external data (information associated with your clients, customers, partners, and other stakeholders). Additionally, consider labeling each piece of information as either “internal” or “external.”
Step 2: Determine the Information’s Value
Now you have a working outline of all the pieces of information that a cybercriminal could potentially gain access to. The next step is to determine each piece of information’s value. When you determine a piece of information’s value, safeguarding and security determinations become all the simpler!
In determining value, an ordinal scale is likely more efficient than attempting to assign a monetary value to a piece of information. Consider using a 0-3 scale, where 0: no value, 1: low value, 2: moderate value, and 3: high value. To arrive at a logical value, evaluate every piece of information using these key questions:
- What would take place if this information were released to the public?
- If this information was modified or communicated incorrectly, what further implications could occur?
- What would happen should my customers or staff be unable to access this data?
Step 3: Determine the Information’s Threat Vulnerability
After determining each piece of information’s value, you need to determine the threat vulnerability index of each group. To do this, take the piece of information with the highest-ranking value (0-3) in the group, and assign that same value as the group’s threat vulnerability index (1: low, 2: moderate, 3: high).
Notice that averaging the values of all the pieces within a group is not recommended… It could leave a high-value (3) piece of data in a group with only a moderate (2) or low (1) threat vulnerability index.
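The three steps above, worked through in code. This is an added example, not part of the original post or of AssureSign’s own tooling; the inventory of information items, the category names, and the 0-3 values are constructed for illustration, and the “masked items” check is an addition that shows exactly which high-value pieces an averaged index would hide.

```python
"""Worked example of the three-step information risk assessment.

Assumed (not from the original post): a constructed inventory of information
items and the helper names below. The rule implemented is the post's own:
a group's threat vulnerability index is the highest value in the group,
never the average.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Step 2 scale, as described in the post.
VALUE_SCALE = {0: "no value", 1: "low value", 2: "moderate value", 3: "high value"}
SCOPES = ("internal", "external")


@dataclass(frozen=True)
class InfoItem:
    """One piece of information the organization sends, receives, or stores."""
    name: str
    category: str   # the "Post-it group" from Step 1
    scope: str      # "internal" (employees/org) or "external" (clients, partners)
    value: int      # 0-3 ordinal value from Step 2


def validate(items: list[InfoItem]) -> None:
    """Reject entries that are off the scale or missing an internal/external label."""
    for item in items:
        if item.value not in VALUE_SCALE:
            raise ValueError(f"{item.name!r}: value {item.value} is not on the 0-3 scale")
        if item.scope not in SCOPES:
            raise ValueError(f"{item.name!r}: scope must be one of {SCOPES}")


def group_by_category(items: list[InfoItem]) -> dict[str, list[InfoItem]]:
    """Step 1: collect items into their categories (insertion order preserved)."""
    groups: dict[str, list[InfoItem]] = {}
    for item in items:
        groups.setdefault(item.category, []).append(item)
    return groups


def threat_vulnerability_index(items: list[InfoItem]) -> dict[str, int]:
    """Step 3: each group's index is the highest value of any item inside it."""
    validate(items)
    return {cat: max(i.value for i in group)
            for cat, group in group_by_category(items).items()}


def averaged_index(items: list[InfoItem]) -> dict[str, float]:
    """The approach the post warns against, kept only to demonstrate the pitfall."""
    return {cat: mean(i.value for i in group)
            for cat, group in group_by_category(items).items()}


def masked_high_value_items(items: list[InfoItem]) -> list[InfoItem]:
    """High-value (3) items that an averaged index would bury in a lower-rated group."""
    avg = averaged_index(items)
    return [i for i in items if i.value == 3 and round(avg[i.category]) < 3]


def report(items: list[InfoItem]) -> list[str]:
    """One summary line per group, using the post's 1: low / 2: moderate / 3: high labels."""
    labels = {1: "low", 2: "moderate", 3: "high"}
    return [f"{cat}: threat vulnerability index {idx} ({labels.get(idx, 'none')})"
            for cat, idx in threat_vulnerability_index(items).items()]


# Constructed sample inventory (not real data); categories follow the Post-it exercise.
INVENTORY = [
    InfoItem("Customer SSN", "Customer records", "external", 3),
    InfoItem("Customer email address", "Customer records", "external", 1),
    InfoItem("Customer phone number", "Customer records", "external", 1),
    InfoItem("Marketing newsletter copy", "Customer records", "external", 0),
    InfoItem("Employee payroll account number", "HR records", "internal", 3),
    InfoItem("Employee work phone extension", "HR records", "internal", 0),
    InfoItem("Invoice line items", "Billing", "external", 2),
    InfoItem("Purchase order number", "Billing", "external", 1),
]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
    print("Averages (do not use):", averaged_index(INVENTORY))
    print("High-value items an average would hide:",
          [i.name for i in masked_high_value_items(INVENTORY)])
```

Running the script rates “Customer records” and “HR records” as high (3) because each holds one high-value item, even though their averages are only 1.25 and 1.5; the averaged index would have demoted the SSN and payroll account number to a moderate or low group, which is precisely the outcome the max rule prevents.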
The finished product will yield a clear picture of how your data shapes your company’s vulnerability to cyberthreats, and is a required input for next week’s post: determining your organization’s right-fit security approach.
Keep in mind… This is a simplified method of identifying and analyzing vulnerabilities based on information your organization uses or stores. Based on your organization, industry, use of data, and familiarity with data use, you may not be able to determine the value of your information and data without a cybersecurity threat analyst. Particularly, smaller organizations with heavy data use and no IT personnel should consider seeking an outside resource for accurate evaluations.
By determining your organization’s overall cyber vulnerability, you’ve now completed the first phase in building your systemic cybersecurity approach. This should help provide some clarity in deciphering which groups will require more security resources than others.
Next week, we’ll identify different defense strategies and determine if, based on your organization’s threat vulnerability, your security efforts can be housed within an internal IT department or if outsourcing through external security vendors makes the most sense for your organizational needs.
AssureSign navigated a similar process when we developed our security protocol! We built a robust security infrastructure that secures and defends eSignature data, earning the trust of our many customers and partners! Take a look at how AssureSign defends against cyber vulnerabilities in our eSignature Security Relay Race Whitepaper!