Cybersecurity Basics in an Ever-Connected World
Data and privacy are increasing concerns in today’s business environment. Many states and foreign governments have passed legislation that attempts to address some potential risks existing in our hyper-cyber environment. Recently, on December 13, 2020, cybersecurity firm FireEye detected that the SolarWinds’ Orion Network Management Products were compromised by a foreign-state sponsored cyber-espionage intrusion. This wide-ranging campaign impacted many government entities, from federal to local agencies, and private businesses utilizing the Orion software across multiple industry sectors.
Organizations are often responsible for implementing commercially reasonable cybersecurity protections, with obligations arising under laws, industry standards, and contracts. While the incident mentioned above is sophisticated and the related investigation ongoing, this incident and others have made clear that there are relatively simple steps each and every organization can take today to help mitigate cybersecurity risks and strengthen defenses.
Many cybersecurity attacks or intrusions seek to exploit vulnerabilities that exist in every organization, namely individuals and technical vulnerabilities. In order to harden these universal vulnerabilities, an organization should conduct a cybersecurity audit and risk assessment, preferably annually and, if possible, through a third party.
A cybersecurity audit can take many forms but, at its basic level, should cover the following:
- Documenting and confirming current hardware (any not decommissioned) and installed software (even if unused);
- Examining current organizational policies relating to the security practices, both physical and digital;
- Examining data flow across the organization – What data is acquired by the organization? Where does the data go? Who has access? How is the data retained? How is the data disposed?
- Reviewing technical frameworks relating to the foregoing.
By understanding its cyber assets (both hardware and digital), an organization can better analyze its risk in the cyber world.
A cybersecurity risk assessment helps an organization understand the role of cybersecurity in its day-to-day operations and impact its business model. A risk assessment should include technical, operational, and executive personnel. The risk assessment should include discussion of the following:
- Threats to the organization – based on industry, organization, personnel, etc.;
- Vulnerabilities in the organization – digital infrastructure, environment, etc.;
- Probability of an event occurring; and
- Impact on organization if an event were to occur.
The risk assessment gives the organization the opportunity to understand its exposure and the implications cybersecurity has on day-to-day operations. The industry an organization operates in and its own complexity can change cybersecurity expectations and requirements.
The first step in implementing a cybersecurity and privacy compliance framework is understanding how these issues fit within the organization as a whole. Software and tools can help strengthen an organization’s cybersecurity defense; however, organizational awareness, deliberation, and buy-in across all levels can assist in taking cybersecurity protection to the next level.