Creating a Healthy Cybersecurity Framework

Cybersecurity continues to be a hot topic in business, and a proper framework may determine the long-term health of your organization. Although cybersecurity may seem a daunting topic to address, it can be managed in the same way you manage your personal health.


Here are some diagnostic questions for your organization to consider when approaching a healthy cybersecurity framework: Do you have a detailed incident response plan for a data breach? Have you conducted a test run? Do you have a cyber insurance policy that adequately protects your organization? Do you understand its terms and requirements? Have you incorporated cybersecurity expectations into your third-party vendor agreements? Have you conducted a security audit of those vendors to determine if they are following your cybersecurity practices?

Tip

“One common mistake is not including a vendor's subcontractors in cybersecurity best practices considerations.”

Much like going to your physician for your annual checkup, it is vital for any organization to conduct regular cybersecurity assessments. Cybersecurity in its simplest form is the protection of digital information from compromise through use of electronic systems and protocols to prevent loss or theft. Far more than passwords and firewalls, cybersecurity requires a close working relationship between C-suite, legal, and IT personnel to determine what the organization's valuable digital assets are and how they are being stored. Cybersecurity is an organization-wide risk management issue — not just an IT or CIO issue — with broad legal implications. Once digital assets have been identified and located, the organization should determine all access points and those with access. Armed with this knowledge, an organization should be able to design a security risk management framework that will mitigate the likelihood of intrusion.

Establishing metrics for your framework will result in better controls and improvements over time. Useful metrics include the types of cyberattacks the organization is receiving (distributed denial of service (DDoS), network intrusions, data tampering/theft) and the types of endpoint monitoring and protection the organization is implementing, e.g., encryption coverage, regular patching, and anti-virus/anti-malware. Training employees and organizational partners is the most critical component, as your framework is only as strong as your least security-conscious employee or vendor.

This article was originally published in Today's General Counsel, Winter 2020, and continues in full at the link listed.
