The starting point for an effective cybersecurity plan is so simple, it’s often overlooked. You must develop a comprehensive list of what you have, including the growing amount of data that resides outside of your company, before even worrying about a protection plan. Put more bluntly:
You can’t protect what you don’t know you’ve got.
Not that many years ago it was easier to get your arms around your company’s information technology. The list of protection-worthy things was more physical – computers, CDs and backup tapes, etc. You could “see” much of what needed to be controlled.
As you are keenly aware, those days are long gone. Access credentials travel around in the memory of laptops and pocket-sized devices. Sensitive data reside not only on those same devices, but also in the systems of third-party SaaS providers and of your vendors and customers.
Know Your Environment
Simple, but not easy – your cybersecurity planning must start with a thorough assessment of what needs protecting.
Don’t take just our word for it. The Center for Internet Security (CIS) Cybersecurity Controls* spell out a 3-phased approach to implementing a thorough cybersecurity protection plan.
And phase 1 is “know your environment.”
The team at Endsight couldn’t agree more with this strategy. We manage the IT of over 300 small and midsize enterprises (SMEs), including the planning and implementation of appropriate cybersecurity controls. Our focus on security has earned us recognition by CRN four years in a row as a leading managed service provider in the security category.
Cybersecurity Planning Questions to Ask
Accounting for and accurately assessing a client company’s systems and information is the starting point every time. To get your process started, have your team consider these questions:
Can we produce a list of computers and data in use?
A list of computer assets is a good place to start. Then the team can consider all the types of information in use across the company. Experienced cybersecurity professionals will understand where “hidden” or often-overlooked systems and data may reside.
What data do we have in the cloud?
Data from critical systems like ERP or accounting are easy to identify, but aren’t the end of the story. Document sharing applications and more obscure SaaS systems are likely to be in use within teams or departments.
What data do we have on our own computers?
Without strong controls and training in place, well-intentioned employees may inadvertently develop unsafe habits. Your team may find critical information on individual systems lacking backup and protection.
Who else has access to our data and what are they doing to secure it?
Customers, vendors, professional services firms… your data likely stretches far beyond your own staff and offices. Once again, having your cybersecurity project led by someone with experience helps ensure that the right questions are asked and that all business processes are probed to discover potential risks.
How is information accessed via employee-owned devices controlled?
Cloud solutions and remote access to company systems enable your flexible workforce. But that additional access and productivity may come at a cost if the devices reaching your data are not under your control.
A partial list of what should be inventoried:
- Credit card, banking, and financial information
- Personally identifiable information (PII), such as Social Security numbers, health information, usernames and passwords, home addresses, birth dates, etc.
- Customer lists, product lists, pricing, etc.
- Company trade secrets, formulas, methodologies, models, etc.
- Applications used
Even if your company has invested in cybersecurity planning and protection, circling back to the “know your environment” phase can bring important benefits. You may also want to check out this overview of the recommended 3-phased cybersecurity implementation plan.
* The 18 controls developed and published by CIS are updated regularly and available for free on the organization’s website.