Given today’s threat landscape, cybersecurity needs to be a top concern for every company. Still, many companies are not taking the essential steps to firm up their security because they feel overwhelmed and under-resourced. Matt Lee, senior director of security and compliance at Pax8 and member of the GTIA Cybersecurity Trustmark working group, knows this struggle well. But he is a staunch believer that everyone can improve their security posture a little bit at a time.
“We just saw so very few people taking action. A lot were signing up [for the Cybersecurity Trustmark Readiness Path] and saying, ‘We’re going to do it.’ But there was not a lot of action,” he said.
To help those solution providers and MSPs, the working group developed a series of four videos to provide a preliminary roadmap for immediate improvements to their cybersecurity approach. Lee stresses that perfection should not impede your progress.
“The important thing is to pay attention to something. I don’t care what that is. Pick things that can have an additive effect to your success,” he said.
Here’s a look at each of the four videos that focus on a different strategy or process.
Pick a Decision Maker
One easy way companies can improve cybersecurity is to assign an information security officer (ISO). The working group identified that appointing an ISO is often overlooked, especially in smaller companies. But the group urges that ISOs are essential to empower one person with the responsibility and capability to make final decisions.
“Who is the information security officer? Who is that right person? The security officer doesn’t need to be a CISSP or have lots of titles,” said Dave Alton, chief technology officer of Strategic Information Resources. “Being the ISO is all about communicating up to executive leadership and making sure the staff understands what we’re doing.”
The group encourages companies to appoint a security officer because it is the first step towards governance, which will never be achieved without that role assignment. They stress that it doesn’t matter who it is when you start out, just that someone has the power to make decisions.
“Go name that person who is executively empowered, who is responsible and who makes those decisions. Just go with it. You can always change it later,” said Lee.
Watch the video: Assign an ISO
Document Your Assets
Another critical component of improving security involves creating an asset inventory. Document what is connected to your network for both hardware and software. Alex Spigel, co-founder and COO of Choice Cyber Solutions, recommends an initial discovery process to identify all your assets. She suggests starting with a scanning tool to find IP addresses attached to your network, then moving to items that are used every day, such as mobile devices and laptops, then looking at your vendors and other devices until you’ve finally gone through all your technology.
“It’s really easy to manage once you get organized. Just get it down,” said Spigel.
An asset inventory doesn’t need to involve a complex tool; it just needs to be documented and accessible. The group encourages putting items down a little bit at a time.
“It doesn’t have to be complicated. Start with Excel. This is a crawl, walk, run scenario. You need to understand what you have. Putting information in an Excel spreadsheet is a great place to start. Don’t make this harder than it needs to be,” said Alton.
Once you see it getting more complicated, then you can consider automating with a tool, but the group stresses the importance of doing the manual work first.
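The first automation step the group describes is exactly this: keep the spreadsheet, but let a script tell you where it disagrees with what a scanning tool sees on the network. The following is an added example, not code from the working group or from any of the videos; the CSV columns, the scan output format and the addresses are constructed sample data, not a standard.

```python
"""Reconcile a hand-kept asset inventory (the spreadsheet, exported as CSV)
against the hosts a network scan reported, so that undocumented devices and
documented devices that have gone missing both surface for review.
All data below is constructed for the example."""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory: the rows one would keep in Excel.
# Column names are an assumption for this example.
INVENTORY_CSV = """ip,hostname,owner,asset_type,last_reviewed
10.0.1.10,fileserver01,IT,server,2024-05-01
10.0.1.20,printer-lobby,Facilities,printer,2024-02-15
10.0.2.15,laptop-asmith,A. Smith,laptop,2024-05-03
"""

# Constructed sample scan output: one responding IP per line, as a simple
# sweep tool might export it. Note 10.0.1.77 is not in the inventory and the
# lobby printer did not answer.
SCAN_RESULT = """10.0.1.10
10.0.1.77
10.0.2.15
"""


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str
    asset_type: str
    last_reviewed: str


def load_inventory(text: str) -> dict[str, Asset]:
    """Parse the CSV inventory into a mapping keyed by IP address.
    A duplicate IP is an inventory error, so it is rejected rather than
    silently overwritten."""
    inventory: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(text)):
        asset = Asset(**{key: value.strip() for key, value in row.items()})
        if asset.ip in inventory:
            raise ValueError(f"duplicate inventory entry for {asset.ip}")
        inventory[asset.ip] = asset
    return inventory


def load_scan(text: str) -> set[str]:
    """Collect the set of IPs the scan reported, ignoring blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def reconcile(inventory: dict[str, Asset], scanned: set[str]) -> tuple[list[str], list[str]]:
    """Return (unknown, missing): addresses seen on the network but not
    documented, and documented addresses the scan did not see."""
    unknown = sorted(scanned - inventory.keys())
    missing = sorted(inventory.keys() - scanned)
    return unknown, missing


def report() -> tuple[list[str], list[str]]:
    """Run the reconciliation over the sample data and print the findings."""
    inventory = load_inventory(INVENTORY_CSV)
    unknown, missing = reconcile(inventory, load_scan(SCAN_RESULT))
    for ip in unknown:
        print(f"UNDOCUMENTED: {ip} answered the scan but has no inventory row")
    for ip in missing:
        asset = inventory[ip]
        print(f"NOT SEEN: {ip} ({asset.hostname}, owner {asset.owner}) is documented but did not answer")
    return unknown, missing


if __name__ == "__main__":
    report()
```

Each line the script prints is a question for the inventory owner, not an answer: an undocumented address is either a new row to add or a device that should not be there, and a documented address that stopped answering may simply be powered off. The point is that the manual spreadsheet stays the system of record and the scan only tells you where to look next.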
Watch the video: Document Your Assets
Pick a Control and Make It Better
Select one control and pick it apart. The GTIA Cybersecurity Trustmark journey is based on the Center for Internet Security’s 18 Critical Security Controls. It’s impossible to focus on all of them simultaneously. Lee recommends focusing on one control at a time and making small improvements along the way.
Choose one control and dissect it in great detail. This will force you to figure out how to improve the security for that one single component. Choose whichever control needs review and do a deep dive with your team.
“It’s complex and it really does need a conversation with a team. This is so hard to do by yourself. I don’t have enough institutional knowledge to know everything. Period,” said Alton.
Watch the video: Deep Dive on a Control
Figure Out Who Can Access Your Data
Do you know who can really access your data? It can sometimes be difficult to determine because there are so many more people with access beyond employees. Figuring out who those people are and what kind of access they have is critical to firming up your cybersecurity.
Consider all the people who can access your data from a virtual and physical perspective and determine how you can strengthen your security approach. The group discussed access granted to vendors, along with how a janitor might pose a potential risk because of their physical access.
“Oftentimes we really get focused on the technology, but it’s more than that. Everyone is responsible for that data security access and it’s not data security access on computers, it’s data security access. Where can they get to the data and what lives there,” said Alton.
Even further, there may be entities you don’t know about. Matt Topper, president of UberEther, suggests looking at who you are paying as a way to uncover who may be able to access your data.
“The most effective way tends to be talking to finance to see who’s getting the bill,” he said.
Make a list of everyone who can access your systems and assign classification types to limit access to sensitive data.
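One way to turn that list into something you can check, rather than just read, is to record each person’s relationship to the company and the highest data classification they are approved for, record each system’s classification, and then flag every grant, physical or virtual, that exceeds the person’s approval or belongs to nobody on the list. The following is an added example, not code from the working group or the videos; the classification ladder, the field names, and the people and systems are constructed for the example.

```python
"""Access inventory with a classification check.
Every grant (who can reach which system, physically or virtually) is compared
against the highest classification that person is approved for. Grants that
exceed it, and grants to someone not on the list at all, are reported.
All names, systems and classifications are constructed for this example."""
from dataclasses import dataclass

# Classification ladder, least to most sensitive (an assumption for the example).
CLASSIFICATION_LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Principal:
    name: str
    relationship: str        # employee, vendor, contractor, facilities, ...
    max_classification: str  # highest data class this person is approved for


@dataclass(frozen=True)
class Grant:
    principal: str
    system: str
    mode: str  # "virtual" (account, VPN, API key) or "physical" (badge, key)


# Constructed sample systems and the classification of data living there.
SYSTEMS = {
    "hr-db": "restricted",
    "file-share": "confidential",
    "server-room": "restricted",
    "wiki": "internal",
}

# Constructed sample people, including the vendor and janitor cases the
# group discussed. The janitor is approved only for internal-level spaces.
PRINCIPALS = [
    Principal("a.smith", "employee", "restricted"),
    Principal("backup-vendor", "vendor", "confidential"),
    Principal("night-cleaning", "facilities", "internal"),
]

# Constructed sample grants. "old-contractor" is nobody on the list, which is
# the "entities you don't know about" case.
GRANTS = [
    Grant("a.smith", "hr-db", "virtual"),
    Grant("backup-vendor", "file-share", "virtual"),
    Grant("backup-vendor", "hr-db", "virtual"),
    Grant("night-cleaning", "server-room", "physical"),
    Grant("old-contractor", "wiki", "virtual"),
]


def level(classification: str) -> int:
    """Position on the ladder; higher means more sensitive."""
    return CLASSIFICATION_LEVELS.index(classification)


def find_excess_access(principals, systems, grants) -> list[tuple[str, str, str]]:
    """Return (principal, system, reason) for every grant that should be
    reviewed: the person is unknown, or the system holds data above the
    classification they are approved for."""
    by_name = {p.name: p for p in principals}
    findings = []
    for grant in grants:
        person = by_name.get(grant.principal)
        system_class = systems[grant.system]
        if person is None:
            findings.append((grant.principal, grant.system,
                             "grant to someone not on the access list"))
        elif level(system_class) > level(person.max_classification):
            findings.append((grant.principal, grant.system,
                             f"{person.relationship} approved up to "
                             f"{person.max_classification}, {grant.mode} access "
                             f"to {system_class} data"))
    return findings


def who_can_reach(system: str, grants) -> list[str]:
    """The answer to Alton's question for one system: who can get to the data."""
    return sorted({g.principal for g in grants if g.system == system})


if __name__ == "__main__":
    for principal, system, reason in find_excess_access(PRINCIPALS, SYSTEMS, GRANTS):
        print(f"REVIEW: {principal} -> {system}: {reason}")
    print("hr-db reachable by:", who_can_reach("hr-db", GRANTS))
```

On the sample data the check raises three items: the vendor’s account on the HR database, the cleaning crew’s badge access to the server room, and a wiki account for a contractor nobody on the list vouches for. None of those is automatically wrong, but each is a decision someone, ideally the ISO, should make on purpose.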
Watch the video: Who Works Here?
The journey may seem overwhelming but there are plenty of resources to help you get started. The GTIA Cybersecurity Trustmark can help you along the way.
Learn more about the GTIA Cybersecurity Trustmark