In the ever-growing landscape of the networked world, users and organizations face the challenges posed by the rapid and continuing growth and evolution of technology. Along with the benefits and convenience of IoT devices, SCADA systems and corporate networks come the threats posed by outside threat actors and by insiders. It is the challenge and responsibility of the cybersecurity professional to address these threats. In order to protect our organizations and users, I believe that we as cybersecurity professionals can succeed by considering current ethical and regulatory standards, implementing a dynamic cybersecurity training program, and investing mindfully in cybersecurity infrastructure.
TAILOR A CYBERSECURITY POLICY THAT MEETS THE COMPANY’S SECURITY GOALS AND EXISTING ETHICAL AND REGULATORY STANDARDS.
The first and most important step is tailoring a company cybersecurity policy. An effective policy is built on compliance with existing standards and fits the company’s security goals. By aligning security goals with existing standards, companies can protect their reputation, maintain customer and client trust, build loyalty, defend against data breaches and malware, and continually improve their security posture (CompTIA, n.d.). Understanding the security goals of the users or the company is crucial in developing a tailored policy. By assessing the physical and virtual security requirements of the assets to be protected, whether trade secrets, product specifications or source code, a specific and tailored cybersecurity policy can be written, and a training program can then be built alongside it to address the threats those particular assets and exposures attract. As cybersecurity professionals, it is our responsibility to familiarize ourselves with existing ethical and regulatory standards when tailoring our own cyber policy. We can create a more robust policy by drawing on existing frameworks and regulations such as NIST guidance, HIPAA, the Privacy Act, FISMA and international standards (Rodriguez et al., n.d.). Reviewing these references not only provides a foundation for a tailored policy, it also benefits the organization by ensuring compliance with local, national and international regulations. Compliance is a floor rather than a guarantee, however: meeting a standard shows that the required controls exist, not that they stop the attacks a particular company faces, so the policy should go beyond the checklist wherever the asset assessment calls for it.
CREATE AND IMPLEMENT A DYNAMIC CYBERSECURITY TRAINING PROGRAM.
In order to meet these challenges, we must develop a dynamic training program based on the tailored policy and implement it with consideration for all users and current threats. The dangers to a company’s network include malware such as viruses and worms, and attacks such as DDoS and phishing. Data breaches, supply chain attacks and botnets are among the other top threats that businesses face in today’s cyber landscape (Miner, 2023). Risks introduced by employees can be just as dangerous. For example, the habit of employees engaging in non-work-related internet surfing “costs U.S. employers a whopping $85 billion a year” (Kawamoto, 2022). Other internal threats to cyber infrastructure include browsing social networks, online shopping, online gaming and gambling, and even pornographic browsing. These cause not only losses in workplace productivity but, like external threats, widen the company’s exposure to malware and phishing, putting company assets at risk. Insiders can also use unsecured technology to leak company secrets and damage the company’s IT infrastructure.
To address this, we must always consider the user and ensure that everyone receives training. If employees mostly work from home or work different shifts, online training with an accompanying exam, or quarterly meetings, will be effective. If employees work at an office, an instructor-led training session is more appropriate. Understanding the audience is important in making sure the training is accessible to all of a company’s employees. For all employees, training should begin at onboarding and be refreshed regularly (Forbes, 2023). Training should be appropriate to the level of access and responsibility: employees with more access need higher-level and continued training to meet the demands of their responsibilities.
“The key to effective training, even for technical and SME staff members, is to stay current on the latest trends in attack vectors and exploits and train all staff to spot them regularly” (Nath, 2022). In addition, the Forbes Technology Council expert panel recommends a program that is easy to understand, implement and audit (Forbes, 2023). An internal red team and blue team exercise structure, in which one group simulates attacks and the other detects and responds to them, would benefit the company by testing cybersecurity compliance in practice and by producing a concrete list of gaps to cover in future cybersecurity training.
MINDFULLY INVEST IN TECHNOLOGY AND SECURITY SERVICES.
In 2021 the average data breach cost $4.24 million, including direct expenses such as technical investigations and legal fees and indirect expenses such as diminished customer trust and lost business, and according to a KPMG study 19% of consumers “will likely avoid doing business with organizations that have suffered a cyberattack” (BusinessCloud, 2023). To complement a tailored cybersecurity policy and a dynamic training program, investment should be placed in information technology infrastructure and systems. Software considerations include internal and external proxies and firewalls, which hide the organization’s internal hosts and addressing from outside observers, filter malware, help mitigate DDoS attacks and block data leaks. Hardware considerations include backup or spare servers, coupled with backup power and cooling, to provide redundancy against grid failure. Physical security services such as 24/7 monitoring and physical security walkthroughs can also complement the security of an organization’s IT infrastructure. In addition to providing security and redundancy for data, IT systems and infrastructure should fit the organization’s use case to be effective. If a security suite or service is too complicated for the user or system administrator, it is at best ineffective and at worst a security risk in itself, because controls that are hard to use tend to be misconfigured or bypassed. If most employees work remotely, investment in secured mobile phones and laptops would benefit the company’s cybersecurity program. If a company runs an isolated local network with no connection to the outside internet, redundant and ruggedized servers, UPS units and backup power would be the more beneficial investments. Investing in well-supported equipment is also crucial.
Mike Jennings of TechRadar reminds stakeholders that a small business with a simple infrastructure should consider buying multiple licenses for a security suite, while larger companies might consider cloud-based features; to protect your business, you have to weigh which products work for you (Jennings, 2022). Finally, it is important to ensure that equipment, software and services are regularly updated, and when shopping for them, those that are more comprehensively supported by the vendor are the better investment. Fortinet’s article on cybersecurity states, “It’s important to keep in mind that your technology portfolio is only as good as the frequency and quality of its updates. Frequent updates from reputable manufacturers and developers provide you with the most recent patches, which can mitigate newer attack methods” (Fortinet, 2023).
CONCLUSION
In today’s networked society, investing in cybersecurity is necessary to adapt to the emerging threats of the digital and connected world. The first step toward success is creating a tailored cyber policy, from which an organization benefits by matching its needs with the appropriate security measures, protecting the company from cyber threats and ensuring local, federal and international compliance. A tailored policy then provides the guidance and framework needed to keep cybersecurity measures and training up to date and effective. Complementary to policy, appropriate technology and training are essential to running a successful business. Quality cybersecurity training ensures that policy is implemented and followed, giving employees the skills and knowledge to recognize potential threats and take appropriate steps to mitigate them. Investing in security services and technology protects a business and its clients by keeping confidential data safe, preventing financial losses and maintaining reputation and customer trust. Cybersecurity professionals must consider these steps to protect their users and grow their businesses.
REFERENCES:
Rodriguez, K., Alimonti, V., & Gullo, K. (n.d.). International privacy standards. Electronic Frontier Foundation.
CompTIA. (n.d.). What is cybersecurity compliance? CompTIA.org. https://www.comptia.org/content/articles/what-is-cybersecurity-compliance
Miner, M. (2023, April 5). The top 12 security threats to your company network. SSI. https://insider.ssi-net.com/insights/the-top-12-security-threats-to-your-company-network
Kawamoto, D. (2022, November 28). Cyberloafing: What is it and how to prevent it. Built In.
Forbes Magazine. (2023, July 18). Council post: Companywide cybersecurity training: 20 tips to make it “stick.” Forbes. https://www.forbes.com/sites/forbestechcouncil/2023/07/14/companywide-cybersecurity-training-20-tips-to-make-it-stick/?sh=3e61cf729556
Nath, O. (2022, February 9). Top ways organizations can train employees to defend against cyber attacks. Spiceworks. https://www.spiceworks.com/it-security/cyber-risk-management/articles/training-employees-against-cyberattacks/
BusinessCloud. (2023, August 25). Why investing in cybersecurity is more important than ever for businesses.
Cisco. (2023, October 27). What is cybersecurity?. Cisco.
Jennings, M. (2022, April 26). How to choose the right antivirus for your business. TechRadar.
Fortinet. (2023, November 12). What is cybersecurity? Different types of cybersecurity. Fortinet. https://www.fortinet.com/resources/cyberglossary/what-is-cybersecurity