Cybersecurity is a challenge for industries across every sector. Be it small, medium, or big, cybersecurity is now a major domain that companies can’t afford to neglect. The reason: we’ve witnessed umpteen incidents affecting everyone from companies as big as Apple to tiny businesses. All businesses are potential victims of cybersecurity incidents, which calls for the responsibility of securing an organization to be shared. When you centralize responsibility and decision making, you’re asking for a disaster; at least, that’s how it is in cybersecurity.
According to Lance Spitzner, director of SANS Security Awareness and an NCSA Board of Directors member, “In the past, organizations may have implemented security awareness activities merely for compliance or behavior change, but now people are looking at ways to go beyond just behavior and make security part of the culture.” He further stated that “Awareness programs are important because organizations are repeatedly seeing people as the primary targets for bad guys; cybersecurity is both a technical and human problem – and it requires a technical and human solution.”
With National Cybersecurity Awareness Month under way, the timing is perfect for making policy and cultural changes in your organization. In this article, we compile a list of security tips on how to share cybersecurity responsibility, including recommendations from the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Identify your gold mine
Before you jump into framing policies to protect your data, you should identify the organization's most valuable data. Until you do, the security policies you frame could end up securing less important data at the cost of the valuable information.
Build to protect
Once you’ve identified the gold mine, the next step is to protect it. All security policies should therefore be drafted so that their primary goal is to secure that information. After you frame a policy, it is essential to test it and assess its impact.
Ability to detect
Cyber-incidents can originate from any vulnerable part of an organization. Thus, most employees should be able to detect a breach or suspicious activity in time. Otherwise, the shared-responsibility policy will soon bite the dust. Set up systems that post alerts, preferably prioritized by a severity index. This will help employees know which incidents to report and which to ignore.
Ability to respond to an incident
Any unwarranted incident should be contained immediately and responded to with appropriate action. Therefore, make and practice an incident response plan that will put your business operations back on track as early as possible, with minimal impact. Time is crucial when an incident occurs: devolving decision making to lower levels could significantly reduce the response time.
Know to bounce back
Businesses should always prepare for the worst. Plan ahead for how to respond and get your operations back to normal after an unwanted security incident. You must also consider the repercussions, which may include assessing any legal obligations.
With these tips, you can create a culture of shared responsibility that defines accountability more accurately. In addition, these security practices will help prevent harmful incidents that might otherwise have occurred in your organization. Clearly, the future of cybersecurity depends on all the stakeholders of a business. No single stakeholder can afford to be negligent regarding cybersecurity, as that could spiral into a grand disaster no one had imagined before.