Gathering Wichita’s Cybersecurity Thought Leaders

Wichita, Kan. — (November 4, 2022) — Kevin Colborn, Senior Vice President of Network Operations and CIO, was recently invited by the Wichita Business Journal (WBJ) to appear in the publication’s Cybersecurity Table of Experts feature.

The feature, planned and organized by the WBJ, gathered cybersecurity experts from the Wichita metro area to share their guidance on questions challenging the local business community. The panel included insights from Sara Anstey (Data Analytics Manager at Novacoast), Jacub Bruning (IT and Cybersecurity Operations Manager at Digital Office Systems), John Dobbin (Engineer/Cybersecurity Consultant at Pileus Technologies, LLC), and Brian Schnese (Assistant Vice President/Senior Risk Consultant at Hub International).

Together, the panel touched on various areas of expertise related to cybersecurity, including:

  • Cybersecurity policies and procedures
  • Examples of ideal cybersecurity solutions
  • Cybersecurity tools and best practices
  • Managed cybersecurity
  • Common cyberthreats
  • Cyber insurance

The Cybersecurity Table of Experts feature was included in the November 4, 2022 edition of the Wichita Business Journal.

The complete article is available from the Wichita Business Journal; Kevin’s cybersecurity insights from the feature follow below.

WBJ Cybersecurity Q&A – Kevin Colborn

Who in an organization is responsible for cybersecurity?

Within an organization, everyone has a role to play when it comes to cybersecurity. After all, an overwhelming majority of cyberattacks start with human interaction. Hackers don’t necessarily care if the device they’re attacking belongs to a salesperson, manager, or executive, as long as they can weasel their way into the system. Once they break into an entry point, hackers can snake through systems and hunt for valuable information.

Starting with leadership, organizations should provide their employees with tools and training to become gatekeepers to their data. In larger organizations, an entire team may be dedicated to security, managing all aspects from strategy to monitoring, threat detection, and response. On the other end of the spectrum, individual employees should be mindful of safe internet best practices when using company equipment.

Who in an organization is responsible for maintaining cybersecurity policies and procedures to ensure that they are current?

One of the easiest ways to ensure your cybersecurity policies and procedures are current is by working with a cybersecurity or managed cybersecurity partner that can provide CIO-level guidance and strategic road mapping. Cybersecurity is an expertise that changes rapidly, and staying current with new threats and technologies requires dedicated knowledge and resources.

For larger organizations, the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) should provide overall guidance for cybersecurity policies and procedures. Senior leadership can help establish the support required to establish buy-in from the rest of the organization.

Is a cybersecurity program limited to the IT department/service provider?

Threat actors strike at all levels of an organization, so everyone must have the tools and training to defend the business from cyber threats. Having a single point of failure regarding organizational security is not advisable.

Other departments outside of IT/cybersecurity should also be included from an administrative standpoint—for example, involving human resources to ensure that all employees of an organization have been through security awareness training and that their training has been documented for compliance.

How often should a cyber program be reviewed, and who needs to participate in that review?

There should be at least a quarterly review of a cybersecurity program to ensure it’s on track with the latest cybersecurity trends and regulations. New threats and vulnerabilities are discovered daily, and it’s vital to review controls and incorporate novel, sound strategies as needed. You should include the CIO/CISO, managed services provider (MSP) senior leadership, and human resources in the quarterly review and record all meeting minutes for reference.

What is the importance of getting management buy-in on a cybersecurity program?

Senior leadership buy-in is essential to enact change within any organization, and cybersecurity isn’t any different—it’s not just some switch you can flip and turn on. Technological security solutions, security controls, and organizational policies are all involved in an effective cybersecurity strategy. Management/leadership sets the example for employee buy-in. Additionally, leadership has the authority to make policy compliance enforceable.

What is the best approach or philosophy to building an ideal cybersecurity solution?

There’s no such thing as a 100% perfect cybersecurity solution, but with more layers of protection, you can ensure your business is as safe as possible. Think of the individual layers of cybersecurity like slices of Swiss cheese—each one has a few large holes where a threat could pass through, but when you stack slices on top of each other, you cover up those holes, so the only way to get through the stack becomes narrower and narrower.

In building an ideal cybersecurity solution, you need the technology in place to help keep your business safe, the people/processes to ensure the company stays safe, and the education to ensure everyone in the organization knows how to recognize and report cyber threats.

While building your security structure, security awareness training (SAT) for your users is paramount. Social engineering accounts for around 90% of cyberattacks; it’s, by far, the easiest way for a threat actor to breach an organization. Providing SAT and phishing tests creates a collaborative culture within your organization. Users help report suspicious activity rather than being too afraid to report a potential incident. Fostering a good internal security culture can be incredibly helpful in preparing for possible targeted attacks.

What aspects of cybersecurity have become critical for organizations that have adopted a work-from-anywhere employment model?

Work-from-anywhere made everything more challenging for organizations to protect equipment, networks, and data—on-site cybersecurity resources no longer protect company equipment. Instead, endpoints are out in the wild and vulnerable.

Organizations must include some sort of multifactor authentication (MFA), especially with cloud SaaS resources. The beauty of MFA is that it adds verification to the login process, so even if usernames or passwords are compromised, the threat actor can’t easily gain access.

Additionally, endpoint management tools are all essential to secure data and track risk. Cybersecurity solutions like endpoint detection and response (EDR) work by monitoring networks and endpoints (computers, mobile devices, printers, tablets, etc.) in real time to detect malicious behavior. When the system detects malicious behavior, it quarantines devices until threats can be investigated. Not only does EDR protect endpoints, but it helps prevent endpoints from carrying threats back to on-site networks when employees return equipment from outside the office.

If your organization doesn’t have a huge technology budget, what are two tools you definitely need in your stack?

Building a cybersecurity stack requires strong leadership buy-in and a long-term implementation plan. To get started, security awareness training (SAT) and multifactor authentication (MFA) are the most essential and accessible tools you should incorporate into your organization’s cybersecurity plan.

Establishing controls based on ISO 27001:2013 or CMMC is a strategy you could employ.

What are the three key things you should be looking for in a managed cybersecurity partner?

First, a managed cybersecurity partner should employ similar tools, practices, and procedures that they’re recommending for your organization. A partner with an industry-known certification like AICPA SOC 2 is a great start—these certifications show that the organization has proven they employ secure practices. Keep in mind that there should be proof that the audit was completed across the board and not in one specific area of the organization. Many MSPs don’t certify the entire organization yet still tout their compliance.

Secondly, they should be well-versed in creating a cybersecurity roadmap for their clients. Many clients will not have the budget to incorporate expensive security solutions, and it’s crucial to demonstrate the initial steps as a low-cost risk mitigation strategy to build a secure environment and relationship with trust.

Lastly, they should be knowledgeable in assisting the client in navigating compliance pertaining to their vertical in a cost-effective manner.

Is penetration testing necessary to assess risks?

Penetration testing is vital for anything that employs internet-based services like websites, SaaS, remote desktop gateways, etc.; however, penetration testing is also costly. Active penetration testing can cost upwards of $10,000 per asset.

Persistent, highly visible services provided by an organization should have yearly, active penetration tests. Additionally, the tests should happen when there’s any significant change to an asset.

Alternatively, passive vulnerability scans are much cheaper and can be completed with cloud tools such as Tenable or Qualys. They can help organizations identify external vulnerabilities at a lower cost and provide insight into what threat actors see when searching for targets.

What do Wichita business owners need to know about the evolving ransomware pandemic?

Our primary strategy is a “defense-in-depth” or multilayered approach to cybersecurity. This strategy can include educating clients on threat vectors, implementing multifactor authentication, employing immutable backups, enabling signature and behavioral endpoint protection, event log and information management, SaaS protection and auditing, intrusion detection, vulnerability scanning, and monitoring via a 24/7/365 security operations center that can correlate all of that information as an extended detection and response solution.

How do you create an incident response plan?

We recommend developing a separate incident response plan for every function within your organization—for example, every file server, application cluster, etc. Each function should have defined stakeholders; identified assets; assigned risk designation; a process of identifying, protecting, detecting, responding, and recovering from the incident; and a possible breach notification plan, depending on the asset.

How can cyber insurance help Wichita business owners transfer some of this risk? What does cyber insurance cover today?

Cyber insurance can establish a good primer for an organization to begin its own journey to security best practices. While collecting cyber insurance quotes, your organization will likely uncover vulnerabilities you didn’t initially recognize.

Broadly, cyber insurance covers liabilities caused by the breach. This facet protects the organization from privacy-related fines if personally identifiable information or personal health information is released due to the breach.

How does cyber insurance affect service delivery?

Cyber insurance has affected how service providers access client assets. It’s essential that the service provider can guarantee protection to privileged accounts. Multifactor authentication (MFA) requirements call for documentation systems to employ a TOTP software token within the solution to access the client.

Service providers also must consider the downtime caused by incident response investigations. They should create a method to efficiently offload data snapshots to the insurance company to quickly restore client operations.

In light of the difficult cyber insurance market, what are some strategies that Wichita business owners can employ to ensure placement and favorable terms?

Multifactor authentication (MFA) on cloud resources such as Microsoft 365 is imperative to achieve a reasonable cyber insurance rate. In fact, some insurance companies require it for approval. Endpoint detection and response (EDR) and tested backups are also critical for ensuring a reasonable rate.

What are some of the trending breach response and insurance claim issues that should inform Wichita business owners’ approach to managing their cyber risk?

Business owners should consider cyber insurance like a safety cushion if their cybersecurity solution is compromised—one thing you need to consider is the downtime caused by incident response investigations.

Cyber insurance incident investigators will want to analyze the status of an asset that has been compromised, and this investigation can create days of downtime for an organization. The dollars add up quickly and painfully when your employees can’t do business.

In the same vein, as part of their cybersecurity strategy, businesses should create a method to offload data snapshots to the insurance company quickly so that client operations can be restored promptly.

What can employees do to help an organization’s cybersecurity program?

An excellent security awareness training program can foster a company culture of teamwork to protect an organization. Creating a trusted flow of information from employees to IT leaders and administrators is important to help find threat vectors.

Creating a fear-based culture built on repercussions related to breaches and threat events will only delay your response time and hurt your overall security plan. Conversely, choosing a security awareness training provider should give your employees memorable training and foster a team-based cybersecurity mentality.

We Help Keep Your Business Safe.

As a technology partner, High Touch specializes in building comprehensive technology solutions for businesses, including cybersecurity. Please contact us if you have any questions or are interested in learning more about Managed Cybersecurity and Cybersecurity solutions for your business.