Upload: bright-technology

Post on 23-Jan-2018

Page 1: Nine Steps To Creating A World Class Information Security Plan


NINE STEPS TO CREATING A WORLD-CLASS INFORMATION SECURITY PLAN

Securing your data takes more than the latest security software. It also takes sound management and an informed team.

Protecting what we own in cyberspace has evolved to become one of today’s top business challenges. That’s mainly because assets are no longer just physical, as they were 150 years ago. Security is no longer a matter of just rounding up the cattle and putting a fence around the herd.

Now, there are digital assets to protect, too.

Lawyers won’t help you much, either, when it comes to data security. They may argue your case in court or pursue those who infringe on your digital property, but they can’t do much to shore up your data vulnerabilities. No matter how thickly your organization pads itself with teams of lawyers, it won’t do much to protect your digital assets from the threats that loom in cyberspace.

These days, it takes a comprehensive, disruptive approach to information security to secure all your business assets. Cyberspace is about as vast a territory to protect as any, which makes creating an information security plan no small task. This guide is here to help.

A Guide to Protecting Your Assets in the 21st Century

The interdependence of technologies makes for an incredibly diverse and complex world. This world includes telecommunications, computer networks, and the quickly growing sub-world of connected devices.

This guide is for business owners, CISOs, IT managers, and others who seek to create an information security plan. It’s also designed to give leaders an idea of the landscape. Only by seeing the big picture can leaders and managers prioritize their decisions.


Grasping the Information Security Landscape

A good security plan focuses on the most serious threats at hand while also incorporating a plan for the future integrity of valuable assets.

Before you create your plan, it’s important to understand what you’re up against. Threats come in many forms, both hostile and negligence-based. They range from catastrophic events like all-out attacks on your company’s infrastructure, to cyber espionage, to leakage of intellectual property.

It’s that last threat, which can arise from inadvertent carelessness or from wilful theft, that poses one of the greatest security challenges today. The reason is clear: this type of security threat is employee-based. This is one reason why today’s security challenges must involve sound management. Training, oversight, and communications are key in this regard.

As you can see, an information security plan must involve a plan for management as well as a structure for technology mandates.

What follows is a five-part plan for businesses to protect their electronic assets. A 2015 Ponemon Institute study found that the average cost of a data breach to companies surveyed was £2.95 million, up 23 percent over the previous two years. The time to start your security plan is now.

Step 1: Know What You’re Protecting

Your cyber assets can be divided into two categories:

1. Data. This is your intellectual property, your customer records, your inventory database, your bookkeeping, your employee data.

2. Systems. This is your website, your CMS, your online shopping cart, your security system for your building, your health & safety management system, your patient monitoring system, etc., depending on the type of business you have.

Step 2: Know Where the Threats Come From

Vulnerabilities for both types of assets stem from both technical and human sources. If your firewall isn’t strong enough or configured correctly, or if you don’t have one at all, that’s a technical issue. If your employees fall for phishing email scams, there’s your human vulnerability.

Again, cyber security is not just a technical issue—it’s a management concern, too.

And if your employees are accessing company systems on unsecured devices, that poses both technical and human-based threats at once.


Step 3: Understand the Scope of a Good Plan

Companies that understand that information security plans need to be cross-departmental, as well as top-to-bottom, will ultimately be more successful in protecting their assets.

Gone are the days when companies could simply rely on their IT departments to put up a firewall, install anti-virus software, and be done with it.

Security is no longer the sole domain of the IT department.

Creating and managing a successful data security plan takes, first and foremost, an informed vision from top leadership. Only through solid and consistent messaging from the C-suite will management be able to inject a security-minded culture at every level in an organization.

In other words, it’s great if managers understand how to protect data and systems, but for a plan to work, everyone has to work together. That includes team leaders and team players, right down to the new hire who’s about to access the company intranet on his own phone.

Step 4: Conduct an Audit

It’s hard to devise a customized, comprehensive plan for security without first conducting an audit. The best person to conduct a security audit is someone with security experience. Your firm’s security is still your own responsibility, however, so it’s good to know how to conduct a basic audit yourself.

Leaders can begin the process by taking stock of the following:

• data and systems that could be at risk

• offline systems which are at risk via USB ports, etc.

• assets shared or held outside your organization—by vendors, contractors, etc.

The scope of an audit depends on your organization, your goals, and the industry you’re in. Banking, for example, requires regular, third-party audits to ensure compliance with federal and industry regulations.

If you’re a small business, chances are your audit can be completed in an afternoon and you can set your own benchmarks.

Step 5: Prepare a Risk Assessment

With the list of assets you’ve made in Step 4, now it’s time to assess the level of risk for each item on your list. Go down the list you made:

• What is the likelihood of an attack on each item in your security audit?

• What types of vulnerabilities are attached to each asset?


If you have a team, gather them and do some brainstorming on the risks your assets face. Then, begin to attach value to the risks.

• What is the financial risk?

• How about the risk to your brand’s reputation if assets are compromised?

In your brainstorming session, make sure to include conversations about the motivation for malicious cyber-attacks. That’s going to be tied to the value of the assets but also to the type of risk involved. In other words, customer data may have street value but your company’s website has competitive value. If your website goes down, who benefits? Try to cover all the risks from all angles.

Finally, do you already have a security policy? If so, your assessment serves to test how well that policy works in real life.

Step Five: Categorize Your Assets

Based on the audit and the risk assessment, you’ll be able to divide your assets into two categories:

1. those which require basic protection such as best practices

2. those which require more aggressive measures of security

The second category of assets may require outside services for protection, or more internal resources, or both. For instance, you may need to dedicate more employee time to protecting these assets. Perhaps some assets require an upgraded security management regime so training would be in order for some employees.
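A small risk register ties Step 5 (likelihood, vulnerabilities, financial and reputational risk, "who benefits") to the two-way categorization above. The following is an added example written for this page, not code from the guide or its publisher; the 1-to-5 rating scale, the score formula (likelihood times the worse of the two impacts), the category threshold of 12 and the sample assets are all assumptions of the example.

```python
from dataclasses import dataclass, field

# Assumed qualitative scales (not from the guide): likelihood and each impact
# dimension are rated from 1 (low) to 5 (high).
SCALE = range(1, 6)
# Assumed threshold: a score at or above this puts an asset in the second
# category ("more aggressive measures of security").
AGGRESSIVE_THRESHOLD = 12


@dataclass
class AssetRisk:
    name: str
    kind: str                   # "data" or "system", following the Step 1 split
    likelihood: int             # how likely an attack on this item is
    financial_impact: int       # cost to the business if it is compromised
    reputational_impact: int    # damage to the brand if it is compromised
    vulnerabilities: list = field(default_factory=list)
    who_benefits: str = ""      # answer to "if this goes down, who benefits?"

    def score(self) -> int:
        """Risk score = likelihood x worst-case impact (financial or reputational)."""
        for value in (self.likelihood, self.financial_impact, self.reputational_impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: ratings must be 1..5, got {value}")
        return self.likelihood * max(self.financial_impact, self.reputational_impact)

    def category(self) -> int:
        """1 = basic protection (best practices); 2 = more aggressive measures."""
        return 2 if self.score() >= AGGRESSIVE_THRESHOLD else 1


def build_register(assets):
    """Return the register ordered from highest to lowest risk score."""
    return sorted(assets, key=lambda a: a.score(), reverse=True)


def categorize(assets):
    """Split the audited assets into the guide's two categories."""
    basic = [a for a in assets if a.category() == 1]
    aggressive = [a for a in assets if a.category() == 2]
    return basic, aggressive


# Constructed sample inventory for the example (not real assets).
SAMPLE_ASSETS = [
    AssetRisk("customer records", "data", likelihood=4, financial_impact=5,
              reputational_impact=5, vulnerabilities=["phishing", "excess access"],
              who_benefits="criminals (resale value of the data)"),
    AssetRisk("public website", "system", likelihood=3, financial_impact=3,
              reputational_impact=4, vulnerabilities=["DDoS", "unpatched CMS"],
              who_benefits="competitors (competitive value)"),
    AssetRisk("lunch menu intranet page", "system", likelihood=2,
              financial_impact=1, reputational_impact=1),
]

if __name__ == "__main__":
    for asset in build_register(SAMPLE_ASSETS):
        print(f"{asset.score():>2}  category {asset.category()}  {asset.name}")
```

The threshold is the knob a team would tune in the brainstorming session: lowering it moves more assets into the second category, which is where outside services or extra employee time get allocated.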

Step Six: Assign Responsibility

It’s important to assign responsibility for information security at your company.

According to recommendations outlined in a McKinsey white paper on managing cybersecurity, there are three areas of responsibility to account for:

1. Technology. Technical capability is essential for countering cyber-attacks and for minimizing vulnerabilities. Therefore, technical spending is largely considered a must if you’re going to be running a business these days. Companies should be well-versed in security best practices. These can include limiting access to employees on a need-to-access basis, for example.

2. People. This is key, especially as bring-your-own-device policies expand the range of hardware that’s accessing company assets. Clear procedures need to be spelled out and communicated with all employees. Training is a huge component of taking responsibility for the ‘people’ aspect of IT security. Testing your employees for compliance with policies should be considered, too.


3. Processes and procedures. If attacks do happen, there should be clear procedures in place for handling them. Leaders need to know about attacks as soon as they happen so they can galvanize their teams to respond properly. This includes not only making sure everyone at your company knows about attacks, but also understands how they happen, and learns how to protect against them.

Step Seven: Establish Your KPIs

You’ve assigned responsibility for various aspects of cyber security. Now, how do you manage those roles? You’ll need a basis for checking performance, so your next step is to establish the key performance indicators (KPIs) for each of the three areas of responsibility outlined above.

1. KPIs for Technology. These are perhaps easiest to determine. Is your software updated? How long does it take for everyone in your organization to update their software after the update has been released?

2. KPIs for People. Has everyone completed their security training? Has everyone read the guidelines and signed off on them? Is everyone practicing safe email operation? Are personal mobile devices being used for work purposes? If so, does that violate your policy? If it’s allowed, do all personal devices adhere to security standards?

3. KPIs for Processes and Procedures. Is the data your company handles suitably encrypted? Is your website secure? If you operate using cloud services, is your system secure? Is data segmented properly?
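The three KPI groups above can be computed from the records an audit already produces. The block below is an added example for this page, not code from the guide; the host, employee and data-store records are constructed sample data, and the 30-day patch window, the review date and the field names are assumptions of the example. Unpatched hosts are deliberately counted with a latency that keeps growing up to the review date, so a host that was never updated does not silently drop out of the metric.

```python
from datetime import date

# Assumed target: a host should be updated within this many days of a release.
PATCH_WINDOW_DAYS = 30
# Assumed date on which the management review is run.
REVIEW_DATE = date(2018, 3, 1)
# Assumed date on which the vendor published the update being tracked.
RELEASE_DATE = date(2018, 1, 2)

# Constructed sample records (not real data).
HOSTS = [
    {"host": "ws-01", "patched_on": "2018-01-05"},
    {"host": "ws-02", "patched_on": "2018-01-20"},
    {"host": "srv-01", "patched_on": "2018-02-15"},   # patched, but outside the window
    {"host": "srv-02", "patched_on": None},            # still unpatched
]
EMPLOYEES = [
    {"name": "A", "training_done": True, "signed_policy": True, "byod": False, "device_compliant": None},
    {"name": "B", "training_done": True, "signed_policy": False, "byod": True, "device_compliant": True},
    {"name": "C", "training_done": False, "signed_policy": True, "byod": True, "device_compliant": False},
]
DATA_STORES = [
    {"name": "customer-db", "encrypted": True, "segmented": True},
    {"name": "backup-share", "encrypted": False, "segmented": True},
    {"name": "hr-files", "encrypted": True, "segmented": False},
]


def pct(part, whole):
    return round(100.0 * part / whole, 1)


def technology_kpis(release, hosts, today, window=PATCH_WINDOW_DAYS):
    """Patch latency per host; an unpatched host's latency runs up to today."""
    latency = {}
    patched_in_window = 0
    for h in hosts:
        if h["patched_on"]:
            days = (date.fromisoformat(h["patched_on"]) - release).days
            if days <= window:
                patched_in_window += 1
        else:
            days = (today - release).days   # still exposed, latency keeps growing
        latency[h["host"]] = days
    return {
        "patched_within_window_pct": pct(patched_in_window, len(hosts)),
        "worst_patch_latency_days": max(latency.values()),
        "unpatched_hosts": [h["host"] for h in hosts if not h["patched_on"]],
    }


def people_kpis(employees):
    """Training completion, policy sign-off and BYOD compliance."""
    n = len(employees)
    byod = [e for e in employees if e["byod"]]
    return {
        "training_complete_pct": pct(sum(e["training_done"] for e in employees), n),
        "policy_signed_pct": pct(sum(e["signed_policy"] for e in employees), n),
        "byod_users": len(byod),
        "byod_noncompliant": [e["name"] for e in byod if not e["device_compliant"]],
    }


def process_kpis(stores):
    """Share of data stores that are encrypted and properly segmented."""
    n = len(stores)
    return {
        "encrypted_pct": pct(sum(s["encrypted"] for s in stores), n),
        "segmented_pct": pct(sum(s["segmented"] for s in stores), n),
        "unencrypted_stores": [s["name"] for s in stores if not s["encrypted"]],
    }


def scorecard(today=REVIEW_DATE):
    """One report per area of responsibility, ready for the management review."""
    return {
        "technology": technology_kpis(RELEASE_DATE, HOSTS, today),
        "people": people_kpis(EMPLOYEES),
        "processes": process_kpis(DATA_STORES),
    }


if __name__ == "__main__":
    for area, values in scorecard().items():
        print(area, values)
```

Each function returns the names of the laggards (unpatched hosts, non-compliant devices, unencrypted stores) next to the percentage, because a percentage alone tells a manager that something is wrong but not where to send the follow-up.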

Step Eight: Set Up a Management Review Process

KPIs don’t help you much if nobody’s checking up on them. Establish a regular, routine review process. Managers, using KPIs and a benchmark, should submit assessment reports for their departments.

Step Nine: Get Your Contingency Plan in Place

If your organization does experience a major security attack, what will you do? Preparing for this outcome is similar to preparing for any Environmental, Health, and Safety (EHS) incident. You enter three phases of response:

1. crisis management

2. recovery

3. incident reporting

For crisis management, how will you react when something happens? Plan how you’ll communicate with employees and stakeholders. Then plan how you’ll approach your system response. Will you take your website offline if you suffer a DDoS attack?


Recovery will undoubtedly involve your IT people, whether they’re in-house or contracted. You’ll want to repair any damages to data and systems, then plug up the ‘hole’ that caused the vulnerability, then restore your system back to normal operation.

However you manage this last component (recovery), make sure it’s fast. The longer you wait, the more exposure you have to attacks.

Finally, you’ll want to draw up something akin to an incident report. Reporting on the circumstances that led up to the attack or the breach can prove to be valuable data when you’re revising your security plan. It’s also helpful for when you’re looking for ways to prevent future attacks.

You may also need to report to stakeholders. They’ll want reassurance that you understand the attack or the breach, so it’s less likely to happen again.

Conclusion

The bottom line is that every organization, no matter how small, has digital assets that are vulnerable and need protecting. Whether it’s via malicious hackers or careless employees, your company’s assets are at great risk if you don’t have an information security plan.

The steps outlined in this guide are simply a template for getting started with your plan. Every organization maintains its own set of unique digital assets and has its own set of vulnerabilities. While companies face similar cyber threats, each has to develop its own, specialized plan for security. The policies you create should be aimed at the employees you have, to protect the assets you hold, not those of some other organization.

We hope this guide has given you a foundation for creating your own information security plan—one that carries you through the coming years, and which will be adaptable as the threats evolve and your business grows.