Have you heard of the “Stop Keep Start” exercise? It’s a technique to evaluate the behaviors an organization is using to support a strategy. We’re using this questioning procedure to look at practices that support an effective cybersecurity strategy.
We started with recommendations for what businesses should stop doing to enhance security. Then we addressed the cybersecurity basics that every organization should keep doing. In this article, we’ll go into our recommendations for what businesses should start doing. Go through all three articles and document your findings to take the first steps toward a more effective cyber defense.
How to Step Up Security
1. Teach Employees About Their Security Responsibilities
If your frontline cyber defense is your people, then you had better make sure that they understand the importance of the role they play in safeguarding data and access to IT systems. Sit down with every individual employee, go through their security responsibilities, and make sure they understand what is expected. Consider having employees sign off that they know and understand those expectations.
2. Cybersecurity Awareness Training
Once people understand their role in security, equip them with training that enables them to fulfill their responsibilities. Ongoing cybersecurity awareness training is for everyone at every level of your organization. Phishing simulations are an important part of training, but so is training on the business processes that act as security controls, such as verifying requests for changes to financial procedures.
3. Get Strict About Permissions
Follow the Principle of Least Privilege when it comes to giving people access to data. Least privilege means that an employee’s access is limited to the information required for their role. Start with an audit of permissions to make sure that every job profile has appropriate permissions. Be careful when copying permissions from one person to another: verify that the copied access has not expanded beyond what the original profile, and the new role, actually require.
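A permission audit of the kind described above can be automated once each job profile has a documented baseline. The following Python example is added here and is not XPERTECHS code; the role names, permission strings and users are constructed sample data. It flags every user holding more than their role baseline allows, and shows a role-safe way to clone a profile that carries over only the permissions the target role needs.

```python
"""Least-privilege permission audit against per-role baselines.
Constructed example data; not tied to any real directory or ERP system."""
from dataclasses import dataclass, field

# Baseline = the permissions a job profile actually needs (constructed values)
ROLE_BASELINES = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve", "mail.send"},
    "sales": {"crm.read", "crm.write", "mail.send"},
    "helpdesk": {"ad.password_reset", "ticketing.read", "ticketing.write"},
}


@dataclass
class User:
    name: str
    role: str
    permissions: set = field(default_factory=set)


def excess_permissions(user, baselines):
    """Return the permissions a user holds beyond their role's baseline."""
    baseline = baselines.get(user.role)
    if baseline is None:
        # No documented baseline for this role: nothing is justified yet,
        # so every permission is reported for review.
        return set(user.permissions)
    return set(user.permissions) - baseline


def audit(users, baselines):
    """Return {user name: sorted excess permissions} for over-privileged users."""
    findings = {}
    for user in users:
        extra = excess_permissions(user, baselines)
        if extra:
            findings[user.name] = sorted(extra)
    return findings


def copy_profile(source, target_name, target_role, baselines):
    """Clone a source user's permissions into a new user in a role-safe way.
    Only permissions inside the target role's baseline are carried over;
    everything else is returned as 'dropped' so the reviewer sees what was cut."""
    baseline = baselines.get(target_role, set())
    carried = set(source.permissions) & baseline
    dropped = sorted(set(source.permissions) - baseline)
    return User(target_name, target_role, carried), dropped


# Constructed sample users. bob was "copied" from alice when he moved to sales,
# so an accounts-payable approval right came along with him.
SAMPLE_USERS = [
    User("alice", "accounts_payable",
         {"erp.invoices.read", "erp.invoices.approve", "mail.send"}),
    User("bob", "sales",
         {"crm.read", "crm.write", "mail.send", "erp.invoices.approve"}),
    User("carol", "helpdesk",
         {"ad.password_reset", "ticketing.read", "ticketing.write", "ad.domain_admin"}),
]


if __name__ == "__main__":
    for name, extra in audit(SAMPLE_USERS, ROLE_BASELINES).items():
        print(f"{name}: holds permissions outside role baseline -> {extra}")
    new_user, dropped = copy_profile(SAMPLE_USERS[0], "dave", "sales", ROLE_BASELINES)
    print(f"cloned {new_user.name} with {sorted(new_user.permissions)}; dropped {dropped}")
```

In a real environment the baselines would be maintained alongside the job profiles and the user list exported from the directory or application, but the check itself stays the same: anything outside the baseline is a finding, and a clone never silently widens access.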
4. Get Serious About Protecting Access to Online Accounts
Your employees’ corporate and online accounts are doorways to your data and IT systems. Lock them down with Multi-Factor Authentication (MFA) if you haven’t already. As good as MFA is, it’s not impenetrable if employees aren’t paying attention and inadvertently approve a sign-in prompt for an intruder. Good password management goes hand in hand with MFA. Newer technologies like Microsoft Intune add a device-level layer of security to account access.
5. Provide Company-Owned Equipment
If your employees are using their own equipment for work purposes, you don’t have the right to control everything that they do on those devices. It’s easier to lock down company-owned computers, phones and tablets and enforce your security policies. While you’re getting everyone outfitted with company-owned equipment, provide at least a minimum level of security on the personal devices that employees are using for work purposes.
6. Schedule an Annual Security Strategy Review
Cybersecurity is a process, not a project, and processes need to evolve as your organization and the cyber threat landscape evolve. Review your whole environment at least annually to make sure that you have the right tools in place and the appropriate licensing. In addition to reviewing your software tools, evaluate vendors for their suitability with your security tech stack.
7. Develop an Incident Response Plan
The last thing you want to happen when there’s a cyber incident is for your people to cry out, “What do we do now?” Create a response plan that addresses some likely scenarios, like a ransomware attack, that your organization might experience. Your plan should not only include immediate action steps but should also detail how your cyber insurance carrier can step in to help you with communicating to employees, customers, and stakeholders. Teach people how to play their part in the plan, then practice it to make it stick.
What to Do Next After a "Stop Keep Start" Security Evaluation
A "Stop Keep Start" evaluation of your cybersecurity practices can be very enlightening. Document your findings for each section and you’ll get some concrete next steps to improve security. Chances are good that many questions will arise during this process, and outside expertise can help you create a cybersecurity strategy that covers all the bases.
Up Your Security Game with Managed Security from XPERTECHS
Here at XPERTECHS, we work with clients to create cybersecurity strategies that enable them to effectively manage cyber risk. If you’re not confident that your organization can handle the cyber threats that are continuously evolving and increasing, you need a partner like XPERTECHS by your side.