Welcome to Cyber Security Today. It’s Monday, January 2nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Happy New Year to all of you.
My tradition since the podcast began is to start the first episode of the year with New Year’s Resolutions for IT and security leaders. Because you should resolve to do things more efficiently, more methodically and more strategically than last year. You need a cybersecurity plan.
I’m speaking to those of you in small and medium-sized businesses with fewer financial and human resources than large organizations.
You may not know where to start. So here’s some advice: Start at the end. Assume there’s been a breach of your security controls five minutes from now. Are you prepared?
Why start there? Because the beginning steps — which I’ll get to shortly — will take time. And time is what you don’t have if there’s a cyber incident. You need an incident response team, and an incident response plan.
First, the incident response plan has to be written, with several copies stored in a safe and accessible place for the incident response team. Why not on computer? Because the computer with the plan might be hacked, or encrypted.
Second, management and the IT team have to define when the incident response team should be summoned. It doesn’t have to be every incident. Many can be handled by IT alone.
Third, executives need to decide who should be on the incident response team. Membership is your choice. Obviously some or all of the IT security team. But also include someone from internal or external legal (because they will give the team legal advice), communications (because they will have the responsibility of communicating with employees, the media and clients) and perhaps someone from HR. It may also include experts from your vendors or an outside incident response specialist. The IT leader may be responsible for IT response, while an event investigator will gather data for forensic analysis. A team leader should also be appointed, and not necessarily the CEO.
Team members need to be on-call 24/7. When they can’t be — for a family reason, they’re on training or they are on vacation — there have to be designated alternates. Everyone on the team has to have several ways of being contacted in an emergency: phone, email or text. The contact information has to be kept up to date.
Remember, often cyber attacks start with email being compromised. So the initial message calling the incident response team to a meeting has to be carefully worded. For example, an email and text message might say, “There’s a meeting of the emergency team at the designated physical space,” or “at the designated virtual space.”
And because email might have been compromised it’s a good idea to have an emergency email account set up that is only used for incidents. Ideally, it will be provided by a separate internet provider. At the very least it will have a different name than the organization’s public email address.
Next, the plan should identify a designated place to meet. The easiest is the company board room, but any meeting room will do. Because of COVID or other reasons the team may have to meet virtually. If so, that has to be arranged in advance, and security measures such as passwords and access control must be in place before they are needed. For further messaging with the team that special email account will have to be used.
Meanwhile, the IT team has to prepare for the worst. They do that by having a “Go Bag” with at least one laptop devoted strictly to dealing with resurrecting the IT infrastructure remotely. It will include all the tools IT needs. And to cover all contingencies, the Go Bag should have a cellphone from a different provider than the one the organization normally uses.
Optimistically, doing these first steps might take two days.
This isn’t everything for the incident response plan. Management has to set out the responsibilities of team members. The IT department should start drafting ‘what-if’ scenarios — also called playbooks — so they are prepared for likely attacks. But at least the groundwork for the response team will be set.
As for the rest of the cybersecurity plan, it begins with making an inventory of all of the hardware and software under the organization’s control, as well as where all the servers with sensitive data reside. From there a patch management priority strategy needs to be worked out. There have to be policies for IT — and possibly business units — to follow on the secure configuration of hardware and software, for user identification, authorization and data access control, for employee training and for data backup and recovery.
I’ve only touched on what you should be doing to create a cybersecurity plan. The internet is full of free resources. Just type “create a cybersecurity plan” or “create an incident response plan.”
If you’re a small or medium-sized Canadian firm look at the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls. There’s also the U.S. Cybersecurity and Infrastructure Security Agency’s Cybersecurity Action Plan for Small Businesses.
The government of Canada’s Get Cyber Safe program has this guide for SMBs.
The Privacy Commissioner of Canada has this guide for protecting personal data for businesses that come under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
The U.S. Federal Communications Commission has this tip sheet.
Finally, heads of private and public sector organizations should remember two things: Cybersecurity is risk management. IT departments don’t do that. That’s your job. Second, you have to lead. If the organization decides on a policy, you have to be seen to be following it. No exceptions.
That’s it for now. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.