Article
How To Get Started on an Effective Cybersecurity Strategy for Your Business
The 3 questions you should ask to help you build the right security plan for your business
Many cyber attacks would have been preventable with better security in place. And yet, so many businesses aren’t doing what’s needed to mitigate risk, even when the fixes are easy to implement.
Approximately 80% of cyber attacks on At-Bay insureds involve at least one of the following risk factors:
- unpatched vulnerabilities
- uncontrolled remote access
- lack of multi-factor authentication (MFA)
- ineffective data backups
- usage of on-premise email infrastructure
Each of these risk factors is solvable with some basic security solutions. But often businesses struggle with figuring out where they should start to build the right cybersecurity strategy for their organizations? Here’s a quick primer to help you kickstart your cybersecurity planning:
A comprehensive cybersecurity strategy should answer the following 3 questions:
1. What Must You Do to Satisfy Legal and Regulatory Obligations?
Your cybersecurity strategy should start with what you are obligated to do. What does the law require of you and businesses in your specific industry?
Almost all businesses must contend with a patchwork of cyber regulations at all government levels, and your business may be subject to far more regulations than you are aware of. For example, a community college may have to consider the following legal and regulatory considerations:
- If the college has digitized its education records, it has to protect them under the Family Educational Rights and Privacy Act of 1974 (FERPA).
- If the college has a health clinic or collects any health information about students and stores it on a computer, it needs to be compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- If the college is lending money to students, handling financial aid, or making payments, then technically it’s a financial services organization, which makes it subject to The Gramm-Leach-Bliley Act (GLBA) of 1999.
Compliance failures can lead to steep, unnecessary fines and losses. For instance, a Georgia ambulance company was fined $65,000 after a federal investigation found that the company wasn’t compliant with HIPAA’s cybersecurity provisions.
If you’re in a regulated industry, you need to adhere to all of the laws, and you’ll need to do that by first establishing a robust set of security controls and a sound security program before you begin to consider the following 2 steps in your strategy.
2. What Should You do to Satisfy Stakeholder Expectations?
While legal and regulatory compliance can help you establish basic security hygiene and stay compliant, new and emerging threats must be handled continuously to protect your business continuity.
As a baseline, you should do your due diligence to meet the expectations for your particular industry. Stakeholders could have different security expectations for a bank vs. a gas station, but each has its own industry standard. Threat analysis should keep pace with the defensive expectations for your industry and address the top concerns and threats impacting similar companies. But where can you get that data?
A best-in-class InsurSec provider like At-Bay, with a well-developed point of view about what’s expected in your industry, can leverage its insurance claims data and cybersecurity expertise to identify what threats are likely to affect your business. It can then help you develop an iterative cycle of threat identification and analysis to ensure that security keeps pace with stakeholder expectations for defense, and the evolving threat landscape.
Keep in mind that security control parity with industry peers should be a guidepost, but not a desired end-state. The security of other organizations in your field is likely not as strong as it should be, which is where the third and final consideration comes into play.
3. How Can Cybersecurity Enable Your Organization to Meet its Objectives?
Many businesses want to skip steps 1 and 2 and begin building their cybersecurity strategy from step 3. However, it takes a high level of organizational maturity and resources to move beyond basic legal/regulatory requirements and implement best-in-class security strategies and tools.
Once you have established basic cyber hygiene, you can begin to use cyber capabilities as an enabler for other parts of your business — for example, leveraging cybersecurity to separate yourself from the competition, as a catalyst for further internal technological improvements, or lower costs for your organization’s overall IT maintenance.
Let’s take a look at the foundational needs of a robust cybersecurity strategy:
Always Start with the Basics
Before you explore how cybersecurity can enable your organization, you have to establish basic security hygiene. The following 3 key controls can significantly boost your organization’s security immediately:
Deploy an Endpoint Protection Solution
Apply comprehensive Endpoint Detection and Response (EDR) protection throughout your technology environment. This enables the identification of malicious behavior, tactics, and software as well as any remediation needed for rapid containment of incidents.
A 2022 study conducted by the University of Cambridge on security control effectiveness found that “malware defenses” would have been effective in blocking approximately 51% of the incidents analyzed. A defense like EDR can help organizations identify security breaches as they happen, facilitating a quick response to discovered or potential threats.
Perform Regular Remediation of Vulnerabilities
Efficiently patching vulnerabilities decreases the risk of a damaging incident. The longer organizations leave vulnerabilities unpatched, the more likely they are to be attacked, and patching is an easy way to minimize an organization’s attack surface.
As an insurance provider, At-Bay knows that the presence of vulnerabilities is a reliable indicator of the state of security in general. Attackers can use botnets to automate and industrialize the process of finding and exploiting known vulnerabilities, making cyber attacks increasingly low-effort.
Patching is (usually) free, yielding the best possible ROI from investment in security controls. Again — partnering with an InsurSec provider who offers Active Risk Monitoring can help organizations keep up with the vulnerabilities that affect them and can provide support to help organizations implement patches efficiently and effectively.
Secure Your Email
Deploying a top-performing email security solution for your email and/or moving from an on-prem email provider to the cloud are both critical. The security of an organization’s email infrastructure is a significant determinant of overall risk — in fact, email incidents accounted for 50% of At-Bay’s customer claims in the second half of 2022.
According to At-Bay claims data, on-prem email solutions have a 2.5X higher rate of claims compared to the leading cloud email solution. Why are cloud email solutions so much more secure? Security in the cloud operates on a shared responsibility model, and most organizations can achieve better security by sharing responsibility with the “landlord” than they could on their own.
