After every shock or atrocity, there is a time of recoil.
A moment of - What was that?
This pause happens whether it's an event of world significance, a purely personal one, or a cybersecurity incident.
What happens next is crucial. Recoiling is OK, as long as the next step is to refocus, review, and restart forward progress.
In cybersecurity, business-level reviews don't have to be complex - there are only four questions:
- Do you know what you're protecting?
- Do you know your boundary of accountability?
- Do you know who has access?
- Do you have a backup plan?
It may be easy to breeze through these questions with a flat - Yes! Of course. But there are some depths to consider.
Do you know what you're protecting?
It covers data - safeguarding personally identifiable information (PII), trade secrets, and commercially sensitive records.
It also covers the hardware and software assets your business owns.
If you have an automatically generated asset list, this part is easy.
Do you know your boundary of accountability?
When your people and equipment were in one place, this was easy. But now that every company uses SaaS products and service providers, the question is - Where did we put our data?
The first step is gathering a list of your service providers and SaaS products.
But then also - How does the data flow through the system?
Did someone send a copy of all personal data to an insecure email account - "just in case"?
Do you know who has access?
In the ideal model, people have either everyday working access or privileged accounts that grant elevated access only when required.
In reality, new people join a thriving company or leave for a new adventure, so integrated people processes for joiners, leavers, and changers are essential.
But what about the unintended access?
Weak passwords can be guessed. Staff can be tricked into giving access to hackers via social engineering and malware.
Weak technical configurations and design flaws can grant access, like an unlocked front door.
Did you lock your front door earlier? Does it have a 5-lever lock?
Do you have a backup plan?
In an ideal world, you wouldn't need to think about this - but then reality strikes.
Does your team understand how to investigate and respond to a security incident? Do they have the tools?
They'll need an audit log to understand the scope and scale of the situation, and a "known good" backup to recover data and reinstate processes.
And don't forget - technology fails. Servers, laptops, phones - just break.
But the worst culprit is spinning hard drives. They last 3-5 years, after which the mechanical bearings fail. And without functional bearings, the data cannot be read from the drive.
Periodic reviews are always helpful in taking the temperature of a cybersecurity programme, and defects in each area can be fixed via short-term, one-off projects.
However, the secret to effective and sustainable cybersecurity is embedding each task into a repeatable, business-as-usual process that runs as a background task.