Business Journal Ask the Expert Column – November 2019

Our company has decent cybersecurity protocols, but it seems like we’re always playing catch up. What do you recommend to help us be more proactive than reactive?

For many companies, cybersecurity has become a priority, but it hasn’t been fully integrated into company culture and practices. Just as most companies finalize budgets and formalize plans for the following year during Q4, the same should be done with cybersecurity. By folding cybersecurity into the standard business planning model, you give yourself the best chance of staying ahead of cyberthreats. Here’s a starter list of five “must do” items to consider when planning for the upcoming year:

1. Make Cybersecurity Funding A Priority Budget Item. Cyberattacks represent the number one threat to virtually every business in our current economy, yet budgeting for cybersecurity remains a subordinate entry in most corporate budgets and financial plans. Burying the cybersecurity budget as a line item under IT or general risk management is an outdated and dangerous practice, given the sophistication of the professional criminals and state-sponsored groups now targeting businesses.

To ensure your organization is properly protected, cybersecurity needs to be properly funded. Your cybersecurity plan should be Board-directed and have its own budget allocation, sized according to the threats you face, your risk tolerance, the size of your organization, and the types of data stored within your systems and networks.

By making cybersecurity a financial priority, you also make it an enterprise-wide priority. The days of tucking a few dollars for cybersecurity into another department’s budget are over; there is simply too much at stake.

2. Review Your Internal System Inventory. A system inventory of the infrastructure your company owns, all the way down to the individual workstations in use, is critical. You cannot patch, monitor or defend a system you don’t know you have. A current inventory allows your team to respond quickly when an incident occurs and makes sure critical systems are accounted for.

Q4 is the perfect time to retire the old and outdated systems in your inventory. You wouldn’t expect a flip phone to take 12-megapixel photos, but we still expect outdated machines to run at peak operating speed and hold critical information for our companies, often long after the vendor has stopped shipping security patches for them. Take the opportunity to clean up these old systems and go into the new year with a fresh inventory of what is on your network.

This should also include cleaning up your inbox. Business Email Compromise continues to be the leading cause of Personally Identifiable Information (PII) and other sensitive information leaking from companies: once an attacker is inside a mailbox, every message and attachment stored there is exposed. Most of these emails have not been touched in over a year, but we keep them in our inbox “just in case”. Archive old emails, and move important attachments out of the mailbox into properly controlled storage.

3. Test Your Backups, And Then Test Them Again. Too many backups sit on corporate networks without ever having been tested. If your company has never restored from a backup, then you very likely do not have working backups. These backups could be lifesaving for your organization in the event of a breach or ransomware incident. However, if you find out they don’t work in the middle of an incident, then every penny invested in backups was for nothing.

Another very important note: if your backups are reachable from the internal network, then a bad actor who has gained a foothold on that network can reach them too. In the large majority of cases SpearTip responds to, we find ransomed backups. If you don’t also keep copies stored off-network, where they cannot be reached or overwritten from production systems, then there is a very good chance your backups won’t stand up to a basic ransomware attack and definitely will not stand up against an advanced attacker.
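As an added example (not from the column or from SpearTip), here is the smallest version of “test your backups” worth automating: take a backup of a sample directory, record a checksum manifest at backup time, restore the archive into a fresh scratch directory, and compare every restored file against the manifest. The sample files, archive name and directory names are constructed for the illustration; the same pattern applies to whatever backup tool you actually use, as long as the restore goes to a location that is not the live data.

```shell
#!/bin/sh
# Added example, not part of the original column: a minimal restore test.
# Back up a directory, record a checksum manifest, restore the archive into
# a scratch directory and verify every file against the manifest.
set -u

# make_sample DIR - populate DIR with constructed sample data (not real data)
make_sample() {
    mkdir -p "$1/finance" "$1/hr"
    printf 'Q4 budget: cybersecurity line item\n' > "$1/finance/budget.txt"
    printf 'employee,id\nalice,1001\nbob,1002\n' > "$1/hr/roster.csv"
}

# write_manifest DIR OUT - checksum every regular file under DIR, with paths
# relative to DIR so the manifest compares equal wherever it is restored.
# cksum is POSIX; swap in sha256sum if you want a cryptographic digest.
write_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done) > "$2"
}

# backup_dir SRC ARCHIVE MANIFEST - record the manifest, then archive SRC
backup_dir() {
    write_manifest "$1" "$3"
    tar -cf "$2" -C "$1" .
}

# verify_restore ARCHIVE MANIFEST - restore into a fresh scratch directory,
# never over the live data, and compare the result with the manifest.
# Prints OK or FAIL; returns 0 on success, 1 on any mismatch or tar error.
verify_restore() {
    scratch=$(mktemp -d)
    if ! tar -xf "$1" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        echo FAIL
        return 1
    fi
    write_manifest "$scratch" "$scratch.manifest"
    if cmp -s "$2" "$scratch.manifest"; then
        rc=0; echo OK
    else
        rc=1; echo FAIL
    fi
    rm -rf "$scratch" "$scratch.manifest"
    return $rc
}

# demo - a good backup verifies; a corrupted archive is reported as FAIL
demo() {
    work=$(mktemp -d)
    make_sample "$work/data"
    backup_dir "$work/data" "$work/backup.tar" "$work/manifest"
    printf 'intact archive: %s\n' "$(verify_restore "$work/backup.tar" "$work/manifest")"
    printf 'garbage' > "$work/backup.tar"   # simulate a damaged or ransomed archive
    printf 'damaged archive: %s\n' "$(verify_restore "$work/backup.tar" "$work/manifest")"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh restore_test.sh demo` to see one passing and one failing check. The point of the manifest is that it is written at backup time and kept with the off-network copy, so a restore that silently produces different files (truncated, older, or encrypted by an attacker) is caught rather than discovered during an incident.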

4. Refine Corporate Policies. Institute a zero-tolerance policy for credential sharing and credential reuse. Under no circumstances should multiple employees share accounts or passwords; if they do, you lose the ability to know who actually accessed data across your enterprise, and that knowledge is essential. Credential reuse is also an open door for criminals. If someone uses the same password in multiple places, then once it is compromised anywhere it can be replayed against every other service where it is used, Pandora’s Box is open, and your entire operation could be at risk.

5. Conduct An Annual Cybersecurity Review. Just as employees have annual reviews, so too should your cybersecurity plan. Examine your defenses, your strategies and your cybersecurity provider. Make sure your provider is delivering value and keeping pace with threat development and technology. You should also move your cybersecurity posture from one of simply monitoring to Monitored Detection and Response. After all, it does little good to know an incident has occurred if your cybersecurity provider can’t respond and mitigate the threat quickly, effectively and permanently.

For more information on preparing your company’s 2020 cybersecurity plan, feel free to contact SpearTip or reach out to me personally. If you have a question that you’d like answered here in the Business Journal, email it to [email protected].