In a world where we’re all connected, we reap the benefits of high-speed communication, nearly 24/7 resource access, and the ability to serve customers far and wide. We also accept the drawbacks, which include the ability of cybercriminals to reach us from anywhere in the world.
Acceptance does not mean resignation, though. There are ways to methodically reduce your attack surface and build a fortress that makes your business an unappealing target. Lucky for you, we’re not in the 1990s when the internet was new and people were navigating things on the fly. Let’s learn from the ones before us (courtesy of the UK’s National Cyber Security Centre and the US’s Cybersecurity and Infrastructure Security Agency) and figure out how to build that fortress.
1: Know what’s important
Every company must first understand what they stand for and what they need to protect. You will share commonalities with other companies based on the type of business you’re in. In the financial sector, for example, when money is essentially encoding bits on a machine, you bet there’s a fortress of fortresses. Likewise, in the healthcare sector, when treatment plans depend on carefully diagnosed data, any manipulation of patient databases should never occur. On an enterprise level, the effects can compound: devastatingly, a 2021 ransomware attack shut down a hospital in rural Illinois, US.
Knowing the details is important: where is your critical data residing? Is it on-premise or on the cloud? What form is it in? Consider all data that is legally regulated as well. If you’re serving customers who live in the European Union (EU), you are subject to the laws of the General Data Protection Regulation (GPDR). Technology will help you automate this task; data loss prevention solutions can examine content and identify data such as credit card numbers and personally identifiable information (PII).
2: Find your gaps and close them
Resources are limited so being strategic about the solutions will you serve you best. The way to start is by starting from the data you want to protect and mapping the paths to access them. This will include areas like authentication (which can give you the biggest bang for the buck if you don’t have multi-factor authentication (MFA) yet) and encryption. You can deploy network and endpoint detection and response solutions to monitor and detect traffic.
Cloud networks make security a little harder. By outsourcing services to another vendor, you naturally lose control and visibility. Your employees may forget to implement MFA or host sensitive data on an unsanctioned SaaS application. To minimize this gap, consider the services of cloud access service brokers (CASB), who can enforce security policies and monitor sensitive data between employees and the cloud.
3: Keep the lights on
One day, you may very well be hit with a cyber attack that cripples you for a bit. Not to worry, though, if you have a backup and recovery plan in place. What do you need to keep running as a business, and how can you sustain while you put out the fires?
A couple solutions exist here, and you might implement one or all depending on your resources and the criticality of having data up and running. Systems can be architected to disperse data across multiple geographic servers, which cloud providers often do. Backups are always good to have, and having offline versions (updated regularly) can be most effective as a stop-gap between an attacker who’s able to move between machines. Testing your plan will help simulate real-world environments as well, as any machines left standing must be able to carry the load of the ones that have been compromised in such an incident.
4: Execute your plan and re-assess
Assuming you’ve got a game plan and the resources to execute, it’s time to put theory into practice. Starting with one step at a time and fully integrating it will ensure that your solutions work without accidentally taking your system offline to flesh out the details. Keep in mind that resources aren’t just financial; make sure you have the right talent to not only deploy but also sustain your technology solutions. This talent may not (and probably won’t) come easy; consider hiring the services of cybersecurity specialists who can manage these operations for you, such as a Managed Security Service Provider (MSSP).
As the situation changes—as cybercriminals modify their techniques, your business grows, and everyone ups their defenses—keep track of your cybersecurity posture to ensure it can scale while still being robust and secure against attackers. Reference your cybersecurity framework to cover your bases, from identifying key assets to keeping systems resilient. Can you always be better? Sure. But you’ll know you’ve done your due diligence and you have a path forward to keep your customers and company happy while your business continues to grow.