9 Steps to an Effective Cyber Security Plan

There is not a day that goes by that you do not read in the paper or hear on television that some company has been the victim of cyber crime. The alarming thing is that for every incident you hear about, there are probably six more that have happened that you don't hear about. There are many reasons why companies don't report breaches, probably the biggest of which are the damage to their reputation and the cost of properly handling the situation. Ponemon Institute recently reported that each record lost cost the company $201.

Here are 9 Steps to an Effective Cyber Security Plan.

1. End User Education and Awareness. IBM did a recent study that showed that 95% of all data breaches were caused by human error. A company must produce user security policies covering acceptable and secure use of the organization's systems. It must also establish a staff training program and maintain user awareness of cyber risk.

2. Develop a Home and Mobile Work Policy. In today's work-from-anywhere environment, more and more people are communicating and working from home, coffee shops, hotel rooms and anywhere else they have an Internet connection. The company must develop a mobile work policy and train staff to adhere to it. The policy must include a baseline for what access a mobile user has to protected data. It must also require security controls and encryption on every device that has access to protected and sensitive data.

3. Systems Security Patching and Inventory of Assets. Knowing what types of devices are being used is critical to overall cyber security planning. The company must also know what software is installed on all of these devices and provide security patching for all of it. Some companies handle the Microsoft portion of this but often neglect other applications such as Chrome, Java, Flash, Adobe and the many other applications that are common on almost every system.

4. Removable Media and Cloud Data Controls. Tens of thousands of records could be copied onto a USB drive or uploaded into an employee's personal Dropbox in a matter of minutes. Companies must have a means of preventing their sensitive data from being copied onto USB removable media and onto the many cloud sync services that are available.

5. Manage and Monitor User Privileges. Establishing account management processes and limiting the number of privileged accounts are vital to securing the network. Setting up alerting for when new user accounts are created or permission levels are changed is also essential.
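One way to implement the alerting that step 5 calls for, as an added example that is not from the article: a small Python rule that evaluates Windows Security events for account creation (event ID 4720) and group membership additions (event IDs 4728, 4732 and 4756) and escalates when the group is a privileged one. The event records, the privileged-group list and the simplified dict field layout are constructed sample data, not output from a real system.

```python
# Added example: alert on account creation and privilege changes using
# Windows Security event IDs. Events are constructed sample dicts.
from dataclasses import dataclass
from typing import Optional, List

# Real Windows Security log IDs:
#   4720 - a user account was created
#   4728 / 4732 / 4756 - member added to a security-enabled
#          global / local / universal group
ACCOUNT_CREATED = {4720}
GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Groups whose membership changes always warrant a high-severity alert
# (assumed list; tailor to your environment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    actor: str
    detail: str

def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for the events step 5 says must be alerted on."""
    eid = event["EventID"]
    actor = event.get("SubjectUserName", "?")
    if eid in ACCOUNT_CREATED:
        return Alert("medium", eid, actor,
                     f"new account {event['TargetUserName']} created")
    if eid in GROUP_MEMBER_ADDED:
        group = event["TargetUserName"]  # for these IDs this field is the group
        member = event["MemberName"]
        sev = "high" if group in PRIVILEGED_GROUPS else "low"
        return Alert(sev, eid, actor, f"{member} added to {group}")
    return None  # everything else (logons, etc.) is ignored by this rule

def scan(events: List[dict]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # ordinary logon
    {"EventID": 4720, "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Administrators", "MemberName": "CORP\\svc_backup2"},
    {"EventID": 4728, "SubjectUserName": "hr_admin",
     "TargetUserName": "Sales", "MemberName": "CORP\\asmith"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.event_id} by {a.actor}: {a.detail}")
```

In practice the same rule would be fed from the Security log (for example via a log forwarder) rather than a hard-coded list, and a new account followed within minutes by an Administrators addition from the same actor is the pattern worth reviewing first.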

6. Incident Management. Knowing who to contact in the event of a data breach is essential to a timely data loss prevention response. Every company must establish an incident response and disaster recovery plan and keep it updated. This plan must be tested quarterly to ensure its viability in the event that it is needed. Special attention should also be given to changing laws that may affect the policy.

7. Network Monitoring. You can't manage what you can't see. The combination of the number of systems in an environment, the incredibly fast pace of today's business world and the multitude of hats that the average business owner wears makes it impossible to stay on top of the changes happening in the network. A good cyber security monitoring plan would ensure that security patches are being applied to all software, that notification is raised when software is installed on or uninstalled from existing systems, that desktop malware protection is functioning properly and is up to date, and that a successful backup and disaster recovery program is being monitored.

8. Layered Security Plan. Often I meet with clients and their only line of defense is their desktop antivirus. In today's environment that would be like an intruder having breached the gate on the drive, slipped past the guard dogs, knocked in the front door and now ramming the bedroom door. An effective policy must have multiple layers, such as spam email filtering, a next-generation firewall, DNS security and finally an approved desktop security suite with antivirus and malware protection.

9. Yearly Breach Audit by a Professional. Security is one of the fastest-changing parts of technology today. In a recent article, Trend Micro stated that 2016 is going to be the year of extortion. A company must be vigilant in its defense, and part of that vigilance is having a professional security expert perform a yearly cyber security audit. This will keep data loss and breach in the forefront as well as mitigate liability for the company.

Developing, defining and communicating your information risk management regime is central to your organization's overall cyber security strategy. Today's business environment requires every business to be vigilant in protecting not only its own data but also the data of its clients.

Phillip D. Long

Business Information Solutions, Inc.

For more information email at or call at 251-923-4027.