Your customers’ businesses are the primary targets of cyberattacks. Small and midsize businesses account for 62% of all known cyberattacks, and the true percentage is assumed to be higher because many attacks go undetected. Beyond the growing number of network-connected devices, the threat is expanding with more IoT devices, which introduce additional security vulnerabilities.
The following 10 Point Plan provides a framework for developing a security practice for this new security landscape. It is based on federal and state compliance regulations, such as HIPAA and Sarbanes-Oxley, and on contractual requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).
Today, security compliance is no longer a question. It’s a business requirement:
- Executive commitment
Start at the top. Federal regulations and contractual agreements require executive-level sign-off. The same rule applies to IT security compliance, since some federal fines alone can start at hundreds of thousands of dollars a month—per breach and over time. Begin by identifying your customer’s executive-level sponsors and have them name an executive-level chief compliance officer. These two roles eliminate the debate over how much your customer spends on security and simplify organizational decision-making.
- Identify compliance requirements
Your customer should identify the federal and state regulations that apply to their company, such as HIPAA and Sarbanes-Oxley, and, if applicable, their Payment Card Industry Data Security Standard (PCI DSS) contractual compliance obligations.
- Conduct a threat analysis
Conduct an up-to-date threat analysis to identify the advanced threat actors in your industry, as well as new malware variants and threat vectors.
- Estimate potential consequences of a data loss
Identify what would happen to your customer’s organization if a data breach occurred. Estimate the costs incurred if their data is lost for an hour, a day, or a week. Also factor in the loss of business reputation, and attach a financial figure to each of those consequences. This is as much a business plan as it is a prediction of the return on preventing future losses.
- Define the IT security vulnerabilities
Conduct network and wireless penetration tests and social engineering assessments.
- Perform a gap analysis
From your data-loss estimates and IT security vulnerability assessments, perform a risk calculation or gap analysis. It shows the difference between your customers’ obligations to protect their data and where their IT security stands today, and it identifies the countermeasures needed to close that gap.
- Define an IT security vulnerability mitigation plan
This may include refining your customer’s policies and procedures; strengthening email protection; enhancing DDoS and website protection; establishing perimeter protection, including closing unused ports and protocols; IPS and IDS analysis and intervention; and establishing a data loss protection program.
- Implement the plan
Implement the plan incrementally, planning for minimal downtime and testing after each increment to ensure there are no incompatibilities or unintended consequences.
- Perform training and testing
Now start training your customer’s IT staff and users, including how to recognize phishing emails, avoid clicking unfamiliar URLs, and report anything suspicious.
- Schedule a periodic review
Finally, just as a business revisits its business plan, regularly revisit the vulnerability and threat assessments and the gap analysis. Review changes in data usage, emerging threats, and changes in vulnerabilities, and update the gap analysis as needed.
Once your customers achieve compliance, they achieve approvable security.