5 steps to a better cybersecurity program

Are you responsible for cybersecurity for your company and not sure where to begin to ensure your program is up to the test of a cyberattack? Or, perhaps you are not directly responsible for cybersecurity, but as a manager you want to understand the risks? Cybersecurity can be complex and confusing, but there are some basic steps that can help you develop a more robust cybersecurity program.

Recommended actions for your program may include:

1. Take a complete and accurate inventory of your IT assets.

Security of any type is concerned with protecting assets. In the case of cybersecurity, those are information assets. But how can you begin to protect those assets if you don’t know exactly what and where those assets are?

Having a complete inventory of your information assets is a great starting point for any cybersecurity program. Get a complete and accurate network diagram. Maintain a ledger of all devices connected to that network including applications, operating systems and version numbers for each device.

2. Have a vulnerability management and patching program tied to your inventory of assets.

Knowing where each network device resides is only half the battle. It is even more important to always know the vulnerability status of each device, so run automated vulnerability scans of the entire network at least monthly, preferably more frequently. Review the vulnerability reports and apply the recommended patches as quickly as possible.

Vulnerabilities are what hackers are seeking in your network because, when left unpatched, they can be exploited in such a way that the hacker can take control of that device, establish a network presence, and eventually find their way to other valuable assets on the network.

3. Conduct an awareness and training program for all users.

The users of a network – the employees, vendors, contractors and customers – can be your greatest vulnerability in terms of cybersecurity. And again, as vulnerabilities, they may be targeted by hackers via phishing or social engineering scams in order to get them to do something – reveal private information, transfer unauthorized funds or expose a password – that eventually compromises network security.

Educate your users. Publish an “Acceptable Use Policy.” Train users on safe email and browsing practices and how to recognize social engineering scams. Teach them how to create a complex, easily remembered password. Investing in user awareness will not cost much compared with other components of your cybersecurity program, but the return on investment can be substantial.

4. Continuously monitor information assets.

Continuous security monitoring is recommended for your network. Most, if not all, devices on your network are capable of generating continuous log data reporting activity on the device at any point in time. By aggregating, correlating and inquiring on this data, indicators of compromise may prompt an alert to the network administrator or security official, resulting in quick threat eradication.

Managing one’s own Security Operations Center (SOC) or contracting to a Managed Security Services Provider (MSSP) can be costly and technically complex, incorporating state-of-the-art data science, data enhancement and current threat intelligence. As an alternative, Zurich now offers all cyber policyholders, through a third party, an option for continuous security monitoring* for up to fifty devices as part of their policy.

5. Plan for incident response.

Assume something will go wrong, no matter how good your cybersecurity program is. Your overall plan should define who takes the lead, who is on retainer for outside assistance (legal, forensic, law enforcement), and internal and external communication in responding to a cyber incident. Have a “playbook” for different scenarios: data breach, IoT intrusion, ransomware, etc. Once you have the plan and the playbooks, practice them, test them and fine-tune them.

Starting with the basics and building upon them goes a long way in helping to protect your company in case of a cyber event.

*ZenOpz is not a subsidiary or affiliate of Zurich and use of their products and services is independent from any Zurich products or services. Zurich expressly disclaims any and all damages and other costs that may arise related to the use of or reliance upon the products, services, representations or warranties made by or on behalf of ZenOpz.

Legal Disclaimer: The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy. Your policy is the contract that specifically and fully describes your coverage, terms and conditions.