Cybersecurity Documentation Strengthens and Clarifies Incident Response
Not an IT Problem — It’s a Business Problem
The potential for cyberattacks that cripple computers and networks is among the top issues that keep C-level executives up at night.
So, why is it that most businesses have no written cybersecurity documentation? Among the financial reports, operational reports, marketing plans and human resources policies that are staples in management meetings at most companies, a report on the cyber safety status of financial data and network security is missing.
A recent study of penetration testing involving financial organizations, fuel and energy organizations, government agencies, industrial businesses and other sectors showed that cyber attackers could breach network systems in 93% of attempts. Many security executives say they are unprepared for the threats that lie ahead, and the increasing use of cloud-based technology – which rose rapidly during the COVID-19 pandemic – makes organizations more vulnerable.
No doubt, the lack of IT and cybersecurity documentation and reporting is, in part, attributable to the reality that many executives and non-IT managers don’t understand technology and simply trust that the IT department would know what to do if disaster struck.
But it does not always work that way, as many companies from local retailers to global corporations have discovered. In essence, cybersecurity is no longer just an IT problem. It is a business problem.
Why Documentation is Essential
An essential first step to safeguarding your IT system is to create sound documentation and performance metrics.
Documentation enables everyone on the team to know the current cybersecurity status of your system and what’s being done to address vulnerabilities. It should include policies that affect everyone in the organization, like instructions about such safeguards as multifactor authentication and how to recognize suspicious emails. Most importantly, the documentation should spell out the steps to be taken if a cyber incursion were to occur.
A documented cybersecurity plan works hand in hand with a protocol of regular vulnerability scanning and penetration testing to identify which safeguards need to be improved and demonstrate to company leadership that the system is as secure as possible. A written cybersecurity plan also contributes to communication across departments, reinforcing that everyone in the organization has a role to play in keeping the system safe.
Key Elements of a Cybersecurity Plan
A documented cybersecurity plan should include several key elements:
- A technology road map that includes an asset inventory and hardware replacement schedules going out three years.
- A description of the security tools and practices that are in place.
- An incident response plan detailing steps to be taken for both minor and major incursions.
- A business continuity plan spelling out recovery time and utilization of backed-up data in the event of a major incursion that shuts down the business.
- A plan for protecting backed-up data and ensuring it is safe from cyber threats.
- A technology use policy.
Timing is Everything
One of the most important features of a documented cybersecurity plan is a response timeline in the event of a cyber incursion. A rapid response can help minimize the damage and, depending on the safeguards you have in place, possibly prevent a cyber attacker from accessing any data at all.
New vulnerabilities are discovered every day, and a cybersecurity plan must spell out how that information will be monitored and factored into your system’s security. No organization is 100% safe, but the idea is to get as close as you can.
Your plan should include timelines. If a major new threat is discovered, what is your timeline for responding with vulnerability scans and evaluation of your hardware and software? Can you assess the internal threat within 10 days or 15 days? That may be too late, because when a new widespread vulnerability is reported, hackers and cyber attackers worldwide are actively checking for it within minutes.
Your automated patch system is a key part of your cybersecurity plan, but are you following up on it? A patch system that runs every 30 days is fine, but you also need to see if all computers accepted the patches, and then test the patches and document the results.
The Metrics of Cybersecurity
Applying new safeguards, responding to newly discovered vulnerabilities, testing patches, training employees in cyber-safe practices and documenting everything – these are the metrics of an effective cybersecurity plan. They should be reported to the CEO regularly, just as the company’s financial results are, to reinforce the message that cybersecurity is not just an IT issue anymore. It is a key business solution that plays an essential role in a company’s operations.
A shift is occurring today in the way vulnerabilities are monitored that promises to heighten any cybersecurity protocols a company may have in place.
In addition to traditional endpoint protection, new artificial intelligence tools are emerging that detect what is moving across a network. These tools learn to understand movements and events that are different from the norm in a given network, assessing where the movements are coming from, how fast they are moving and how they are acting.
The data generated by the AI tools is then reviewed by a Security Operations Center (SOC) team to determine if the movement is malicious or harmless. If it’s malicious, the team can isolate the movement in the system – sometimes down to a specific computer – and lock it down so the harm does not spread.
Whether or not a company invests in such AI tools, the configuration of its security tools should be discussed in the cybersecurity plan.
Who Has Documented Cybersecurity Plans?
To date, very few companies have documented cybersecurity plans, and those that do are mostly in regulated industries where documentation is required.
But with the significant increase in cybercrime every year, awareness is growing and there are templates available to help companies get started on their cybersecurity plans. No one has to start from scratch.
Some business insurers that offer cyber insurance require cybersecurity documentation in order to buy coverage, and businesses are starting to respond. While documentation isn’t required by all insurers currently, it’s possible it will be required in the future. Cyber insurance grew 74% in 2021 to more than $4.8 billion in sales.
Contact your Adams Brown advisor if you would like to discuss putting together a cybersecurity plan for your organization.