IT professionals working at table together in office on cybersecurity

Action plan to reduce the threat of cyber risk

Solutions to move your strategy forward

Protecting an organization against cyber threats is often viewed as an overly complicated and highly technical challenge. While that is often the case and there are important technical aspects of cybersecurity defenses that organizations must have in place to have a comprehensive defense against attacks, the most impactful defenses are simply day-to-day actions and general awareness.

There are eight steps your organization can take to reduce the chances for threat actors to exploit the human errors that exist within your digital environment.

  1. Know the environment – Organizations should understand where they have protective measures in place and what vulnerabilities are associated with those measures. Running vulnerability scans regularly is a great way to understand whether a company is susceptible to potential threats.
  2. Keep backups safe – If a threat is interfering with an organization’s system and attempting to hold them for ransomware, having a secure backup prevents the threat from escalating and allows the company to recover its environment effectively.
  3. Implement a patch management program – Companies should patch their vulnerabilities and be aware of where vulnerabilities remain unpatched. Don’t allow decisions to leave something unpatched to be made in isolation. Instead, involve the entire organization as opposed to a singular department so there is perspective on how that decision will threaten the organization as a whole.
  4. Build a secure aware culture – Information comes from the top. An organization should ensure everyone, from board members to the lowest-level employees, stays well informed about existing cyber threats and takes necessary steps to safeguard themselves and the organization. This education is most effectively reinforced through a security awareness program that educates the workforce on an ongoing basis, instilling best practices like not writing credentials underneath their keyboard, how to avoid clicking on phishing links, not sharing information with people or using shared accounts.
  5. Access control and authentication – To prevent breaches, a company should have good password credentials and hygiene and use third-party or multi-factor authentication when using higher-risk or Internet-facing accounts. Protect the credentials that are most critical to the organization or that have the most ability to broadly access the IT landscape.
  6. Monitor, detect and respond – Establish a monitoring program to identify incidents and gather reports that can be shared with the appropriate authorities. This doesn’t have to be high-end if there is a monitoring capability in place so that anomalies can be identified, investigated and prevented in the future.
  7. Implement an incident response plan – Resilient organizations recognize the importance of having a disaster recovery plan for natural disasters or political disruptions, and this same principle extends to cyber response. The two cyber incidents that should be included in a response plan are ransomware and either business email compromise or fraudulent payment. It’s also important to run the scenario in a tabletop exercise. Pull all the relevant individuals together and practice who will call who to simulate the scenario and make sure everyone is prepared.
  8. Get cyber insurance – Cyber insurance has become much more particular in the past few years as far as what coverage is being provided. Shop around to get the best value for the investment and be aware of the limitations in the cyber insurance program chosen, such as a capped liability to ransomware incidents or payments.

All of these steps are practical, human-driven things that can be implemented in any organization to give the presence of a hard target and the ability to respond in a timely and appropriate manner to any incident that may occur. Cybersecurity is the entire organization’s responsibility and implementing these human behaviors can go a long way in protecting the organization from potential threats.

Joe Shusko
Procurement: Higher education internal audit back-to-basics​ video series
Next up

Procurement risks and controls