In a recent webinar, Cybersecurity challenges for not-for-profits, the following topics were discussed:
- The impact of data breaches to organizations
- How cyber criminals are attacking your organization
- Developing and formalizing an incident/breach response plan
- What your organization can do to reduce cybersecurity risks
- The role of the board in cyber-risk oversight
As mitigating cyber risks is top of mind, cyber specialist Mike Cullen answered a few questions that many organizations are asking. These answers can help you raise awareness about cyber risks within your organization and start developing a plan to address the risks.
How do I know where to focus my resources and efforts when assessing my organization's cybersecurity landscape?
- Begin with a risk assessment to identify the larger risk areas and issues that may exist within your organization
- Perform walkthroughs with key information technology (IT) professionals, business users, and other leaders to understand their cybersecurity practices
- Risk-rank the gaps in practices to determine where to focus your time and resources to address those risks
How can I raise awareness within my organization about cybersecurity and the risks that exist?
- Begin at the top – Build a security culture that encompasses all departments and operations since cybersecurity is not an IT issue, it is an organizational issue
- Advance your knowledge – Stay up to date with cybersecurity leading practices and standards (e.g., NIST, SANS, ISACA)
- Establish governance – Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization (especially senior management) and to regulatory agencies and industry organizations
- Conduct ongoing training – Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy
What exercises can be performed to gain a feel for how my organization would handle suspicious activity or identified breaches?
- Perform social engineering exercises attempting to trick employees into giving up their usernames and passwords
- Conduct a breach response exercise and go through the steps of your plan to evaluate its effectiveness
What are some of the key components of an effective cybersecurity management program?
- Data classification – Identify high risk or regulated data and establish data handling procedures
- Security control implementation – Establish a control framework to standardize protections for your data and systems
- Regular review of security control performance – Periodically evaluate security controls to determine whether they are operating as intended
- Breach preparedness planning and testing – Develop a breach response plan and test it regularly
- Cyber insurance – Evaluate the organization’s cybersecurity program and decide whether to transfer certain risks through a cyber-insurance policy
What can I do to strengthen my organization’s cybersecurity program with limited resources?
- Hire external help to evaluate your program, identify risk areas, assist you in addressing the risks, and provide independent and objective perspectives and recommendations