Publications

Building a cybersecurity plan for your company

March 2019

Today’s pirates have traded gold for data, and rather than sailing the seven seas, they surf the web looking for vulnerabilities. Companies are exposed on several fronts, with no choice but to invest in protection against insidious attacks by cybercriminals. In order to invest wisely, the first step is to detect gaps and assess the cybersecurity risks that threaten your network.

Many IT security companies play on clients’ fears to sell them expensive solutions. Rather than panicking and purchasing the first firewall or antivirus software you find, what can you do instead?

  1. An inventory is your best tool

When it comes to cybersecurity, the most important thing is not to panic. Before taking action, you need a clear snapshot of your IT system. Software, servers, network components, databases, dataflow: taking an in-depth look at your ecosystem enables you to make informed decisions.

First, group your assets into broad categories. For example, information related to client data or accounting. The objective here is to sort the categories based on their level of importance. Which ones are critical and need to be protected at all costs?

Next, itemize the business processes corresponding to the categories you’ve identified. Take payroll for example, which involves tasks like entering timesheets, processing pay, depositing cheques, generating reports, etc. Each of these actions is linked to a database, which is itself stored on a server.

With this information, it’s easy to see how your IT infrastructure interacts with your business methods. Taking an overview of your company’s operations makes it possible to clearly identify risks and security requirements.

For each category of information assets, draw up a list of potential risks. Continuing with the example of payroll, we can explore a specific scenario. Some data is absolutely necessary to complete the payroll process (timesheets, salary information, etc.). The primary risk is that, at the end of the pay period, either the data will be inaccessible or the computers used to carry out the process will be out of service.

Based on your inventory of the steps in the process and the assets involved, you can now easily implement measures that address this problem—acquiring backup servers or saving copies of data, for instance.

The chosen solution should account for three elements:

  • Severity of the risks
  • Upper management’s expectations
  • The company’s vulnerability to attacks

To guide you through the needs assessment process, we suggest you first try answering the following questions.

  • What are your concerns about your current IT system?
  • What type of data do you work with (financial, personal, etc.)?
  • What is the major risk most likely to interfere with the services you deliver?
  • Is it a risk of breach, fraud, loss of reputation?
  • What is the main challenge when it comes to protecting your clients’ data?
  1. Updating security patches

Now that you have a clear vision of your IT infrastructure, take some time to check if any security patches have been released for your systems. Hackers will often attack by exploiting system weaknesses, no matter how minor.

The 2017 WannaCry fiasco is a perfect example. Cybercriminals targeted a known vulnerability in the Windows operating system and hijacked the data of organizations who either hadn’t updated their OS or were using a version that was no longer supported. A number of major players were hit. Renault was even forced to shut down production at several factories, and the worldwide economic damages resulting from the attack were estimated in the hundreds of billions of dollars!

By scanning your servers and installing security updates, you can patch holes that put your systems at risk. Register for updates from supplier websites to ensure you hear about vulnerabilities right away. Pay attention, because even minor changes can impact the stability of your IT environment.

  1. Managing change

Your vulnerability correction strategy needs to be supported by a change management process, which means coordinating and aligning modifications to your IT systems so they do not interfere with other elements. This enables you to prevent service interruptions resulting from updates.

Change management also lets you advise users of upcoming systems maintenance so they can work around it. Finally, you can track and keep a record of updates, making it easier to pinpoint the source of issues when they arise.

  1. Penetration testing

Once you’ve laid the groundwork for your protection plan, think about carrying out penetration tests (or “pen tests”). By simulating an attack on your system, these tests identify flaws to be addressed. The objective is not to fix everything all at once, but to take stock of vulnerabilities so you can develop a strategy.

Prioritize the risks that expose you to the most severe consequences. Evaluate the available solutions and choose the best one based on the inventory you drew up. Once again, no need to panic! A reactive response can lead you to spend much more than you have to.

  1. Access management

The last step to be carried out internally is to take inventory of the login codes for your ecosystem. This enables you to identify unnecessary permissions and minimize risks related to the disclosure or breach of sensitive information.

Make sure that passwords for critical systems are changed on a regular basis and impose security requirements to ensure they are difficult to decrypt. A procedure must also be implemented to deactivate an employee’s login as soon as they leave the company.

All of these initiatives boil down to one crucial element: understanding your IT systems. Taking inventory of your assets and processes is the cornerstone of effective security protocol. Our advice: Before purchasing a security product, explore your ecosystem!

Not sure where to start? We’re more than happy to offer our guidance.

***

Follow us on LinkedIn

Our Facebook page