The 9 Key Elements of Cybersecurity

Defending Your Digital Kingdom.

Adrian Eaton
Tech Review
8 min read · Feb 10, 2024



Many people think of cybersecurity as a monolithic “Yes/No” thing that you either have or you don’t.

Cybersecurity actually encompasses many different elements. We can categorize these different pieces of IT infrastructure security into 9 key areas:

  1. Cybersecurity Governance, Policies, and Procedures
  2. User Identity and Access Management
  3. Network Device Security
  4. Endpoint Device Security
  5. Data Protection
  6. Third-Party Protection
  7. Business Continuity and Disaster Recovery Plan
  8. Regulatory Compliance
  9. Continuous Improvement

If you read that list and have no idea where to begin, the best place to start is with a Cybersecurity Audit.

A high-quality readiness audit will assess your company’s current cybersecurity posture by examining infrastructure, policies, procedural guidelines, and actual behaviors of team-members. A cybersecurity audit will identify potential vulnerabilities and offer improvements to your network.

Cybersecurity audits also have a financial payoff. Many companies today are required to carry cyber-insurance, and insurers increasingly price premiums on the controls an assessment can document, such as MFA everywhere, endpoint protection, and tested backups; a positive assessment could significantly reduce your rates.

Depending on the size of your organization, cyber-insurance could cost tens to hundreds of thousands of dollars each year. And with the recent increase in cyber-crime, insurance premiums are going up. Evaluating, documenting, and continuously improving upon your cybersecurity is an investment that will yield massive dividends.

The worst time to look into cybersecurity is after something bad happens.

A preemptive audit will identify any potential weaknesses in the essential areas of your IT infrastructure. It will provide insight into how you can improve the 9 key elements of cybersecurity:

1. Governance, Policies, and Procedures

Do your cybersecurity policies cover all relevant areas of your network? Do you have standards for access control, data protection, network security, physical security, personnel security, and incident response?

How do you manage access to software applications when new users join or leave the team? What are your industry’s data retention requirements for personnel?

How effective are your current policies at mitigating cybersecurity threats? Does leadership lead by example? What resources are dedicated to enforcing cybersecurity?

Good IT governance ensures your technology aligns with organizational goals and regulatory requirements. Formal policies and procedures set clear standards, and standardized processes let an organization conduct business with its cybersecurity risks known, owned, and managed rather than ignored.

2. User Identity and Access Management

Identity and Access Management (IAM) is an essential part of IT cybersecurity that ensures every person has access to the right resources for the right reasons.

A key part of IAM is managing the onboarding/offboarding processes of team-members. Access to sensitive systems and organizational applications must be robustly managed. An IT MSP can help with User Account Provisioning and De-Provisioning as needed, including compliance with your Federal, State, and Local regulations for data retention.

Role-Based Access Control (RBAC) assigns permissions to roles rather than to individuals: a new hire receives the roles of their position and a leaver loses them, which streamlines IAM for positions with rapid growth or regular turnover. The catch is role creep. Review roles when people change jobs, so that access from a previous position does not quietly accumulate.
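As an added illustration (not code from the article), here is a small role-based access control model in Python together with the joiner/mover/leaver handling described above and a reconciliation check that catches accounts nobody disabled. The roles, job titles, accounts and HR roster are constructed sample data; a real deployment would pull the roster from the HR system and the account list from the directory.

```python
from dataclasses import dataclass, field

# Role -> permissions. Anything not listed here is denied (deny by default).
# Constructed sample data for the example.
ROLE_PERMISSIONS = {
    "helpdesk": {"tickets:read", "tickets:write"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance":  {"ledger:read", "ledger:write"},
    "admin":    {"iam:manage"},
}

# Job title -> roles granted automatically on onboarding (constructed).
TITLE_TO_ROLES = {
    "Support Specialist": {"helpdesk"},
    "Software Engineer": {"engineer"},
    "Accountant": {"finance"},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


def is_allowed(account: Account, permission: str) -> bool:
    """Deny-by-default check: a disabled account has no rights at all, and an
    active one has exactly the union of its roles' permissions."""
    if not account.active:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in account.roles)


def onboard(directory: dict, username: str, job_title: str) -> Account:
    """Joiner: roles come from the job title; an unmapped title grants nothing."""
    if job_title not in TITLE_TO_ROLES:
        raise ValueError(f"no role mapping for title {job_title!r}; grant nothing")
    acct = Account(username, set(TITLE_TO_ROLES[job_title]))
    directory[username] = acct
    return acct


def change_role(directory: dict, username: str, new_title: str) -> Account:
    """Mover: replace the role set rather than add to it, so access does not accumulate."""
    acct = directory[username]
    acct.roles = set(TITLE_TO_ROLES[new_title])
    return acct


def offboard(directory: dict, username: str) -> Account:
    """Leaver: disable the account and strip its roles (keep the record for retention)."""
    acct = directory[username]
    acct.active = False
    acct.roles.clear()
    return acct


def reconcile(directory: dict, hr_roster: set) -> list:
    """Findings an auditor would want: active accounts with no HR record (missed
    leavers or hand-made accounts) and accounts holding roles that are not defined."""
    findings = []
    for name, acct in directory.items():
        if acct.active and name not in hr_roster:
            findings.append((name, "active account with no HR record"))
        for role in sorted(acct.roles - set(ROLE_PERMISSIONS)):
            findings.append((name, f"unknown role {role!r}"))
    return findings


def demo():
    """Constructed scenario: two joiners, one mover, one leaver, and one account
    created by hand outside the process."""
    directory = {}
    onboard(directory, "alice", "Software Engineer")
    onboard(directory, "bob", "Accountant")
    onboard(directory, "carol", "Support Specialist")
    change_role(directory, "carol", "Software Engineer")          # mover
    offboard(directory, "bob")                                    # leaver handled correctly
    directory["dave"] = Account("dave", {"admin", "legacy-ops"})  # never went through onboarding
    hr_roster = {"alice", "carol"}                                # bob and dave have left
    return directory, reconcile(directory, hr_roster)
```

The reconciliation is the part most organizations skip: run it on a schedule against the HR roster, and every finding is either a leaver whose access outlived them or a privileged account nobody is accountable for.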

Multifactor Authentication (MFA) is an element of IAM that adds security by requiring a second factor beyond the password: something the user has (an authenticator app, a hardware security key, or a phone) or something the user is (a fingerprint), so that a stolen password alone is not enough to log in. Prefer phishing-resistant methods such as FIDO2 security keys over SMS codes, which can be intercepted or phished.

3. Network Device Security

Physical and virtual parts of your network infrastructure should be considered, including firewalls, switches, access points, servers, virtual machines, remote access and VPN security, and encryption standards.

There are many 24x7 monitoring tools that provide a variety of automated security functions. It is important to have suspicious-traffic monitoring and mitigation processes in place. And keeping network equipment updated matters more than most people expect: firewalls, VPN gateways, and other edge devices are directly exposed to the internet and are a favourite entry point, so a vulnerability in their firmware is exploited quickly once it becomes public.

Often, bugs or vulnerabilities in software are discovered and patched by the vendor. But unless you actually install the update, you remain at risk; attackers routinely scan the internet for devices still running the vulnerable version.
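One form of suspicious-traffic monitoring, as an added example rather than a tool mentioned by the article: a detector that reads firewall log lines and flags a source that touches many distinct ports in a short window (a port scan) or is denied repeatedly against one service (password guessing). The log format and the log lines are constructed for the example; real firewalls each have their own syntax, so the regular expression would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example:
# "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect(events, scan_ports=10, scan_window=60, deny_threshold=5):
    """Return alerts: ("port_scan", src, distinct_ports) when one source touches at
    least `scan_ports` distinct ports within `scan_window` seconds, and
    ("repeated_denies", src, "dst:port", count) when one source is denied at
    least `deny_threshold` times against the same destination service."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding time window over this source's events, counting distinct destination ports.
        ports = defaultdict(int)
        start, peak = 0, 0
        for e in evs:
            ports[e["dport"]] += 1
            while (e["ts"] - evs[start]["ts"]).total_seconds() > scan_window:
                old = evs[start]["dport"]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            peak = max(peak, len(ports))
        if peak >= scan_ports:
            alerts.append(("port_scan", src, peak))

        # Repeated denies against a single destination service (e.g. SSH guessing).
        denies = defaultdict(int)
        for e in evs:
            if e["action"] == "DENY":
                denies[f'{e["dst"]}:{e["dport"]}'] += 1
        for service, count in denies.items():
            if count >= deny_threshold:
                alerts.append(("repeated_denies", src, service, count))
    return alerts


def sample_log():
    """Constructed sample: one port sweep, one SSH guessing burst, some normal traffic, one bad line."""
    lines = [f"2024-02-10T10:00:{i:02d} DENY src=203.0.113.5 dst=192.0.2.10 dport={20 + i} proto=tcp"
             for i in range(12)]
    lines += [f"2024-02-10T10:05:{i * 5:02d} DENY src=198.51.100.7 dst=192.0.2.20 dport=22 proto=tcp"
              for i in range(6)]
    lines += [f"2024-02-10T10:10:{i:02d} ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp"
              for i in range(3)]
    lines.append("this line is malformed and must be skipped rather than crash the parser")
    return lines


def run_sample():
    return detect(parse(sample_log()))
```

The thresholds are the tuning knobs: too low and a vulnerability scanner you run yourself trips the port-scan rule every night; too high and a slow scan spread over hours never does. Whatever the tool, the mitigation step (blocking the source, or at least paging someone) has to be decided before the alert fires.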

4. Endpoint Device Security

This area covers antivirus and malware protection for your users’ workstations, patch management, and mobile device management.

Do you currently have antivirus software in place? On all endpoint devices?

Are patches applied in a timely manner? Are critical patches prioritized?

For some organizations, Mobile Device Management (MDM) is an additional consideration. There are many tools to securely manage mobile devices (including Microsoft Intune), and depending on complexity it may be helpful to partner with an IT MSP to deploy and manage an MDM solution.

5. Data Protection

Data protection covers data classification and ownership, encryption and key management, data backup and restoration procedures, and data leakage prevention.

Do you have an adequate data classification scheme in place? Are data owners clearly identified?

How is data encrypted at rest and in transit? How are encryption keys managed, and are they stored separately from the data they protect, so that whoever copies the data does not get the keys with it?

How often are you taking backups? Where are backups stored? And how often are you testing restores?

It is also important to implement security measures that prevent data leakage and clear policies that manage data sharing and remote work.

6. Third-Party Protection

Third-party protection includes vendor risk management, cloud security, and third-party application security.

Your network security isn’t just about you. Unfortunately, we have to consider the entire supply chain you’re working within. Your vendors, distributors, partners: how securely is information shared with each of them, and what access do they hold into your network?

Third-party security also covers the applications you run. In 2023, a SQL-injection vulnerability in the popular MOVEit Transfer file-transfer software was exploited at scale by the Cl0p extortion group and resulted in the largest known data breach of that year. There is often not much you can do about data once it has been leaked, but robust third-party application security (timely patching, exposing as little of the application to the internet as possible, and monitoring it) can minimize how much sensitive data is compromised. And a securely architected network can segment important systems from other operational systems, so that a compromised file-transfer server cannot be used as a springboard to your critical systems.

7. Business Continuity and Disaster Recovery Plan

The previous steps have been about preventing bad things from happening. But sometimes bad things do happen, such as ransomware attacks, in which attackers encrypt files (in a single application, on a server, or on every machine they can reach), frequently copy sensitive data out first, and then demand payment to restore access and to not publish what they took. Demands range from a few thousand dollars for small businesses to tens of millions for large enterprises.

The only way to recover from a ransomware attack is to be ready for one.

Once the encryption has run, assume the originals are gone: there is no bypassing the ransom note, and free decryptors exist for only a minority of ransomware families. Assume too that the data (your saved files, stored passwords, potentially payment information) may already be on the attackers’ servers, since many crews exfiltrate before they encrypt. Data protection, meaning encryption at rest with keys the attacker cannot reach, can keep some of that data unreadable to them. But what gets you back to business is a tested incident response plan and recent, isolated backups.

These preparedness plans go by several names, and while they overlap they are not identical: an incident response plan says who does what from the moment an attack is detected, a business continuity plan keeps critical operations running during the outage, and a disaster recovery (DR) or backup-and-restore plan gets systems back. Together they are often referred to as a business continuity and disaster recovery (BC/DR) plan.

At the core of all of them is the same discipline: back up server configurations, firewall configurations, wireless controller configurations, and all of your data to a cloud replication service and/or a physical backup device, and keep at least one copy offline or immutable so that ransomware which reaches the network cannot encrypt the backups too. Set your Recovery Point Objective (RPO, how much data you can afford to lose, which bounds how old the newest backup may be) and Recovery Time Objective (RTO, how long restoration may take).

This way you can wipe any machine that is affected or infected by ransomware, restore from backup, and continue on as normal. Test the restore regularly; a backup that has never been restored is an assumption, not a plan.
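The restore-testing advice in the Data Protection section and the backup-and-RPO discipline here come down to the same check, so one added example (not code from the article) covers both: build a checksum manifest of a source tree at backup time, verify a restored tree against it, and test whether the newest backup is recent enough to meet the RPO. The files, the simulated bad restore and the timestamps are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Store this manifest alongside the backup; a restore is checked against it."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> list:
    """Compare a restored tree with the manifest taken at backup time.
    Returns (path, problem) pairs; an empty list means the restore is complete and intact."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems


def rpo_met(newest_backup_iso: str, now_iso: str, rpo_hours: float) -> bool:
    """True if the newest backup is recent enough that a restore loses at most `rpo_hours` of data."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(newest_backup_iso)
    return age <= timedelta(hours=rpo_hours)


def demo():
    """Constructed scenario: back up a small tree of configs and data, then simulate a
    restore in which one config file was altered and one data file never came back."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        files = {                                   # constructed sample files
            "configs/firewall.cfg": "interface wan\n  acl deny any any\n",
            "configs/switch.cfg": "vlan 10 name servers\n",
            "data/customers.csv": "id,name\n1,Example Corp\n",
        }
        for rel, text in files.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        manifest = build_manifest(src)

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        with open(os.path.join(restored, "configs", "firewall.cfg"), "a") as f:
            f.write("  permit any any\n")                           # altered after backup
        os.remove(os.path.join(restored, "data", "customers.csv"))  # never restored

        return verify_restore(manifest, src), verify_restore(manifest, restored)
```

The manifest has to live somewhere the ransomware cannot reach, or it will be encrypted along with everything else; the same offline or immutable copy that holds the backups is the natural place. The RPO check is the one to automate and alert on: if the newest backup is older than the RPO, you have already lost more than you agreed to lose, before any incident happens.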

It’s important to conduct a thorough sweep of your network in the event of a ransomware attack to identify any potential lingering malware.

Attackers will often leave a foothold behind and keep it quiet. For example, they may plant a backdoor on your firewall or VPN appliance and then take down your domain controller. So even after you recover from the attack and think you are safe, they can watch any changes you make to the firewall configuration and walk back in. Rebuild compromised devices from known-good firmware images rather than restoring their old configurations blindly, and rotate every credential the attackers could have seen.

One healthcare giant, for example, was hit twice by the same hacker group about a month apart. It’s important to remember cybersecurity is an ongoing process and requires continuous vigilance.

8. Regulatory Compliance

It’s important to understand all the Federal, State, Local, and International regulations that apply to your organization. Then make sure your IT governance policies capture all of those requirements, and your organization actually adheres to the policies.

Common examples of data regulations include HIPAA (Health Insurance Portability and Accountability Act), CCPA (California Consumer Privacy Act), the EU GDPR (General Data Protection Regulation), and the specific parts of the U.S. Code of Federal Regulations (CFR) that apply to your industry; HIPAA’s own Privacy and Security Rules, for example, are codified at 45 CFR Parts 160 and 164.

A healthcare company called Doctors’ Management Services was hit by ransomware, data for over 200,000 people was exposed, and the company was required to report the breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR’s investigation found potential HIPAA Security Rule violations, including the absence of a thorough risk analysis, and the company paid $100,000 and agreed to a corrective action plan to settle. In the aftermath of a cyberattack, the last thing you want to worry about is a penalty for your (lack of) regulatory compliance.

9. Continuous Improvement

Cybersecurity isn’t a one-time action item to check off your list and never think about again. It is an ongoing process that requires continuous maintenance, reassessment, and improvement to protect your company’s sensitive data.

Take the time to analyze your infrastructure, think like a hacker, and continuously evolve your cybersecurity to keep up with evolving cyber-threats.

Conclusion

Most Cybersecurity Audits will conclude with a Cybersecurity Roadmap of suggestions and potential improvements to your IT infrastructure. At a minimum, it is best practice to refresh your network to align with the cybersecurity audit recommendations. Ideally, companies implement a continuous improvement mindset to implement the latest cybersecurity protections as they become available.

