This post on questions that drive your cybersecurity strategy is the second post in our new Security Lessons series. To start from the beginning, read “What we learned as a ransomware victim — so you don’t become one.”
Your Cybersecurity Strategy Foundation: The Business Impact Analysis
In my last post, we talked about the importance of a layered approach to cybersecurity. However, there’s an important step you need to take before considering the tools and tactics that make up a strong security defense in each of the individual layers.
Every organization — particularly highly sensitive ones, such as CPA firms and healthcare clinics — needs to begin its security review by developing a business impact analysis. Running any business comes with risks, and each business has its own unique challenges and needs.
Before you can think about how to keep your business “safe,” remember that your cybersecurity strategy depends on understanding your business impact. Pause and ask the following critical questions so you can more pragmatically determine how to build the right level of resilience into your organization, regardless of how big or small your business is. Your answers will be influenced by your industry, the size of your business, your risk tolerance, and how you handle business risks and objectives. The more you ask uncomfortable questions when there isn’t a crisis, the more likely you’ll be to avoid business-shattering consequences.
No one wants to put themselves at risk for a cybersecurity attack. But a cybersecurity strategy that consists of the “strongest security measures available” in each layer quickly adds up to a very expensive investment that requires a dedicated security team to manage. A business impact analysis can provide you with meaningful data to determine which security areas you want to invest most in.
Risk Analysis and Tolerance Drive Cybersecurity Strategy
Your cybersecurity strategy will grow and evolve over time — this isn’t a one-time exercise. As your business, clientele, and technology change, so will your security requirements. By sitting down periodically (we recommend at least annually) with key stakeholders, you can identify new risks and prepare a plan based on current business activities. Simply having the discussion will help you weather the storm — whether that’s a literal storm, a figurative one (such as the COVID-19 pandemic), or more commonly, malicious hackers seeking profit.
We put together these 9 questions to help you make your business more resilient, even during periods of stress.
1) What is your risk tolerance?
Step one is to take a step back and really evaluate your risk tolerance. How much can your business withstand and still come out the other side? Which aspects of your business are mission critical and which are impactful but not devastating? Are there times of the year (for example, tax season for CPA firms) when a disruption or security incident has an outsized impact? What are customers’ expectations of you, and how tolerant will they be if you can’t meet them?
On the business operations side, do you have data or systems that make up your “secret sauce” or other ways you differentiate from your competition?
By answering the above, you’ll be able to more accurately map your business priorities and objectives to information security and disaster recovery efforts. Your answers change if you’re worried about 24/7 availability of your clinic, protection of sensitive patient or client data, or filing client tax returns by the deadline. It’s easy to get caught up in the day-to-day priorities of just doing business. However, if you don’t understand your risk tolerance and how that relates to your business priorities and objectives, you can’t make a cybersecurity strategy (and plan!) that ensures you meet them.
2) Do you know what kind of data you hold and where you hold it?
Closely related to the first step is understanding exactly what kind of data you hold and where it’s being held. If you haven’t already conducted one, you’ll want to go through a data classification exercise. Part of minimizing your security risk is reducing the threat surface and centralizing what you can so that sensitive data isn’t scattered in multiple places.
For accounting firms and healthcare organizations, nearly all the data you hold is sensitive, but it might not all be stored in the same place. Your scheduling system, for instance, might just have names and contact information classified as Personally Identifiable Information (PII), but not social security numbers or Protected Health Information (PHI). Breaching that system would still be problematic, but the ramifications would be significantly different.
By clearly mapping out what data you hold, how sensitive it is, and where you hold it, you’ll be able to decide, on a system-by-system basis, how much you can afford to invest to secure the data held within a particular application.
3) What steps have you taken to secure the tech stack that your business relies on?
In most industries today, operating a business requires a blend of technologies, and unfortunately, these technologies are vulnerable to different types of malicious attacks. With few exceptions, you rely on information technology systems to communicate within your organization, deliver your services, protect client identities and data, and meet deadlines. That means that you need to think about how to secure those systems to keep your business running smoothly.
There’s a minimum level of security you absolutely have to have regardless of the system, but based on the data classification exercise, you likely have systems that you want to have much tighter security controls around due to the type of data they hold.
Your decisions will drive IT investments, architecture decisions, and management of IT assets. They will also help you create a security policy (SANS provides several security policy templates), including how to access your network remotely, a password policy, and a social media policy. Your tech stack enables you to run your business, and securing it with the appropriate security solutions and policies keeps it running smoothly.
4) What steps do you need to take to plan for disaster recovery?
The past year has illustrated just how important it is to have a plan. Did your company have a plan for a pandemic? Few did, but considering basic disaster recovery plans as part of your overall cybersecurity strategy helps with a lot of the same questions. Do you need to be able to contact patients or clients if you lose access to your company network? Is there information you’ll need immediate access to, such as emergency contact lists? Can your employees work remotely? Do your employees need to be able to work remotely during an emergency?
A policy for remote working helps with natural disasters, pandemics, and personal emergencies. You’ll also want to consider the criticality of the services you provide and how much of it can be conducted remotely. An accounting firm may be able to conduct the majority of its business and client interaction remotely, whereas there are some patients at a healthcare clinic who absolutely have to be seen in person. Based on that, you may be willing to or need to invest in a secondary set of infrastructure that you can fail over to in case of a disaster…or you may decide that it’s worth risking a few hours or days of downtime to save on the high ongoing costs of a secondary site.
Disaster recovery plans describe how you and your team can get back to work quickly after an unplanned incident to help you minimize the impact on your business and decide which investments make the most sense to keep your business running when the unexpected happens.
5) How long can your business be down without catastrophic consequences?
To help you make your disaster recovery plans, you need to consider downtime. It may not seem likely if your systems are primarily hosted in the cloud, but it could still happen. For example, ransom-driven distributed denial of service attacks are on the rise, taking organizations of all sizes offline. Regardless of the reason for downtime, you need to know how long your systems can be offline before it significantly impacts your business, and plan accordingly. That may mean backup storage in the cloud or offline, and determining how long it will take to recover files from storage to resume normal operations. You’ll also need to decide which systems to prioritize and which ones aren’t essential. When you’re planning, there’s a lot to consider:
- What does it cost your business to be down for 15 minutes?
- What about being down for a day?
- What’s the cost of keeping a site recovery option, with full failover (meaning your systems go down and switch immediately to a backup — with no downtime)?
- Do you need full environmental failover, or does application failover provide enough functionality for your business?
- If you need to be able to get back online immediately, do you need to pay for that functionality year-round, or are there specific times that it’s worth paying for?
In the abstract, more security and immediate failover always sounds like a great idea, but in reality, while it’s possible to have near 100% site recovery, the costs for that are likely to be more than double what you’re currently spending. You need to really weigh the likelihood of risk and the cost of downtime against the cost of immediate recovery.
Making clear-eyed decisions about this when you’re not under extreme stress will help you make choices that work to keep your business functional long into the future. And the reality is that by NOT making a decision about this, you’re still making a decision. If you haven’t prioritized your critical systems now, then when a disaster hits, it will be too late to take action.
6) Does your cybersecurity strategy need to consider industry regulations you need to comply with?
Different industries have different regulations that impact your business operations and requirements.
For example, the risk of missing deadlines is significant for certified public accountants. Federal tax filing dates usually don’t shift just because your organization experienced an outage. In fact, an ill-timed outage might incur fees and penalties that you’d have to cover for your clients. Additional state regulations may also impact CPAs, necessitating broader awareness of compliance issues.
In healthcare, there are significant risks related to HIPAA/HITECH, MIPS, and MACRA compliance. In addition to requirements to protect patient privacy, there are financial considerations; if you can prove that you’re in compliance, you receive payments, but if you can’t prove it, that can impact your payments — and your bottom line.
For the legal industry, downtime results in clear practical risks; if you can’t access documents, you can’t meet client requirements. The biggest risk in the legal industry, however, is data exposure. Clients hold legal counsel to a high standard, and expect that any information about them remains protected, regardless of cyberattacks or data breaches. 
7) What risks can you solve with technology?
While headlines about data breaches and cyberattacks might lead you to think that technology only causes risks, it can actually solve them as well. Managed service providers can take a lot of the technology questions off your plate, but you still have some responsibilities that technology can help with. This blog series will help you understand more about how to protect your mission critical assets through policy management, monitoring and response, data security, application security, endpoint security, network security, and perimeter security.
8) Are you transferring risks to others?
If you’re outsourcing, make sure you ask your third-party providers about how they protect you and your business. Does your outsource partner have controls and plans in place that meet your business requirements? Have they invested in third-party audits like SOC 2 to validate their security measures?
Simply asking these questions will help you understand what to expect from outsourced services and what you need to handle internally. If you don’t know who’s responsible for handling a risk, chances are that no one is.
9) What risks do you solve with internal training?
Training seems like a minor issue, but it can solve big problems. Employees make innocent mistakes, and your training and policies can significantly reduce those risks. You’ll benefit by training employees in basic security principles, such as requiring strong passwords, discussing appropriate internet use, establishing rules for handling and protecting customer information, and avoiding phishing and other social engineering attacks. Internal training can prevent a lot of confusion, and even cyberattacks, which will save you time, money, and stress.
Build a framework that makes your business more secure and resilient
Upfront planning and thoughtfulness around what is critical to you as a business owner will help you build a cybersecurity strategy and information security framework for what to do in case of emergency, regardless of what that emergency is. And you can keep it up to date by just having a regular check-in to see how your answers to these questions might have changed.
Over the next several posts in this “Security Series”, we’ll cover many of the security basics you need, including a Risk Assessment Checklist that will help you understand areas for improvement.