A big part of establishing good cybersecurity is to perform frequent self assessments. While these self assessments vary in scope, they often revolve around the policies and controls that an organization has put into place. For example, an organization might evaluate its ability to detect an unauthorized device connecting to the network or to prevent malware from executing. These types of security assessments are undeniably important, but oftentimes they overlook the bigger security picture. This article covers the five most important cybersecurity questions that your organization should be asking.
1. If I were a hacker, what would I do?
One of the surest ways to secure your company is to think like the people who are trying to breach its defenses. This mindset moves you away from “checking boxes”, for example ensuring that your organization has solutions for patch management, anti-malware, encryption, and so on, toward thinking about security holistically. Viewing your network from the standpoint of a cybercriminal can help you identify where vulnerabilities and protection gaps exist within and among those defenses.
2. What would be the worst-case outcome for a cyber attack?
A second critically important cybersecurity question relates to the worst-case outcome of a cyber attack. When answering this question, avoid falling into the trap of giving a quick, pat response, such as “losing all of our data.” Yes, losing all of your data would be bad, but what does that really mean? For example, what if the attacker exposes all of your most sensitive information to the internet, causing the organization to incur millions of dollars in fines as a result? Thinking deeply and critically about worst-case scenarios, and about how they would affect not only the business itself but also customers and partners, will help you determine the safeguards that need to be in place.
3. Is compliance giving the organization a false sense of security?
Regulatory mandates such as HIPAA and PCI focus heavily on cybersecurity. These and other regulations contain long lists of things that covered entities must do to ensure security, recoverability and business continuity. The problem with these types of regulations is that it is possible for an organization to be compliant without truly being secure. Think about it for a moment: how many stories have you heard of healthcare organizations being fined because they suffered a data breach or in some way leaked personally identifiable information? The vast majority of these organizations were compliant with the HIPAA regulations, and yet they still suffered a security breach or data leakage event. This underscores the point that compliance and security are not the same thing. Ideally, regulatory compliance should be thought of as a starting point for securing IT resources. Organizations should actively look for ways to secure their IT assets beyond what is legally required.
4. What would we do if a breach occurred right now?
The idea here isn’t to focus on addressing any specific type of breach, but rather to assess the organization’s readiness in general for dealing with a breach. It’s important to have a breach response plan in place well before a breach ever happens. This plan shouldn’t be something that is written, filed away and never looked at again. Rather, it should be a living document that is updated as business, industry and global conditions change. Organizations should regularly rehearse breach response based on this living plan so staff will know what to do if (and when) a real breach happens.
5. What have we missed?
This may be the most important question of all, and it’s the one that keeps security professionals up at night: what have I missed? No matter how secure a network might be or how elaborate an organization’s cyber defenses are, there is always something that could be better. Identifying what that something is and then taking corrective action is one of the most important things that an organization can do to achieve better security.
Posing these five cybersecurity questions can help organizations establish priorities, identify and fill gaps, plan for the worst and make sure the organization is ready to follow through on those plans.