Is your organization ready for a data breach?

We talk with many organizations every day, and the most common issue we see in cybersecurity today is culture, even though the threats are everywhere in the news, on TV, in print and all over the internet. Despite all of this media coverage, organizations are still struggling to get past one of the first questions we are consistently asked: "Why would we be a target?"

Because it happens, and it happens every day to too many organizations just like yours. It truly is not a question of "IF" it will happen, but "WHEN" it will happen. To me, being prepared for a data breach and having an incident response plan in place is fundamental to every organization, regardless of the size of the operation. "So where do I start?" is normally the second question we hear, or maybe the thirty-second.

I always focus on the following five items:

  1. Secure by design
  2. Gain visibility into your assets
  3. Protect your assets
  4. Detect threats in your environment
  5. Prepare for a data breach
  1. Secure by design -- We are leveraging the NIST Cyber Security Framework (CSF) more and more every day for our customers. The CSF is a set of cybersecurity activities and outcomes that are common across organizations and sectors. Any organization can leverage the CSF to measure and improve its overall security posture. The CSF has five concurrent and continuous functions:

    • Identify — Establish the organization's understanding of how to manage cybersecurity risk to its ecosystem (systems, assets, data and capabilities).

    • Protect — Establish security controls to ensure delivery of business-critical services.

    • Detect — Establish proactive processes and technologies to identify threat events.

    • Respond — Establish proactive processes and technologies to act when a cybersecurity event occurs.

    • Recover — Establish appropriate activities to maintain plans for resilience and to restore any services that were interrupted due to a cybersecurity event.

  2. Gain visibility into your assets – Following the CSF, organizations must first establish a complete picture of the assets and services that operate in their IT ecosystem. That picture is what lets you prioritize the response to an attack and contain a breach, because you cannot protect, monitor or isolate a system you do not know exists. Ask:

    • What systems are critical to the ongoing function of your organization?

    • Which systems are critical to the day-to-day tasks?

    • What other systems do those critical systems rely on?

    • Which systems manage and store sensitive information?

  3. Protect your assets – Organizations need to follow a defense-in-depth approach to protect their assets and manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer will prevent a full breach. Focus on the big five security controls:

    • Boundary protections

    • Monitoring and logging

    • Access control

    • Encryption

    • Security Governance

  4. Detect threats in your environment -- Not all breaches are avoidable. Our efforts to build an impenetrable IT ecosystem will never be enough to close every attack vector. Attackers know this and will always use it to their advantage. To keep that advantage as small as possible, you need to detect a breach as quickly as possible. Understanding the normal behavior of your systems, and monitoring that behavior for indications that a breach may have occurred, is essential to an efficient response.

    • If I do not detect the attack how will I know an asset is compromised?

    • If an asset is compromised how can I address it before the breach expands?

  5. Prepare for a data breach – Build from a framework like the NIST CSF that will force your organization to establish controls in each of the CSF categories and to assess how mature those controls are in an integrated fashion.

    • Establish an Incident Response team

    • Define an Incident Response Plan (IRP)

    • Test your IRP frequently (table-top exercises and Red Team engagements)

    • Retain an external Incident Response team
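The asset-visibility questions under item 2 (what is critical, what it relies on, where sensitive data lives) and the containment question under item 4 (how to stop a compromised asset from expanding the breach) are easier to answer when the inventory is data you can query rather than a spreadsheet. The following is an added example, not code from the original post: a constructed, hypothetical inventory of a handful of systems with dependency edges, over which it computes each critical service's transitive dependencies, each asset's "blast radius" (which critical services break if that asset is compromised or has to be isolated), a containment priority order, and the dependencies nobody has inventoried yet. All asset names are invented for illustration.

```python
"""Dependency-aware asset inventory for breach preparation (added example).

Constructed sample data: each Asset is tagged with whether it is critical to the
ongoing function of the organization and whether it stores sensitive information,
plus the systems it relies on. Names are hypothetical.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    critical: bool = False         # critical to the ongoing function of the organization
    sensitive_data: bool = False   # manages or stores sensitive information
    depends_on: set = field(default_factory=set)


# Constructed inventory. Note that "dns-provider" is referenced but never inventoried,
# which is exactly the kind of gap an asset review should surface.
INVENTORY = {
    "web-storefront": Asset("web-storefront", critical=True, depends_on={"api-gateway", "cdn"}),
    "api-gateway": Asset("api-gateway", depends_on={"orders-db", "auth-service"}),
    "auth-service": Asset("auth-service", depends_on={"ldap", "secrets-vault"}),
    "orders-db": Asset("orders-db", sensitive_data=True, depends_on={"san-storage"}),
    "payroll": Asset("payroll", critical=True, sensitive_data=True, depends_on={"ldap", "hr-db"}),
    "hr-db": Asset("hr-db", sensitive_data=True, depends_on={"san-storage"}),
    "ldap": Asset("ldap"),
    "secrets-vault": Asset("secrets-vault", sensitive_data=True),
    "san-storage": Asset("san-storage"),
    "cdn": Asset("cdn", depends_on={"dns-provider"}),
    "wiki": Asset("wiki", depends_on={"ldap"}),
}


def transitive_dependencies(inventory, name):
    """Everything `name` relies on, directly or indirectly (BFS; safe on cycles).
    Dependencies missing from the inventory are returned but not expanded."""
    seen, queue = set(), deque(inventory[name].depends_on)
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        if dep in inventory:
            queue.extend(inventory[dep].depends_on)
    return seen


def blast_radius(inventory):
    """Map each asset to the set of critical services that transitively rely on it."""
    radius = {name: set() for name in inventory}
    for name, asset in inventory.items():
        if asset.critical:
            radius[name].add(name)
            for dep in transitive_dependencies(inventory, name):
                radius.setdefault(dep, set()).add(name)
    return radius


def containment_priority(inventory):
    """Order assets for protection and containment planning: the most critical
    services affected first, then sensitive-data holders, then by name for stability."""
    radius = blast_radius(inventory)
    return sorted(
        inventory,
        key=lambda n: (-len(radius[n]), -int(inventory[n].sensitive_data), n),
    )


def unknown_dependencies(inventory):
    """Dependencies referenced by inventoried assets that are not inventoried
    themselves: each is a visibility gap to close before it turns up mid-incident."""
    return {dep for a in inventory.values() for dep in a.depends_on if dep not in inventory}


if __name__ == "__main__":
    radius = blast_radius(INVENTORY)
    print("Containment priority (critical services affected, sensitive data):")
    for name in containment_priority(INVENTORY):
        print(f"  {name:15s} {sorted(radius[name])!s:35s} sensitive={INVENTORY[name].sensitive_data}")
    print("Uninventoried dependencies:", sorted(unknown_dependencies(INVENTORY)))
```

Running it shows why the dependency questions matter: neither ldap nor san-storage was tagged critical by anyone, yet both sit underneath every critical service and therefore top the containment list, while the one uninventoried dependency (dns-provider) is flagged before an incident forces the discovery.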

Finally, organizations need to ask themselves the following questions:

  • What people, processes and technologies do I have that are essential to provide the right Incident Response services?

  • What does the organization need to do to protect those assets from the threats discovered?

  • What detection capability can the organization implement to watch for potential threats?

  • What response and recovery activities are appropriate and necessary to continue operations or restore services after an event?

 
