Factors to Consider When Establishing a Cyberdefense: Part 2

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 8 November 2023

To be successful, an organization must understand which assets it needs to protect from cybersecurity risk and what precautionary measures can be used to do so. To assist in this journey, the Center for Internet Security (CIS) recommends assessing 10 categories. The first five categories are described in “Factors to Consider When Establishing a Cyberdefense: Part 1.” The remaining are examined herein and can be used to further enhance enterprise cyberhygiene.

Log Management

Start by implementing a log management policy that provides direction for identifying, collecting and managing log files. Once the policy is in place, a log management tool can be selected. Log management tools vary greatly depending on their intended use and the desired retention period of log files. Common tool naming conventions include event log manager, security information and event management (SIEM) and security information management (SIM).

Some considerations to keep in mind when selecting and implementing safeguards for log management include:

  • The volume of logs ingested
  • How long logs must be retained (the retention period)
  • The desired type(s) of log
  • Regulatory, legal or contractual obligations
  • Who is granted access to view or modify the logs? Write access in particular should be tightly restricted, since logs an intruder can alter cannot be trusted during an investigation.
  • Does the enterprise need a disaster recovery plan if the log server is compromised?

Malware Defense

Malware defense is a basic requirement of information security. There are two main tools used in malware defense: anti-malware software and a Domain Name System (DNS) filtering service that blocks resolution of known-malicious domains. Automation plays a critical role in both: tools that automatically quarantine or block a detected threat contain it faster, leaving the enterprise more time to investigate and recover from a potential incident. Common tools that an enterprise may come across during procurement include antivirus software, endpoint detection and response (EDR), endpoint protection platforms (EPPs) or endpoint security services (ESS).

Considerations to keep in mind when selecting and implementing safeguards for malware defense include:

  • What types of threats does the enterprise face?
  • Does the enterprise have a process in place that instructs personnel what to do when potentially malicious activity is suspected and/or detected?
  • Does the tool detect threats based on signatures, behaviors or both?
  • Is anti-malware software centrally managed?
  • Can anti-malware software be managed on remote devices?
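The third question above, signatures versus behaviors, is easier to weigh with a concrete contrast. The following is an added example, not code from the original article or from any vendor product: it pairs an exact-hash signature check with two behavioral rules run over constructed endpoint telemetry. The "known bad" sample, the blocklist, the event log, the parent-process list and the alert thresholds are all constructed assumptions for illustration.

```python
"""Signature-based versus behavior-based malware detection, side by side.

Added example, not part of the original article and not any vendor's
logic. The "known bad" sample, the hash blocklist, the endpoint event log
and the alert thresholds below are all constructed for illustration.
"""
import hashlib
from collections import defaultdict

# --- Signature-based detection -------------------------------------------
# Constructed stand-in for a known dropper; real signatures would be vendor
# hashes or byte patterns, not this string.
KNOWN_BAD = b"MZ\x90\x00constructed-dropper-sample-v1"
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# The same sample with one byte appended: identical behavior, new hash.
VARIANT = KNOWN_BAD + b"\x00"


def signature_match(sample: bytes) -> bool:
    """Exact-hash signature: fires only on byte-identical samples."""
    return hashlib.sha256(sample).hexdigest() in BLOCKLIST


# --- Behavior-based detection --------------------------------------------
# Constructed endpoint telemetry: (seconds, pid, parent_image, event, detail)
def constructed_events() -> list[tuple]:
    evs = [(0, 401, "winword.exe", "process_start",
            "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA")]
    evs += [(1 + i, 401, "winword.exe", "file_rename",
             f"doc{i}.docx -> doc{i}.docx.locked") for i in range(25)]
    evs += [(5, 502, "explorer.exe", "process_start", "notepad.exe")]
    evs += [(10 + i, 502, "explorer.exe", "file_rename",
             f"notes{i}.txt -> notes{i}.bak") for i in range(3)]
    return sorted(evs, key=lambda e: e[0])


OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumption
RENAME_BURST = 20   # assumption: renames by one process within WINDOW_S
WINDOW_S = 60


def behavior_alerts(events) -> list[tuple[int, str]]:
    """Two behavioral rules that do not care what the binary hashes to:
    an Office process launching encoded PowerShell, and a burst of file
    renames typical of encryption. Each rule fires at most once per pid."""
    alerts, seen = [], set()
    renames = defaultdict(list)
    for ts, pid, parent, kind, detail in events:
        d = detail.lower()
        if (kind == "process_start" and parent in OFFICE_PARENTS
                and "powershell" in d and "-enc" in d
                and (pid, "ps") not in seen):
            seen.add((pid, "ps"))
            alerts.append((pid, "office-spawned encoded PowerShell"))
        if kind == "file_rename":
            renames[pid].append(ts)
            recent = [t for t in renames[pid] if ts - t <= WINDOW_S]
            if len(recent) >= RENAME_BURST and (pid, "burst") not in seen:
                seen.add((pid, "burst"))
                alerts.append((pid, f"rename burst: {len(recent)} in {WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    print("signature on original:", signature_match(KNOWN_BAD))   # True
    print("signature on variant: ", signature_match(VARIANT))     # False
    for pid, why in behavior_alerts(constructed_events()):
        print(f"behavior alert pid={pid}: {why}")
```

The point the example makes is that a one-byte change defeats the hash signature while leaving the behavioral rules untouched, and that the benign process (pid 502, a handful of renames from explorer.exe) stays below the burst threshold. Real products combine both approaches precisely because signatures are cheap and exact while behavioral rules cover what has not been seen before.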

Data Recovery

Data recovery is another basic, yet critical, component of the modern information and cybersecurity landscape. If all other controls fail, having (or not having) a usable backup can make or break an enterprise. It is important to enforce a data recovery policy, procedure and process that specify the backup and recovery mechanisms. Backup and recovery tool selection depends largely on where backups are stored (e.g., on-premises in a separate network segment, off-site, cloud), how long they are kept, the type of backups (full vs. incremental) and their size. Backups should be isolated from production credentials so that an intruder who compromises the network cannot also encrypt or delete them, and they should be tested by actually restoring them: a backup that has never been restored is an assumption, not a control. Popular tools that an enterprise may come across during procurement include backup software, backup managers, data recovery products, or backup and recovery software.

Several questions to ask when implementing data recovery safeguards include:

  • How often should backups be performed on each device?
  • What type(s) of backups does the enterprise want to create (e.g., full, incremental)?
  • Where will the backups be stored (e.g., offsite, cloud, on-premises in a different network segment)?
  • How much space is needed to store the backups?
  • How long will backups be kept?
  • Will backups be centrally managed?
  • Can backups be performed on remote devices?
  • Will backups be performed automatically or manually?
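The full-versus-incremental choice and the retention question interact in a way the checklist cannot show: an incremental generation is only restorable while the full backup it depends on still exists. The following is an added example, not code from the original article or from any backup product. It models a backup chain in memory (a dict of path to bytes stands in for the protected file system), restores a chosen generation with integrity verification, and prunes old generations without orphaning the retained incrementals. The file contents and the retention count are constructed.

```python
"""Full vs. incremental backups, verified restore, and safe generation pruning.

Added example, not from the original article or any backup product. A dict
of path -> bytes stands in for the protected file system and each backup
generation is a dict held in memory, so the whole chain runs offline; the
file contents and the retention count used below are constructed.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def full_backup(files: dict[str, bytes]) -> dict:
    """Generation that stores every file and depends on nothing earlier."""
    manifest = {path: digest(data) for path, data in files.items()}
    return {"type": "full", "manifest": manifest,
            "blobs": {h: files[p] for p, h in manifest.items()}}


def incremental_backup(files: dict[str, bytes], previous: dict) -> dict:
    """Generation that stores only content that changed since `previous`.

    Unchanged files are listed in the manifest by digest but their bytes
    stay in an earlier generation; deleted files drop out of the manifest.
    """
    manifest = {path: digest(data) for path, data in files.items()}
    changed = [p for p, h in manifest.items() if previous["manifest"].get(p) != h]
    return {"type": "incremental", "manifest": manifest,
            "blobs": {manifest[p]: files[p] for p in changed}}


def restore(chain: list[dict], index: int) -> dict[str, bytes]:
    """Rebuild the file set as of chain[index], walking back through the chain.

    Every blob is re-hashed against the manifest, so a corrupted or tampered
    store fails loudly at restore time instead of yielding silently wrong data.
    """
    restored = {}
    for path, h in chain[index]["manifest"].items():
        for gen in reversed(chain[: index + 1]):
            if h in gen["blobs"]:
                data = gen["blobs"][h]
                if digest(data) != h:
                    raise ValueError(f"corrupted blob for {path}")
                restored[path] = data
                break
        else:
            raise ValueError(f"missing blob for {path}: chain is broken")
    return restored


def prune(chain: list[dict], keep: int) -> list[dict]:
    """Drop old generations, but never leave a retained incremental without its full.

    A naive "keep the last N" policy deletes the full backup that the
    surviving incrementals depend on, which destroys restorability while
    the retention report still looks healthy. Here the cut moves back to
    the nearest full, so more than `keep` generations may be retained.
    """
    if keep >= len(chain):
        return list(chain)
    start = len(chain) - keep
    while start > 0 and chain[start]["type"] != "full":
        start -= 1
    return chain[start:]


def build_example_chain() -> tuple[list[dict], list[dict]]:
    """Three constructed file-system states and the full+incremental chain."""
    v1 = {"docs/a.txt": b"alpha v1", "docs/b.txt": b"beta v1", "docs/c.txt": b"gamma v1"}
    v2 = {**v1, "docs/b.txt": b"beta v2", "docs/d.txt": b"delta v1"}   # modify b, add d
    v3 = {p: d for p, d in v2.items() if p != "docs/a.txt"}             # delete a
    v3["docs/d.txt"] = b"delta v2"                                      # modify d
    chain = [full_backup(v1)]
    chain.append(incremental_backup(v2, chain[-1]))
    chain.append(incremental_backup(v3, chain[-1]))
    return [v1, v2, v3], chain


if __name__ == "__main__":
    versions, chain = build_example_chain()
    for i, gen in enumerate(chain):
        print(f"gen {i}: {gen['type']:<11} blobs stored={len(gen['blobs'])}")
    assert all(restore(chain, i) == versions[i] for i in range(3))
    print("kept after prune(keep=1):", len(prune(chain, 1)))  # 3, not 1
```

Two things are worth noting in practice. First, the restore step is where the "have we tested our backups?" question gets answered; the digest check is what turns a bad restore into an error instead of a surprise. Second, a retention policy expressed purely in days or generations must be aware of the chain structure, which is why the pruning here keeps three generations when asked to keep one.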

Security Training

Having a policy in place is important when it comes to establishing a security training and awareness program. There are so many no-cost resources (e.g., videos, links, articles, online exercises) available online that many enterprises do not need to spend a large sum of money to educate employees about cybersecurity.

When selecting a tool or set of resources, ensure that they cover areas such as:

  • Social engineering
  • Authentication best practices
  • Data handling best practices
  • How to recognize and report security incidents
  • How to spot potential vulnerabilities
  • Dangers of connecting an enterprise asset to an insecure network

There are many comprehensive resources, available both online and in-person, for security awareness programs. Because creating a security training program can be labor-intensive, enterprises may consider outsourcing some of the work, depending on the availability and skill sets of their personnel.

Questions to ask when implementing training safeguards include:

  • How many people does the enterprise employ?
  • Do third-party vendors and service providers also require training?
  • Will the training be conducted on-site, virtually or both?
  • Are there any positions that require additional skills training?
  • Will the enterprise be using no-cost tools or a commercially supported tool that provides a wide variety of training materials and reports in one platform?
  • How often will the training program be conducted?
  • Who will conduct the training?
  • Are there reports and dashboards available within the training tool?

Incident Response

Incident response is another key aspect of any information and cybersecurity program. It is crucial to develop an incident management policy and an incident response plan that account for all applicable legal, regulatory and statutory requirements. This should also include activities such as designating personnel to manage incident handling, creating a contact list to be referenced in the event of an incident and establishing a process for reporting incidents.

When planning for incident response, the following should be considered:

  • Will internal personnel or a third party be responsible for managing incidents?
  • Who should be contacted in the event of an incident (e.g., legal, human resources [HR], IT, communications/public relations, law enforcement)?
  • How do personnel report an incident (or suspected incident)?
  • How is the above information communicated to personnel?
  • How quickly must backups be usable and available (i.e., what is the recovery time objective)?

Conclusion

It is critical to budget for the lifecycle costs of cybersecurity brought on by advances in IT, software deprecation and the need for additional training. Commercially supported tools should come with documentation, be compatible with existing platforms and software, and provide a clear idea of how long the tools will be supported. The most important action an enterprise can take is to start now. Do not wait to become a victim of a breach or incident. Make informed and prioritized decisions to get strong defenses in place before an incident occurs.

Author’s note: The information provided in this article is for general informational purposes only. The content is based on the author's research and understanding of the subject matter. The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any organization.

Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CDPO

Is an analytical thinker, writer, certified trainer, global mentor, and advisor in the areas of information and communications technology (ICT) governance, cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is a certified data protection officer and was awarded Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022, granted by GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively. He was also named a 2022 Certified Trainer of the Year by the Professional Evaluation and Certification Board (PECB). He is a public speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, cybersecurity, and data privacy. He volunteers at the global level of ISACA® in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com.