1. Evaluate Current Cyber Hygiene Practices
2. Cyber Resilience—Develop a strategy to build an environment to ensure your most valued data, operations, and business mission are the focus of the program. Consider network segmentation and restricting both internet exposure and third-party access. Create a baseline of your environment and consider tools that will help you monitor for anomalies.
3. IT Strategy—Develop and assess courses of action and strategies that define the future, enable transformation and modernization, increase performance, and improve services for your customers.
4. Supply Chain Risk Management (SCRM)—Engage your organization to develop an SCRM program to illuminate and identify risks to products, tools, and vendors.
5. Enterprise Risk Management (ERM)—Apply a risk-based approach to managing the security of your environment. Risks associated with data breaches should be evaluated against enterprise objectives and should consider enterprise strategies and risks. Include your Chief Risk Officer and engage support to help you prioritize your resources toward your most critical business risks.
6. Cybersecurity—Develop a comprehensive cybersecurity program to address gaps identified during the evaluation of your current practices. Ensure best practices are implemented and a sufficient governance structure is put in place. This should include an ongoing security awareness and training program focused on creating a cyber-conscious culture. The cybersecurity program should also address vulnerability management, patch management, identity and access management, least privilege, configuration management, data encryption, and email filtering.
7. Regulatory Compliance Review—Work with your legal department to ensure your reporting obligations are identified and up to date. Also consider international regulations if your organization conducts business internationally.
8. Incident Response Training—Invest in security incident response training and planning to ensure you can rapidly respond to and recover from a cyber incident, including a supply chain exploitation.
The Chief Information Officer and Chief Information Security Officer can no longer have sole responsibility for data protection. A robust governance model must be implemented and include participation from a broad range of stakeholders, including the Chief Financial Officer, Chief Risk Officer, Office of General Counsel, Human Resources, Corporate Communications, and Mergers and Acquisitions. A comprehensive risk management-based cybersecurity program combined with a robust governance model is required to adequately protect your organization against cyberattacks and the risk of value and reputational erosion that comes with this threat.
Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, we collaborate with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.