Creating a defensive cybersecurity culture

Creating a defensive cybersecurity culture

As cybersecurity threats continue to grow and become part of everyday life for individuals and businesses, it is critical that they be addressed as an operational risk. Like other operational risks, cybersecurity threats can impact your ability to operate, access information, reputation, customer trust, bottom line, and overall survival. The best defense against these threats is to create a culture of awareness and vigilance.

How to create a culture of cyber readiness

  • You/Your Business - You are the best advocate to build a strong defense within your organization. As the leader of the organization, the success of this culture shift comes from your ability to drive strategy, investment, and culture. Your understanding of basic cybersecurity terms, methods, and tools will direct action and activities that build and sustain a culture of cybersecurity. 
  • Your staff - Once you have a grasp of the basics, your organization must focus on your biggest vulnerability - the user. Your staff will often be the first line of defense against any threats or malicious activity. Investing in their education and skillset will demonstrate the importance of these security measures and ensure that the culture is maintained within the organization. 
  • Your systems - Protect critical assets and application. Understanding what and where your data is stored is one of the foundational steps necessary in growing a cyber savvy culture. Laying this foundation will provide an environment to grow and easily monitor as your business develops and acquires more data. One way of accomplishing this is to conduct a system audit, mapping all critical information and providing the appropriate security.
  • Your surroundings - Situational awareness ensures that only those who belong on your digital environment have access. Using the system analysis above, you should be able to determine who requires access to what data stored in specific locations. Like physical security, only those authorized should hold the keys to your data.
  • Your data -  Avoid losing data by protecting your information where it is stored, processed, and transmitted. Create a viable backup system that ensures critical operation will continue even during a cybersecurity incident. These contingency plans will enable you to recover systems, networks, and data when the environment is compromised.
  • Your crisis response - An incident response plan can help limit damage and provide a quick restoration recovering essential operational systems. The key steps to any incident response are to plan, prepare, and practice. 

Creating a positive cybersecurity culture will help protect your data and limit liability if/when you are faced with a cyber incident. Along with the above initiatives, the Cybersecurity and Infrastructure Security Agency (CISA) advises to take the following three initial steps:

  1. Backup data - Employ a backup solution that automatically and continuously backs up critical data and system configurations.
  2. Multi-factor authentication - Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative and remote access users.
  3. Patch and update management - Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.

While all these steps are essential, the McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group can help you develop the appropriate culture within you organization creating these essential policies, procedures, and best practices. Keep an eye out this month as McDonald Hopkins continues to publish helpful tips and strategies you and your business can use to “See Yourself in Cyber.”

You can also click here to view past and upcoming events and speaking engagements featuring McDonald Hopkins data privacy and cybersecurity attorneys, including those listed below:

  • Thursday, October 20 - Cyberween Risk Management Conference, featuring Kate Jarrett
  • Tuesday, October 25 - What Treasurers Need to Know and Do for the Future of Cyber/Privacy Law, Cyber Security, and Cyber Insurance, featuring Spencer Pollock
+