Richard Chambers is the CEO of Richard F. Chambers & Associates and also serves as Senior Internal Audit Advisor at AuditBoard

As one cybersecurity incident after another has come to light in recent months — SolarWinds, Scripps Health, JBS and more — it’s become increasingly clear how vulnerable our infrastructure and businesses are to attack. It is vital that officials in every enterprise step up to protect sensitive data from hackers. New government cybersecurity initiatives are an important step, but it’s ultimately up to the individual organizations to get ahead of the evident risk by proactively bringing their own security measures into the 21st century.

The new Joint Cyber Defense Collaborative, aimed at improving the U.S.’s cybersecurity by improving communication and coordination between the public and private sectors, is a strong indication that our government recognizes that federal action alone is not enough. Private companies must also play a key role in defending against ransomware and cyberattacks.

Whether or not they take part in the new government collaborative, private-sector organizations will clearly need to implement updated controls going forward. Stronger cybersecurity regulations are undoubtedly coming and, as attacks continue to occur, organizations must adopt a proactive approach to anticipate and identify potential areas of vulnerability — lest they become “sitting ducks” for today’s sophisticated and aggressive hackers.

Here are three steps all organizations can take immediately to avoid becoming the next breach to sweep the headlines.

1. Conduct A Risk Assessment To Identify Vulnerabilities

The first and most vital step for every company is to conduct an internal risk assessment to understand their vulnerabilities — where their assets, data, technology and people are open to attack. This is the foundation of any strong security program because it provides a 360-degree view of the organization and identifies where controls are needed to protect information assets.

However, the risk assessment should not be a “one and done” activity in today’s evolving risk landscape. Organizations will increasingly need to put in place systems to achieve continuous risk monitoring and get real-time visibility into new and emerging risks.

2. Implement A “Zero Trust” Security Model

Companies across the board should aim for a Zero Trust security model, which assumes that threats already exist both inside and outside traditional network boundaries and therefore grants no implicit trust to any single element. Traditional and increasingly outdated security models run on the assumption that everything within an organization’s network can be trusted. Yet once a breach has occurred and a user’s identity has been compromised, that trust is itself a vulnerability. The Zero Trust model instead removes implicit trust from the system, helping to prevent data breaches and limit lateral movement inside the network.

3. Create A Security-Centric Company Culture

Security is only as strong as its weakest link, and it’s essential that security is ingrained into the fabric of a company’s culture at every level of the business. Organizations must educate employees and stakeholders about the importance of risk management and equip them with the tools and resources to participate in protecting the company from cyber incidents.

The more that security becomes embedded in the mindsets and everyday practices of an organization, the greater the barrier between the business’s networks and data and the malicious actors looking for opportunities to breach the system.

If there’s one thing of which we can be certain, it’s that more and larger attacks are imminent. And while modern cybersecurity measures cannot be put in place overnight, implementing these steps properly can keep organizations from being easy targets and minimize the harm if a breach does occur.

The new Joint Cyber Defense Collaborative is an important starting point for improving cybersecurity in our nation and our businesses, but ultimately it’s up to each organization to defend itself — and that defense starts with proactively identifying and continuously managing risk.
