What is a Comprehensive Cybersecurity Strategy? PART 3 – Protect

Apr 9, 2022 | Cyber Security, Network Security Compliance

Now that you have identified where your most critical systems and data reside, who has access to them, how you protect them from loss, and whether or not you must comply with any government, industry, or insurance requirements, you can start work on the next function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, i.e., Protect.

The main purpose of this important function is to limit, as much as possible, the impact that an unwanted cybersecurity event can have on your business. For this reason, it is important that you link your technology to your internal processes. In other words, your processes and the people implementing them must be properly connected to ensure your policies are enforced. For instance, you want to make sure your technology group knows if and when an employee is leaving the company, so they can take the necessary measures to terminate access to the network as the employee exits the company.

Key areas of this “Protect” function include:

  • Identity Management, Authentication and Access Control – As discussed earlier, not everyone needs to have access to all the company data. Limit access to your critical technology to only those employees who have a need to know. For instance, an engineer may need information regarding the project he or she is responsible for, but this person may not need to see the entire company's financial information. Similarly, ensure that your network devices and servers are secured in rooms with access limited for both company members and the general public.
  • Awareness and Training – The first line of cybersecurity defense in any organization is the people who work in it. It is important for all employees and managers of the organization to undergo awareness training that prepares them to identify potentially malicious attacks which come through phishing e-mail, ransomware attacks, etc. By the way, awareness training is not a one-time practice; employees must undergo periodic refresher training to stay aware of the ever-changing technology landscape.
  • Data Security – Protect your critical data not only by making it inaccessible to people who do not need it but also by implementing strong back-up processes which store the data on different media, in different places, and with at least one copy in the Cloud. Your back-up processes need to be well documented and updated as the data changes. An important thing to keep in mind is to consistently manage the data in line with your organization's risk, confidentiality, and information availability needs.
  • Information Protection Processes and Procedures – Regardless of size, every business organization needs to develop and implement a Technology Security Plan outlining the purpose, scope, role, responsibility, commitment, and coordination of all players within the organization. Once the Technology Security Plan is established, you must implement and maintain policies and procedures across the organization.
  • Protective Technology – Implement and manage security tools, preferably automated, to ensure that all computers, servers, and network devices are patched and protected with antivirus and/or malware protection, that data is backed up as per predefined schedules, and that notifications are provided if and when an operating system has reached end-of-life and will no longer be supported. Whatever system you use, it is important that it provides you with the necessary reports highlighting areas where attention is required.

It is important to document all of the steps of the Protect function of the NIST Cybersecurity Framework. It is equally important to refresh the documentation when changes take place which could impact the overall security of the business organization's data and systems.
