You have likely heard me talk about cybersecurity many times and, as time goes by, such conversations have increased in frequency. Putting myself in your shoes, I can see how this can be overwhelming. A few weeks ago, I challenged myself to simplify all this for you while still addressing this critical necessity. This week I’m excited to announce that I have the answer to both of our prayers!
First, let me do a quick reminder on the “why” of cybersecurity. Regardless of who you are or what you do: you are a target. You may be rightfully thinking there is nothing an attacker can gain by hacking you. Maybe you haven’t experienced a security breach before. You are likely unaware of all the potential headaches a security incident can cause for you and your business. Being on the front lines, my team and I see cybersecurity patients roll into our ER all the time. Let’s connect so I can evaluate your unique exposure and provide specific examples of where danger could be hiding.
Second, let’s talk about the “when” of cybersecurity. Unfortunately, we often get calls from new clients after they experience a breach, at which point they are eager to do everything right and need it done ASAP. Not only does this approach require the additional step of discovering what happened, but implementing security in a hurry also hurts your checkbook and your productivity. Cybersecurity is not a checkbox; it’s a journey. Evaluating where things are now and taking steps in the right direction will help you prioritize, budget, and plan accordingly. In addition, cybersecurity legislation is coming, and insurance companies already require it on certain policies. In the past, only specific industries had to abide by security standards (e.g., HIPAA and ISO 27001), but in the near future I expect all businesses will have such requirements.
Third, let’s talk about the “how” of cybersecurity. Remember I said I have the answer to both of our prayers? The answer is to follow a globally recognized set of cybersecurity best practices. Here is how that helps us both:
- Having a standard provides the ability to review everything at once and create a plan of action that takes all factors into account.
- Following a security standard ensures a comprehensive cybersecurity approach. Nothing falls through the cracks.
- Being in compliance with a security standard ensures your business is ready for any future compliance requirement (federal or contractual with a client).
- Your business qualifies for better premiums and the ability to purchase important policies such as cyber liability insurance.
- Adopting a cybersecurity standard as a framework simplifies our conversations by reducing back and forth and provides clarity on each step.
After intensive research, my team and I opted for the CIS Controls as our gold standard. I asked ChatGPT what it is, and I like what it came up with:
What are the CIS Controls?
“CIS Controls refer to a set of cybersecurity best practices developed by the Center for Internet Security (CIS) to help organizations of all sizes protect their IT systems and data from cyber threats. The CIS Controls are a prioritized set of actions that provide specific and actionable ways to stop cyber-attacks and enhance overall cybersecurity posture. The controls are organized into three categories: basic, foundational, and organizational, each with a specific focus on the types of threats that can be prevented by implementing them. The CIS Controls are continuously updated by a global community of cybersecurity experts, making them a comprehensive and evolving standard for protecting against cyber threats.”
In the coming weeks, I’ll be adapting the CIS Controls to the creative teams we support. My team and I will do the heavy lifting and, as always, we’ll continue to do the right things and look after you.
Stay well until then,
– Burak Sarac, Team Lead