By Rick Ball, VPC Cyber/Continuity of Operations Branch Director
The old adage that “you don’t know what you don’t know” certainly applies to Cyber security, and not knowing can be costly. What are the first steps to developing a Cyber-attack protection program?
Every business, regardless of size, should conduct a Cyber risk assessment. An example of how Cyber risk is measured is as follows: Cyber risk = threat x vulnerability x information value. There are numerous excellent standards-based plans available on the web, or you could hire a consulting firm to do one for you, which is what I advise in order to ensure impartiality. A good standards-based assessment can be a time-consuming and complex endeavor. However, the information gleaned from the assessment will allow you to best prepare your business.
The next step in the process is to develop your Cyber threat policies and procedures. This should be done in conjunction with some of your existing data and physical security policies/procedures, and should also include risk management.
Once the Cyber policies/procedures have been established, the next step is to establish a Cyber Security Incident Response Team (CSIRT), whether internal or external, the latter through a virtual Chief Information Security Officer (vCISO) or an MSSP.
The final aspect you should consider is obtaining a Cyber insurance policy from a reputable firm, preferably one that specializes in Cyber insurance and has done so for several years. Whatever you do, please do not assume your general liability insurance will cover you, as many such policies have specific limitations and minimal coverage.
References for Cyber Risk Assessment:
- NIST, https://www.nist.gov/cyberframework
- C2M2, https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
- CMMC, https://www.acq.osd.mil/cmmc/
- CIS20, https://www.cisecurity.org/controls
- HITRUST CSF, https://hitrustalliance.net/product-tool/hitrust-csf/
- CoverWallet, https://www.coverwallet.com/insurance/cyber-liability-data-breach
- Hiscox, https://www.hiscox.co.uk/business-insurance/cyber-and-data-insurance
- AIG, https://www.aig.com/business/insurance/cyber
- HSB, https://www.hsbtotalcyber.com
- Liberty Mutual, https://business.libertymutual.com/commercial-solutions/professional-liability/cyber-liability/
- Chubb, https://www.chubb.com/us-en/individuals-families/products/cyber/cyber-insurance.html
- CNA – not CAN!, https://www.cna.com/web/guest/cna/products/cyber
- Trava, https://www.travasecurity.com