Many businesses are beginning to transfer employees to remote work environments and cloud-based communications. This is due not only to the current pandemic, but simply because these alternatives cut business expenses. Such changes require substantial planning for cyber security, so you need to know what to expect in terms of data and network protection.
What are the 10 controls of cyber security? The 10 controls are:
- Incident Response Plan
- Patch Management Lifecycle
- Antivirus Solutions
- Perimeter Defense
- Security of Mobile Devices
- Employee Training
- User Authentication
- Access Controls
- Security of Portable Devices
- Data Encryption and Backup
These controls can be tricky to implement, especially for new businesses. There is much to consider in terms of preventative and response planning, and every element should be considered in great detail both individually and collectively. Consult the following guide as you develop your cyber security plans for your company.
What Are Controls in Cyber Security?
Cyber security controls[1] are the defenses, or countermeasures, companies can execute for the following purposes:
- Detection of vulnerabilities and points of entry within the company network, along with scans for malware, phishing attempts, etc.
- Prevention of cyber-attacks
- Reduction of cyber security risks
- Counteraction of cyber-attacks
They are meant to be used by businesses and other organizations to mitigate and manage cyber threats. Because hackers continuously develop new methods for breaking into networks and stealing data, cyber security controls are constantly changing.
How to Choose the Right Cyber Security Controls for Your Business
Choosing the cyber security controls you will be using for the protection of your business is a task of extreme importance. You must consider the many different scenarios in which your system and data may be vulnerable and how your company would respond to and recover from it. Your controls will operate as both defense and recovery methods for any sensitive data.
Factors you must consider when determining the appropriate cyber security controls for your business are:
- Size of your organization. This is not exclusive to the number of employees but includes functional elements like the communication systems and size of the network, for example. These details will assist you in making well-informed decisions related to the most appropriate controls to apply to your work environment for the mitigation of present challenges and the prevention of future vulnerabilities.
- Scope of your IT infrastructure. Whether your IT assets are owned or contracted, they are a factor that must be considered as you choose cyber security controls. You’ll need to determine which of your IT elements need to be included in the scope of future cyber security management and controls. (Note: Your “IT infrastructure” includes applications, information systems, network devices, servers, cloud applications, etc.)
- Security levels of IT assets and information systems. As you are reviewing what IT assets will be included in the scope of your cyber security controls, you need to sort these assets by the level of security these assets either need or currently have. These security levels should be prioritized by the sensitivity of information shared across a given network or device.
- (Tip: Organize your assets using the designations “very low,” “low,” “medium,” and “high” to properly assign cyber security controls.)
- Financial planning. Understand that cyber security controls are an investment. This means you will have to do effective financial planning and forecasting to ensure that the investment is within your means. Note that certain controls will be long-term investments, whereas others may be recurring annual expenses.
1. Incident Response Plan
No company, no matter how protected, is immune to cyber-attacks. For that reason, you need to have a plan in place for how you will respond and end the attack if or when it happens.
New hacking techniques emerge daily, so your response plan should be dynamic and up to date. Automated detection and response tooling, AI-based for example, can help your system counter cyber-attacks in real time with minimal manual effort.
Further, any measures in your incident response plan should be implemented early and updated as often as possible. Note that although it is referred to as a “response” plan, your plan should include recovery plans as well.
Once you have a response plan set in place, you need to have specific individuals dedicated to initiating the execution of the plan. One or more people should be appointed to report any attempted breaches as they occur. You can enforce this by making those individual responsibilities a part of the written cyber security policy.
The advantage is that once these types of reports are submitted (which can be done a lot faster with specific individuals assigned to the task), they will be addressed by a forensics expert.
This is especially helpful in identifying what parts of your response plan were beneficial and what can be changed for the future. This is also why your response plan should include protocols on how to communicate with individuals outside of your company.
2. Patch Management Lifecycle
This is critical to all software and firmware being used in your cyber security measures. As previously mentioned, hackers are developing new techniques and technologies every day to penetrate vulnerable networks.
Your defense technology needs to be periodically updated to provide the most effective protection to your network and data.
Many companies source their cyber security technologies from multiple vendors. To some, this may seem beneficial in terms of finances and quality, but there are significant disadvantages to this strategy:
- With all of the differing technologies, hackers have multiple points of entry into your network, making your company more vulnerable to potential attacks. This could be mitigated by sourcing your technologies from either one or only a few vendors.
- There is no guarantee that all of your vendors’ software or hardware adheres to the same standards of cyber security, so there may be vulnerabilities in some equipment that are not in others. Once a hacker makes their way into your network through the weakest component, they have access to all of your data.
What is a Patch Management Lifecycle?
Now that you know what to consider as you’re assembling the collection of software and hardware for your cyber security system, you need to know how to care for it once it’s all in place. Patch management[2] consists of three elements:
- Acquiring software updates as early as possible
- Testing newly released patches
- Implementing up-to-date patches (e.g., software updates) as a part of your cyber security strategy. These patches need to be installed on all computing hardware that has access to your network.
Most people recognize patch management as simply installing updates to software and hardware – essentially, this is exactly what it is!
- Software patches: This can include operating systems such as Microsoft Windows and macOS, or specialized applications like banking applications, for example.
- Firmware patches: This covers network hardware like routers and switches.
The patch management lifecycle is the order of operations, per se, concerning these patches. The lifecycle should go as follows:
- A software or firmware patch becomes available.
- Your company acquires the patch, either by automatic download or manual updates.
- Before implementation, your new patch needs to be tested for efficiency.
- Assuming the tests had positive outcomes and showed promise in terms of cyber security, the patch is now ready to deploy across your network and devices.
- Although your patch was tested before implementation, you’ll still need to review its performance after it has been rolled out, according to your business’s needs.
Fortunately, you won’t have to do too much work to acquire your patches. Most vendors release patches as regularly as possible to address existing or emerging vulnerabilities of the software or hardware.
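The lifecycle above, as an added example that is not part of the article: a small tracker that only lets a patch move forward one stage at a time (available, acquired, tested, deployed, reviewed), refuses to deploy a patch whose test failed, and reports which hosts with network access still lack a deployed patch. Host names and the patch id are constructed.

```python
"""Patch lifecycle tracker (added example, not from the article).
Enforces available -> acquired -> tested -> deployed -> reviewed, refuses deployment
when the test did not pass, and reports hosts that still need the patch.
Host names and patch ids are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

STAGES = ["available", "acquired", "tested", "deployed", "reviewed"]
NEXT = {cur: nxt for cur, nxt in zip(STAGES, STAGES[1:])}   # forward only, one step at a time


@dataclass
class Patch:
    patch_id: str
    stage: str = "available"
    test_passed: Optional[bool] = None
    installed_on: Set[str] = field(default_factory=set)


class PatchTracker:
    def __init__(self, hosts: Iterable[str]):
        self.hosts: Set[str] = set(hosts)          # every device with access to the network
        self.patches: Dict[str, Patch] = {}

    def release(self, patch_id: str) -> None:
        """The vendor makes a patch available."""
        self.patches[patch_id] = Patch(patch_id)

    def advance(self, patch_id: str, to_stage: str, passed: Optional[bool] = None,
                hosts: Iterable[str] = ()) -> str:
        """Move a patch to the next stage; raises ValueError if the order is violated."""
        p = self.patches[patch_id]
        if NEXT.get(p.stage) != to_stage:
            raise ValueError(f"{patch_id}: cannot move from '{p.stage}' to '{to_stage}'")
        if to_stage == "tested":
            p.test_passed = bool(passed)
        if to_stage == "deployed":
            if not p.test_passed:
                raise ValueError(f"{patch_id}: deployment refused, test did not pass")
            p.installed_on.update(hosts)
        p.stage = to_stage
        return p.stage

    def missing_hosts(self, patch_id: str) -> List[str]:
        """Hosts that still need the patch; a non-empty list means coverage is incomplete."""
        p = self.patches[patch_id]
        return sorted(self.hosts - p.installed_on)


def try_advance(tracker: PatchTracker, patch_id: str, to_stage: str, **kw) -> Optional[str]:
    """Same as advance() but returns None instead of raising, for reporting loops."""
    try:
        return tracker.advance(patch_id, to_stage, **kw)
    except ValueError:
        return None


def demo() -> List[str]:
    """Constructed run: three hosts, one patch deployed to two of them."""
    t = PatchTracker(["ws-01", "ws-02", "srv-db"])
    t.release("PATCH-EXAMPLE-1")
    t.advance("PATCH-EXAMPLE-1", "acquired")
    t.advance("PATCH-EXAMPLE-1", "tested", passed=True)
    t.advance("PATCH-EXAMPLE-1", "deployed", hosts=["ws-01", "srv-db"])
    return t.missing_hosts("PATCH-EXAMPLE-1")   # ws-02 is still unpatched
```

The `missing_hosts` report is the check the text asks for: a patch is not finished until every device that reaches the network has it.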
3. Antivirus Solutions
Almost all operating systems are distributed with default antivirus products. Popular antivirus systems you will recognize include Malwarebytes and McAfee, for example.
These products, in and of themselves, are sufficient protection from viruses; however, you can gain higher-quality protection with separately sold antivirus measures.
An effective antivirus product is a key element in the defense against malware attacks. Malicious programs are quickly detected by antivirus software, so hackers will experience greater difficulty in executing cyber-attacks with such tools.
This is possible because the antivirus software will always be scanning for malware and other harmful software and technologies within a system. The continuous monitoring mitigates potential damages to your network, often before they can even occur.
Your antivirus products must remain up to date, however, so this is where the patch management lifecycle comes into play again. Your best chance at effective defense is having an updated database for your antivirus software to draw from during regular scans.
What to Look for When Shopping for Antivirus Software
Your antivirus product is one of the most important elements of your cyber security controls. When shopping for new antivirus software, consider all the following elements[3] in depth:
- Detection rate. The software should stop a minimum of 95% of malware – covering everything from the most common malware to zero-day malware (freshly released). Make sure that this stellar detection rate is not full of false positives, though! This is a sign of inefficiency and can leave your system vulnerable to attacks, no matter how up to date your software is.
- Light system load. Know ahead of time how much the new software is going to demand of your system. This is especially important for companies or individuals operating on older systems – too heavy of a system load will work against your cyber security controls and introduce new vulnerabilities.
- Email and web protection. Malware is most often disguised in phishing emails or deceptive links – antivirus software can screen emails and websites before you open them, thereby eliminating instances in which potential viruses can be introduced.
- Availability of coverage. Find an antivirus product that protects multiple devices. This will provide defense for multiple points of entry with little effort (and fewer expenses) from you.
4. Perimeter Defense
This typically takes the form of a firewall, which is essential to identifying suspicious traffic that comes into a network. If necessary, the firewall will block the “entrance” to the network as a measure of defense.
This can be either hardware or software, and – for businesses especially – is useful for protecting the point of connection between an organization’s data and the internet.
Like antivirus software, most operating systems come with a default firewall. Once the device is under your control, you simply need to configure and activate this technology. After reviewing the firewall, if you conclude that it is not meeting your needs, you can look elsewhere for third-party suppliers.
Alternatives to Traditional Firewalls
As an alternative to traditional firewalls, there are Domain Name System (DNS) firewalls. A DNS firewall provides the same type of protection that firewalls do, but with a more specific scope: it is meant to prevent malicious web domains from connecting to your network.
This will secure any devices that are permitted to connect to your network, and even allows manual control measures for administrators to restrict access to certain sites.
You can apply this to on-premises software and appliances or, for companies with remote employees, on the cloud. Functions of DNS Firewalls[4] include:
- Blocking users from accessing malicious web addresses
- Redirecting users from sites that appear suspicious or that are not secure
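The two functions listed above, as an added example that is not part of the article or of any DNS firewall product: a policy check that sinkholes names on a block list (including their subdomains), redirects lookalike names that contain a protected brand keyword under a domain the brand does not own to a warning page, and otherwise passes the upstream answer through. The block list, the brand list, and the addresses are constructed; the 192.0.2.x and 198.51.100.x addresses are documentation ranges, not real hosts.

```python
"""DNS firewall policy check (added example, not from the article or any product).
Given a queried name and the upstream answer, returns block (sinkhole), redirect
(warning page) or allow. Lists and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

BLOCKLIST = {"malware-c2.example", "phish-login.example"}     # known-malicious domains
PROTECTED_BRANDS = {"examplebank": {"examplebank.example"}}     # keyword -> legitimate domains
SINKHOLE = "0.0.0.0"            # answer returned for blocked names
WARNING_PAGE = "192.0.2.10"     # host serving an interstitial warning page


@dataclass
class Verdict:
    action: str              # "allow" | "block" | "redirect"
    answer: Optional[str]    # address handed back to the client
    reason: str              # for the firewall log


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def registrable(name: str) -> str:
    # Simplification: the last two labels. Real resolvers use the Public Suffix List.
    return ".".join(name.split(".")[-2:])


def check(name: str, upstream_answer: str) -> Verdict:
    name = normalize(name)
    # 1. Exact or subdomain match against the block list: sinkhole the answer.
    for bad in BLOCKLIST:
        if name == bad or name.endswith("." + bad):
            return Verdict("block", SINKHOLE, f"blocklisted: {bad}")
    # 2. Lookalike: a protected brand keyword inside a name whose registrable
    #    domain is not one of the brand's own, e.g. examplebank.login.evil.example.
    reg = registrable(name)
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in name and reg not in legit:
            return Verdict("redirect", WARNING_PAGE, f"lookalike of {brand}")
    # 3. No policy match: pass the upstream answer through unchanged.
    return Verdict("allow", upstream_answer, "no policy match")
```

The suffix check matters: `notmalware-c2.example` must not be caught by a rule for `malware-c2.example`, while every subdomain of a blocked name must be.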
Another alternative to a traditional firewall is especially beneficial for corporations operating with remote employees. This third option is a VPN: a VPN encrypts the traffic between the remote employee and the corporate network, hiding the user activity that hackers on an untrusted network would otherwise track and use to execute eavesdropping attacks.
They provide a more efficient network for remote employees to operate on as well since home networks are typically much less functional than corporate ones.
5. Security of Mobile Devices
Whether the mobile devices are owned by the organization or the individual staff (for instance, if your employees are operating under a Bring-Your-Own-Device (BYOD) policy), your organization needs measures that effectively monitor all devices that can access the corporate network. This measure of defense will safeguard company data by securing access and communications across all devices.
For the best protection, corporate data needs to be isolated from individual data. You can achieve this by giving employees the following protocols:
- All work-related communications must be done via work accounts (e.g., emails).
- The transfer of work-related documents and other data can be done only through work accounts and approved applications.
- Any work-related data that must be saved to a device should be stored in a secure folder and/or on a secure device (USB, external hard drive, etc.).
The methods by which you separate company and employee data don’t need to be complex; they simply need to meet business needs and uphold effective security standards.
Lastly, consider the following when you develop a protocol and invest in cyber security controls regarding mobile devices: [5]
- Control the type and amount of data that an individual employee can access at any given time. Never give access to data that is not essential to the individual’s job duties – this simply introduces liability where there need not be any. You should always have a way to erase company data from a mobile device, whether it belongs to an employee or the corporation.
- All antivirus and malware solutions need to be installed across all devices.
- Use the default security features that came with the mobile device. These are not mutually exclusive in function with third-party controls – you can use both simultaneously!
- Integrate Mobile Device Management (MDM) solutions into your controls. This will allow you to manage multiple devices from one console, thereby streamlining the process of performing patch management and general security measures across all devices that access your network.
6. Employee Training
This is an easily overlooked element of cyber security, even though it is critical to a fully functioning defense system! What use is it to invest in all these cyber security measures if your employees cannot use the protections properly?
Employee training is an essential part of protecting organizations from damaging cyber-attacks, especially since one of the most common reasons cyber-attacks against businesses succeed is that employees are simply unaware of how to distinguish phishing emails from authentic communications.
If you train your employees on how to identify these attacks, they can avoid harmful software more consistently and thereby protect your company’s data.
Well-trained employees function as the “first line of defense” for cyber security, so you’ll need to know how to train them well.
Follow the guidelines below to develop the best, most efficient system for training your employees in cyber security: [6]
- First, recognize that when data breaches happen, you cannot blame one individual employee for it. This is important to keeping up employee morale as you all invest in a new protocol for cyber security. If you chastise a single employee for not being equipped with the appropriate knowledge during an attack, you’re neglecting your duty as an employer to provide that knowledge regularly. Your employees are a part of the system that protects your cyber security, not the fault of it.
- The innovation of technologies between hackers and corporations is an ongoing arms race – you need to keep your employees as up to date as possible. Just as the software gets patched regularly, so should your staff. Weekly or quarterly training sessions are a good way to keep your staff on their toes.
- Train them to recognize different types of attacks – most cyber-attacks rely on human error, so knowledge is truly half the battle!
- Work cyber security awareness into your regular business activities – make it the norm instead of an out-of-reach topic that only IT understands. Give updates to your employees on the latest cyber security news to keep them refreshed on how to mitigate potential risks in your system.
- (Do this with balance – you’re not aiming to overwhelm them with the number of cyber security attacks happening daily, rather, you need to keep the issue at the forefront of their minds for safer web activity. A few links as a part of a standard company announcement will do.)
- You may also benefit from sharing a few statistical figures to make them aware of the potential frequency and severity of current cyber-attacks. This helps to make matters more tangible and increase the efficiency with which your employees approach cyber security protocol.
- Make cyber security a part of onboarding! Let your employees know from the very beginning how important this is to their job and the company. This way you can keep everyone knowledgeable from the very beginning and never worry about any surprises related to cyber security training.
- Another commonly overlooked element of cyber security training is password training. Many people tend to brush off the importance of a password, but it is a key tool in maintaining the security of your data and network. A strong password should have the following elements:
  - Long enough (follow the recommendation of the site to create a password of the appropriate length)
  - Multiple types of characters
  - Never use complete words
  - Change the password often
  - Do not share the password across accounts
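The five password rules listed above, as an added example that is not part of the article: a checker that reports which rules a candidate password violates. The word list, the minimum length, and the maximum age are constructed thresholds; a real deployment would screen against a large dictionary and a breached-password list, and the reuse check is shown with a plain fingerprint only for the demo.

```python
"""Password policy checker (added example, not from the article).
Tests a candidate password against the five listed rules and returns the violations.
Word list and thresholds are constructed."""
import hashlib
import re
from typing import List, Set

WORDLIST = {"password", "welcome", "summer", "company", "admin", "letmein"}  # constructed
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def char_classes(pw: str) -> int:
    """Number of character classes present (lower, upper, digit, symbol)."""
    return sum(1 for pat in CLASS_PATTERNS if re.search(pat, pw))


def contains_word(pw: str) -> bool:
    """True if any complete dictionary word appears inside the password."""
    low = pw.lower()
    return any(w in low for w in WORDLIST)


def fingerprint(pw: str) -> str:
    # One-way fingerprint used only for the cross-account reuse check in this demo.
    # Production systems compare through a password manager or salted, slow hashing.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def evaluate(pw: str, age_days: int, other_account_fps: Set[str],
             min_length: int = 12, max_age_days: int = 90) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 character classes")
    if contains_word(pw):
        problems.append("contains a dictionary word")
    if age_days > max_age_days:
        problems.append(f"not changed in {max_age_days} days")
    if fingerprint(pw) in other_account_fps:
        problems.append("reused from another account")
    return problems
```

One caveat a practitioner would add: current NIST guidance (SP 800-63B) favors length and breached-password screening over forced periodic rotation, so the age rule is best treated as a policy choice rather than a hard requirement.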
7. User Authentication
One of the leading threats against many organizations’ cyber security is insider attacks. These are attacks that are achieved by a hacker with the assistance of someone on the “inside” of the organization. That employee may have been promised some sort of reward or other benefits from the hacker or may have even been blackmailed.
Either way, when this happens, the employee is no longer working in the interest of the company but for themselves. Oftentimes, these individuals may steal the login credentials of employees so that, if anything happens, they can cover their tracks and blame other staff.
User authentication protects against this by verifying the identity of the user. Along with the standard login and password, the authentication process requires the user to provide additional proof of identity.
These take the form of both two-factor and multi-factor authentication systems, both of which are equally effective protection against insider attacks.
Two- and multi-factor authentication systems typically require the following elements:
- Username
- Password
- Unique code
Users may also be given question-and-answer prompts. Administrators must also change passwords regularly; this way, even if a hacker were to get their hands on personal information, their chances of success would be greatly reduced, as there is a chance that information is out of date.
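The three elements listed above (username, password, unique code), as an added example that is not part of the article: a login check where the unique code is an RFC 6238 TOTP derived from a per-user secret, passwords are stored as salted PBKDF2 hashes, and an accepted code cannot be replayed within its time step. The in-memory user store and the enrolled user are constructed; the 20-byte secret is the RFC 4226/6238 test-vector secret, so the expected codes can be checked against the RFC tables.

```python
"""Username + password + one-time code login (added example, not from the article).
The "unique code" is an RFC 6238 TOTP; passwords are salted PBKDF2 hashes; each code
is accepted once only. User store and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

USERS: Dict[str, dict] = {}   # constructed in-memory user store
DUMMY_SALT = bytes(16)        # used so unknown usernames cost the same time as known ones


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time // step), digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "secret": totp_secret, "last_counter": -1}


def authenticate(username: str, password: str, code: str,
                 now: Optional[float] = None, step: int = 30) -> bool:
    """All three elements must check out; the code may be one step early or late."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    salt = user["salt"] if user else DUMMY_SALT
    _, digest = hash_password(password, salt)       # always do the work (no user enumeration by timing)
    if user is None or not hmac.compare_digest(digest, user["hash"]):
        return False
    counter = int(now // step)
    for candidate in (counter - 1, counter, counter + 1):
        # Only counters newer than the last accepted one are valid: replay protection.
        if candidate > user["last_counter"] and \
                hmac.compare_digest(hotp(user["secret"], candidate), code):
            user["last_counter"] = candidate
            return True
    return False
```

Both comparisons use `hmac.compare_digest` so that a wrong password or code is rejected in constant time, and the `last_counter` bookkeeping is what turns a "unique code" into a code that is genuinely single-use.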
8. Access Controls
Access control[7] is one of the cornerstones of cyber security. Without it, very few measures you take in protecting your network and data would be effective in any meaningful way.
Access control, whether it is a physical or digital product, guards all points of entry primarily with radio-frequency identification (RFID) and biometric readers, but other methods can be used alongside these, such as multi-factor authentication systems.
Biometrics is an incredibly secure, nearly fool-proof way to protect your corporate network and data. This works by scanning either the individual’s retina or fingerprint before granting access.
Still, this is only nearly fool-proof, since hackers construct artificial fingers for older models of fingerprint scanners and reverse-engineer irises for outdated retina scanners.
Even so, access controls can prohibit unauthorized individuals from accessing the network as well as control the types of activities that individuals can take part in when in the network. The following models govern how access is controlled within a network per individual user:
- Role-Based Access Control (RBAC): Depending on the role of that user within the company, only certain types of network access will be granted according to the system policy. This is the most common and easiest to implement as you do not have to re-evaluate individual access throughout your network, saving time and expenses.
- Mandatory Access Control (MAC): This is more often used in high-security environments and restricts access according to centrally defined rules (such as classification labels and clearances) that individual users cannot override.
- Discretionary Access Control (DAC): Users can manipulate the access settings of the devices in their control.
- Access Control Lists (ACL): Specific sets of permissions allow users to access certain objects within the corporate network. These permissions are regulated by system administrators and can be viewable by other parties.
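The four models above, as an added example that is not part of the article: one decision engine that evaluates them in a fixed order. A MAC label above the user's clearance denies regardless of anything else; an object's owner may read it and, under DAC, share it by adding ACL entries; explicit ACL entries grant access; finally, RBAC grants whatever the user's roles allow. All users, roles, objects, and labels are constructed.

```python
"""Access decision engine (added example, not from the article).
Combines MAC labels, DAC ownership/sharing, ACL entries and RBAC roles.
All names are constructed."""
from collections import defaultdict
from typing import Dict, Set, Tuple

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # MAC label order


class AccessControl:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)  # RBAC: role -> {(object, action)}
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)              # user -> {role}
        self.acl: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)         # ACL: object -> {(user, action)}
        self.owner: Dict[str, str] = {}                                      # DAC: object -> owner
        self.label: Dict[str, str] = {}                                      # MAC: object -> label
        self.clearance: Dict[str, str] = {}                                  # MAC: user -> clearance

    # --- administration, done by system administrators ---
    def grant_role(self, role: str, obj: str, action: str) -> None:
        self.role_perms[role].add((obj, action))

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def set_owner(self, obj: str, user: str) -> None:
        self.owner[obj] = user

    def classify(self, obj: str, label: str) -> None:
        self.label[obj] = label

    def clear(self, user: str, level: str) -> None:
        self.clearance[user] = level

    # --- DAC: only an object's owner may change its ACL ---
    def can_share(self, granter: str, obj: str) -> bool:
        return self.owner.get(obj) == granter

    def share(self, granter: str, obj: str, user: str, action: str) -> None:
        if not self.can_share(granter, obj):
            raise PermissionError(f"{granter} does not own {obj}")
        self.acl[obj].add((user, action))

    # --- the decision ---
    def allowed(self, user: str, obj: str, action: str) -> bool:
        # MAC first: a label above the user's clearance denies, whatever the ACL or role says.
        need = LEVELS[self.label.get(obj, "public")]
        have = LEVELS[self.clearance.get(user, "public")]
        if have < need:
            return False
        if self.owner.get(obj) == user:                    # DAC: owners control their objects
            return True
        if (user, action) in self.acl.get(obj, set()):     # ACL: explicit per-user entry
            return True
        return any((obj, action) in self.role_perms[r]    # RBAC: any role grants it
                   for r in self.user_roles.get(user, set()))
```

Putting the MAC check first is the design point: the text describes MAC as the model for high-security environments precisely because neither an owner's discretion nor a role assignment can relax it.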
9. Security of Portable Devices
This is in the same vein as securing mobile devices under BYOD policies, for example. However, it is a bit more all-encompassing as it covers all portable devices that can carry data.
This includes USB drives, SD cards, and external hard drives. Because they can be so easily lost or stolen, they can become a massive liability to the cyber security of your company.
You don’t have to do away with these devices entirely, though – simply find other alternatives such as cloud storage and integrate company policies that restrict the use and transport of such devices to on-premises use only. These steps will mitigate the following risks for such devices:
- Loss (whether due to employee error or management disorganization)
- Damage that interferes with standard functionality
- Theft of the device
10. Data Encryption and Backup
No matter how well you’ve designed your cyber security protocols and system, hackers are still working day in and day out to find their way into unsuspecting networks.
This means – although your risk is significantly reduced – your company may still be vulnerable to a breach or other attack. If that were to happen, having a backup of your company’s data and other relevant information can save you from going under.
Hackers can still access backups though, so you must encrypt your data as well. Backing up to multiple locations is a good method of defense, in case a hacker were to gain access to one source.
Separating the data you back up as “sensitive” and “public” can be helpful to recovery protocols as it helps you to prioritize what should be recovered and when.
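The backup advice above, as an added example that is not part of the article: each backup set is written to several locations together with an HMAC-signed manifest of file hashes, so a copy that has been altered in one location fails verification and the restore falls through to the next location; the restore plan also orders backups labelled "sensitive" ahead of those labelled "public". The locations, file contents, and key are constructed. Encryption of the backup contents themselves is assumed to be done with a vetted library (for example AES-GCM from the `cryptography` package) before `write_backup` is called, since the Python standard library has no cipher; the example covers the integrity and multi-location half of the control.

```python
"""Integrity-checked multi-location backups (added example, not from the article).
Writes files plus an HMAC-signed manifest, verifies a copy before restoring from it,
and builds a restore plan that prefers intact copies and sensitive data first.
Locations, contents and the key are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(location: Path, name: str, files: Dict[str, bytes],
                 classification: str, key: bytes) -> Path:
    """Store files under location/name with a manifest signed by the backup key."""
    dest = location / name
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"classification": classification, "files": {}}
    for fname, data in files.items():
        (dest / fname).write_bytes(data)
        manifest["files"][fname] = _digest(data)
    body = json.dumps(manifest, sort_keys=True).encode("utf-8")
    (dest / "manifest.json").write_bytes(body)
    (dest / "manifest.sig").write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    return dest


def verify_backup(dest: Path, key: bytes) -> Optional[dict]:
    """Return the manifest if the signature and every file hash check out, else None."""
    try:
        body = (dest / "manifest.json").read_bytes()
        sig = (dest / "manifest.sig").read_text()
    except FileNotFoundError:
        return None
    expected_sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return None                      # manifest altered or signed with another key
    manifest = json.loads(body)
    for fname, expected in manifest["files"].items():
        path = dest / fname
        if not path.exists() or _digest(path.read_bytes()) != expected:
            return None                  # file altered, truncated or missing
    return manifest


def restore_plan(locations: Iterable[Path], names: Iterable[str],
                 key: bytes) -> List[Tuple[str, Optional[str], Optional[Path]]]:
    """For each backup pick the first location whose copy verifies; sensitive sets first."""
    plan = []
    for name in names:
        for loc in locations:
            manifest = verify_backup(loc / name, key)
            if manifest is not None:
                plan.append((name, manifest["classification"], loc))
                break
        else:
            plan.append((name, None, None))   # no intact copy anywhere: escalate
    plan.sort(key=lambda entry: 0 if entry[1] == "sensitive" else 1)
    return plan


def demo() -> Tuple[bool, List[Tuple[str, Optional[str], Optional[str]]]]:
    """Constructed scenario: two locations, the payroll copy at site A altered afterwards."""
    key = b"constructed-demo-key-replace-in-production"
    with tempfile.TemporaryDirectory() as tmp:
        site_a, site_b = Path(tmp) / "site-a", Path(tmp) / "site-b"
        for loc in (site_a, site_b):
            write_backup(loc, "payroll", {"payroll.csv": b"id,amount\n1,10\n"}, "sensitive", key)
            write_backup(loc, "website", {"index.html": b"<h1>hello</h1>"}, "public", key)
        (site_a / "payroll" / "payroll.csv").write_bytes(b"id,amount\n1,9999\n")   # tampering
        tampered_ok = verify_backup(site_a / "payroll", key) is not None
        plan = restore_plan([site_a, site_b], ["website", "payroll"], key)
        return tampered_ok, [(n, c, loc.name if loc else None) for n, c, loc in plan]
```

The signing key must be stored apart from the backups themselves; a key that sits next to the data lets anyone who reaches the backup location re-sign an altered copy.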
[1] https://cyberexperts.com/cybersecurity-controls/
[2] https://sbscyber.com/Portals/0/documents/SBS2017-PatchManagement.pdf
[3] https://www.tomsguide.com/us/antivirus-software-buying-guide,review-3586.html
[4] https://www.deteque.com/news/dns-firewall-beginners-guide/
[5] https://www.smallbusinesscomputing.com/News/Mobile/byod-and-mobile-security-for-small-business.html
[6] https://www.coxblue.com/8-tips-and-best-practices-on-how-to-train-employees-for-cyber-security/