There are many areas of your personal life and your work where it’s important—critical even—to take a proactive approach. Personally, taking care of your health and financial planning for retirement are two examples. As a business leader, protecting your company’s data with a comprehensive cyber risk management strategy is more important today than ever. And there are several proactive steps you can take to mitigate the risk of cyber threats.
In the case of cyber risk management, if you find yourself in a situation where a cyber incident has occurred and you have to then react, it doesn’t necessarily mean you did something wrong. In the example of taking care of your health, you might still get sick. In the case of taking steps to mitigate the risk of a cyber threat, one might happen anyway. The key is that your recovery in either case will be swifter and less painful if you have the right proactive measures in place.
This two-part blog series will examine where proactive and reactive strategies intersect when it comes to cyber risk management.
Assess your vulnerabilities. The most important first step in a proactive approach is to check for vulnerabilities in external and internal environments. Not once, but on a regular cadence according to each scan type. This will give you visibility into where your greatest opportunities for potential threats might be. Then, prioritize your mitigation actions based on the most severe risks. Scans should include:
- External Infrastructure
- Dark Web
- Web Applications
- Internal Network
- Asset / Discovery
And where applicable, Wordpress and Microsoft 365.
But while performing vulnerability assessments allows you to know where to take your most urgent actions to mitigate the risk of cyber threats, one might argue that these measures take place after code is written, so an understanding is emerging that it is necessary to be proactive when writing secure code. According to Secure Code Warrior and Evans Data Corp, over half of respondents to a research study reported that “they associate secure coding with the active and ongoing practice of writing software that is protected from vulnerabilities in the first place, and that that is done through ongoing training, education, and awareness of secure coding concepts and common vulnerabilities.” This indicates that a shift is coming to writing more quality, secure code.
Determine who has access to your data and at what permission levels
Another important step in a proactive approach to cyber risk management involves employees—new, current, and particularly former.
- Start by educating new employees with security awareness and compliance training during onboarding.
- Audit each individual and their respective access levels on a regular basis. Make sure each data bucket—public, private, regulated—has unique access credentials and approved parties. Assess access and permission levels regularly. Consider a zero-knowledge password management system to manage your business passwords.
- Weak, stolen, or reused employee passwords are a primary cause of breaches. Put audit protocols in place for deactivating access credentials of former employees.
In Part 2 of this series, we’ll explore reactive strategies—what to do if a cyber incident occurs—and where a proactive and reactive approach intersect.
In the meantime, download our infographic for an easy reference to the top 10 things you can do to protect your data
Shifting from reaction to prevention: The changing face of software security, Secure Code Warrior and Evans Data Corp, August 2020.