Conduct a GAP analysis. Revisit the standards established in your framework and analyze how the firm is meeting, exceeding, or failing against these benchmarks. The GAP analysis should document the firm’s current state via free self-assessment resources or a third party, if the budget allows for it. The analysis should identify the firm’s ideal future state and IT goals based on the established security framework. Periodically, gaps between the firm’s current state and goals should be reviewed and remedies should be prioritized. 2. Start with quick wins. Address the low-hanging fruit and plan for more involved projects and programs. Focus on security solutions that will have the biggest bang for your buck. There are many no- or low-cost solutions that can have a major impact on cybersecurity. 3. Develop a roadmap for constant improvement. Build an annual roadmap outlining initiatives for the year based on perceived risks. Revisit your roadmap annually, adjusting your plan as needed. OPERATIONALIZE SECURITYWITH LIMITED RESOURCES. SMBs can rely on various resources to enact these initiatives in their cybersecurity roadmaps without endless coffers of cash. Managed cybersecurity services offer a variety of security tools and services that scale based on the number of end users/computers in question versus larger, upfront CAPEX expenditures traditionally associated with building a security capability. Additionally, there are many free resources available. As technologies advance and change, it’s critical for businesses to remain vigilant yet flexible. Reducing cyber risks doesn’t have to rely on grandiose IT budgets. An actionable cybersecurity strategy can be established without significant financial investment, and with measurable results and rewards. SMBs can confidently step into 2022 with a solid plan in place to reduce cyber risks this year and well beyond. Brian Nordmann joined Dudek in 2017 and serves as chief information officer. He leverages more than 20 years of experience in information technology and has held various technology leadership roles throughout his career, including roles in environmental services, defense, transportation, and finance industries. Connect with him on LinkedIn .
BRIAN NORDMANN, from page 3
CASE STUDY: DUDEK. When I joined Dudek in 2017, the growing environmental and engineering consulting firm lacked a formal security program. Staff, often at the forefront of cyberattacks, had no security awareness training. The firm relied on a “last generation” antivirus software and an out-of- the-box Office365 email security configuration. Multi-factor authentication was not being used, there were no standards for patching, and the firm lacked visibility into vulnerabilities with unsupported server and desktop software and hardware in use. Under this setup, Dudek was left susceptible to cyberattack. I sought to remedy Dudek’s cyber vulnerabilities by establishing a continually evolving and improving security program and framework. An audit revealed a primary threat of account/email compromise; this and other top risks were methodically addressed. With support from all levels of the firm, annual cyber maturity scores dramatically increased through the introduction of technical, physical, and administrative controls. SETTING UP FOR CYBERSECURITY SUCCESS IN 2022 AND BEYOND. Small and medium-sized businesses need not have Fortune 500-sized IT budgets to protect their data and keep it out of the hands of hackers. In the very wise words of Benjamin Franklin, “By failing to prepare, you are preparing to fail.” SMBs are encouraged to reduce cyber risks in the workplace by Adopt a security framework. Pick a framework to benchmark against – based on industry compliance requirements or, if not required, something like CIS, NIST, or CMMC. Create an information security program document. Develop a living document that keeps track of where you are currently and that matures over time. There are a multitude of templates available on the internet. A template will provide a starting point for the security program document which can be modified to fit your organization’s needs. Describe your firm’s approach to risk management, and clearly outline roles and responsibilities, security policies, and controls. employing the following steps: 1. Perform a GAP analysis:
FREE RESOURCES: ■ ■ FRSecure.com: cheat sheets, checklists, playbooks, policy templates ■ ■ CISA.gov: cybersecurity assessments ■ ■ MS Funds: Microsoft and many
NO/LOW-COST SOLUTIONS TO MOVE THE NEEDLE: ■ ■ Patch now! ■ ■ 2FA/MFA ■ ■ Security baseline policies ■ ■ Document what you do when faced
■ ■ Security awareness program/ training ■ ■ Leveraging what you own with Microsoft ■ ■ Pen tests and vulnerability assessments identify risk to infrastructure such as
with security situations – include an incident response plan in your security program document
other vendors offer assessments for working with their cybersecurity partners.
misconfigured BPN/firewalls, cloud services, or web apps
© Copyright 2022. Zweig Group. All rights reserved.
THE ZWEIG LETTER MAY 2, 2022, ISSUE 1439
Made with FlippingBook Annual report