Program Design and Development
This guideline is intended for executives and managers in public and private organizations. It is designed to demystify cybersecurity and to provide a clear, concise and achievable approach to improving an organization’s cybersecurity posture.
Cybersecurity can seem overwhelming to many. When you hear that thousands of new computer viruses are reported each year, it is not hard to imagine the impact a virus or computer compromise can have on our networks and the information contained within those systems. However, if you do not have the knowledge or resources to address these threats, you may feel helpless.
Especially for those with a lack of experience or resources to address the constantly evolving and increasing threats from cyberspace, it is difficult to know what to do or how to get started. Often it is the start that stops most of us.
Cybersecurity is a basic concept. As leaders of your organization, you are responsible for protecting the information in your care. Cybersecurity is a business function, and technology is a tool that can be used to protect information assets more securely. While addressing cybersecurity may seem like a daunting task, it is much more palatable if taken in manageable chunks. Cybersecurity runs the gamut from simple physical security steps (making sure your laptops and other portable media are secured when not in use) to implementing large-scale information technology systems (firewalls, intrusion detection and prevention systems, anti-virus and anti-spyware software).
Solutions can be low in cost and simple to implement, high in cost and complexity, or somewhere in between. The important point is to identify what you are responsible for protecting and to implement a mix of solutions that best meets your business needs. The good news is that there are many resources available to help you establish an efficient, effective and sustainable cybersecurity program. This guide can provide a valuable first step.
Regardless of the size or complexity of an organization, we are all connected to one another and face the same threats. Therefore, all organizations need to be aware of the cyber threats, understand what their vulnerabilities, risks, and consequences are and take appropriate steps.
While implementing good cybersecurity practices sounds daunting, this guide is your first step to a more secure environment. It is not intended to be an all-inclusive and comprehensive approach to cybersecurity. It is more a first – but very important – step in the right direction.
This guide provides real actionable steps your organization can take to enhance cybersecurity.
More information will be forthcoming but for now, let’s get started.
Why is Cyber Security Important?
Some examples of how your computer systems could be affected by a cybersecurity incident, whether caused by inadequate cybersecurity controls, man-made or natural disasters, or malicious users, include the following:
- Your websites could be disabled and unavailable for use by your users.
- The office computers that your employees use could be shut down by a virus.
- A hacker could break into one of your databases and steal the identity of your employees and customers.
- A disgruntled former employee could manipulate or destroy important organizational data.
- A malicious user could use your systems to attack other systems.
These and other cybersecurity incidents could certainly have a negative impact on your organization.
The average unprotected computer connected to the Internet can be compromised in less than a minute. An infected or compromised computer connected to other unprotected computers can easily and quickly pass that infection, or function as a “backdoor” to the others.
Even a computer without an Internet connection can be cause for cybersecurity concern. An unprotected machine may not prevent unauthorized individuals from accessing the information contained within it. It may become infected through infected removable media (a floppy disk, CD, DVD or USB flash drive) brought in from elsewhere. Information stored on it may be permanently lost due to accidental or intentional alteration or deletion. These are just a few examples of threats to information kept on any computer.
Cybersecurity incidents can cripple an organization’s computers. Inadequate cybersecurity measures can lead to the compromise of sensitive information about organizational operations and its customers. An organization has a responsibility to its customers and business partners, both public and private, to safeguard the information with which it is entrusted and to perform its business functions.
What is an Unprotected Computer?
An unprotected computer is one that does not:
- have anti-virus and anti-spyware software installed and regularly updated
- have installed hardware/software (such as a firewall) to manage communications between and among networks
- have an offsite back-up of important files
- require the user to authenticate (using a password) when logging on
- have operating system patches installed and regularly updated
What are the Objectives of a Cybersecurity Program?
As custodians of information, organizations have a responsibility to protect this information. The objectives below provide a starting point for organizations in addressing their cybersecurity needs, and developing their own internal procedures:
- Promote cybersecurity awareness and training (DVDs, videos, public service announcements, etc.);
- Communicate the responsibilities of the organization and of individual users for protecting information;
- Identify threats, vulnerabilities, and consequences and take appropriate action;
- Prepare for the inevitable – disaster recovery. Protect the availability and recoverability of the organization’s information services and missions.
What is a Cybersecurity Incident?
A cybersecurity incident is considered to be any adverse event that threatens the confidentiality, integrity or availability of an entity’s information resources. These events include but are not limited to the following malicious activities:
- attempts (either failed or successful) to gain unauthorized access to a system or its data, or to cause unwanted disruption or denial of service (DoS)
- unauthorized use of a system for the transmission, processing or storage of data
- changes to system hardware, firmware or software characteristics without the organization’s knowledge, instruction or consent
- attempts (either failed or successful) to cause failures that may result in loss of life or a significant impact on the health, mission or economic security of the organization and its customers
What Must be Done?
The most important message to convey is: “Cyber Security is Everyone’s Responsibility.”
With access to computers and information assets, all employees need to understand their responsibilities for protecting the information they handle each day. Contractors must also understand their responsibilities, which should be spelled out in the non-disclosure agreements and contractor conditions in all contracts. Background checks should be conducted for individuals in critical or sensitive cybersecurity, information technology, or management positions.
Cybersecurity is an ongoing task initiated by the development of a security policy.
Implementing a good security policy will establish roles and responsibilities, educate and inform all members of the organization and ensure that procedures follow established practices for a sustainable program.
Every organization should implement the following action items on a regular basis to enhance its cybersecurity readiness and response. This list is not all-inclusive, nor is it organized in any particular order, but it provides a minimum set of action steps to take.
TOP TEN CYBERSECURITY ACTION ITEMS
Designate a Principal Individual Responsible for Cybersecurity
- Designate, in writing, a principal individual who is responsible for cybersecurity in order to ensure that proper policies and procedures are in place. This may be a part-time or full-time assignment depending on the scope and complexity of the organization’s operations.
- Identify this individual’s roles and responsibilities.
- Develop a cybersecurity plan.
- Ensure a hardware and software asset inventory is maintained.
- Determine which information assets require protection and put procedures in place to protect them.
- Develop procedures for responding to cybersecurity incidents.
- Develop backup plans so that critical business functions can continue.
- Implement a cybersecurity awareness and training program.
- Establish communication procedures so that everyone knows what, how and to whom to report a cybersecurity incident or problem.
- Be aware of regulations regarding the protection of information.
Know How to Recognize That You Might Have a Problem
A computer may have been compromised if it is:
- slow or non-responsive
- experiencing unexpected behavior such as programs popping up
- showing a high level of hard-drive activity that is not the result of anything you initiated
- displaying messages on the screen that you haven’t seen before
- running out of disk space unexpectedly
- unable to run a program because you don’t have enough memory – and this hasn’t happened before
- constantly crashing
- rejecting a valid and correctly entered password
Your organization may be experiencing a cybersecurity incident if it is:
- finding its outgoing email refused (bounced back)
- no longer receiving any email, or no longer seeing any visitors to its website
- receiving complaints from the users that their passwords don’t work anymore
- getting complaints from the users that the network has a slow response time
Understand How to Deal with Problems
- Determine whether you have a cybersecurity problem.
- Take infected or compromised equipment out of service as soon as practical to prevent further harm.
- Notify management and other users as appropriate based on your organization’s cybersecurity policy.
- Consider notifying your partners with whom you connect.
- Contact your local law enforcement if you suspect a crime has been committed.
Identify the types of information that you would want to gather during a cybersecurity incident:
- Organization name
- Point of contact name
- Characteristics of the incident
- Date and time the incident was detected
- Scope of impact:
  - how widespread it is
  - number of users impacted
  - number of machines infected
- Nature of the incident:
  - denial of service
  - malicious code
  - unauthorized access
- Fix the problem and restore the compromised equipment to service.
- Reassess your security policy and practices to determine what lessons can be learned from the cybersecurity incident to help you strengthen your security practices.
Physically Protecting Equipment
- Computer equipment must be physically protected from security threats and environmental hazards.
- If traveling with a laptop, never check it in at the airport; keep it with you at all times or in a secure location.
- Use a surge protector that covers both the power and the telephone (modem) connections.
- Access to devices may need to be controlled based upon job function.
Protect Essential Hardware/Software
- Install, configure and use a firewall.
- Set your computer to check for and install updates automatically, so that the latest security patches are applied without relying on someone remembering to do it.
- Install spyware and virus protection software and regularly update. (A firewall does not substitute for anti-virus software.)
- Each user must have a unique login (user id) and password to provide accountability and limit access to appropriate functions.
- Establish good passwords: at a minimum, a combination of eight letters and numbers; avoid dictionary words, and especially family names or other words that can be readily associated with you. Longer is stronger: a passphrase of several unrelated words is harder to guess than a short string of characters and easier to remember.
- If a computer is located where unauthorized staff or public have access, make sure the screen is not in view.
- “Lock” computers when they are unattended so that, upon the user’s return, they are prompted to enter their user id and password. (On Windows, press Ctrl+Alt+Delete and choose Lock, or press the Windows key + L; also set computers to lock automatically after a short period of inactivity.)
- Don’t set the option that allows a computer to remember any passwords.
- Implement an employee departure checklist to ensure that accounts are disabled and equipment is returned (laptops, cell phones, PDAs, etc.). This applies not only to employees who have left the organization but also to those who have changed departments or job function within the organization and therefore need different access to certain accounts and systems.
- Back up information regularly. What should you back up? That depends on your information and the consequences of losing it. Store the backup media offsite, and periodically test that the information can actually be restored from the backups; a backup that has never been restored is not known to work. Information that is not backed up can be lost, so back up often enough that the amount of work lost between backups is acceptable to the business.
- Install operating system and application software patches regularly.
- Handle email and instant messaging with care.
- Don’t click on links in email; type the URL into the browser address bar yourself. The text you see in a link is not necessarily where the link goes.
- Don’t open attachments that you didn’t expect to receive.
- Delete email that directs you to a website where you are prompted to fill in personal information.
- Delete hoax and chain letter email.
- Pay close attention to small portable devices such as disks, CDs, flash drives, thumb drives, PDAs. They can carry a lot of information, so be sure they do not get lost or misplaced.
- Be careful of Internet sites visited. Some sites may do the following:
- redirect you to other sites that you did not intend to visit
- request personal information that will be later used in identity theft
- be sources of malicious activity
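The backup item above says to test that backups can be restored. The following script, an added example that is not part of the original guideline, shows what such a test looks like in practice: it archives a directory, records the archive's SHA-256 digest, restores the archive into a scratch directory and compares every file, and then repeats the check after simulating damage to the backup medium. The directory layout and file contents are constructed for the example; the functions `make_backup` and `verify_restore` are this example's own names, not a tool the guideline describes.

```python
"""Back up a directory to a compressed archive and prove it can be restored.

Added example, not part of the original guideline. It assumes the data to
protect is an ordinary directory tree; the sample files are constructed
inline so the script runs offline.
"""
import hashlib
import os
import tarfile
import tempfile


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = _sha256_file(full)
    return hashes


def make_backup(src_dir: str, archive_path: str) -> str:
    """Archive src_dir into archive_path; return the archive's SHA-256.

    Record this digest with the backup media (and off-site) so a later
    restore test can tell a corrupted or tampered archive from a good one.
    """
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return _sha256_file(archive_path)


def verify_restore(archive_path: str, expected_digest: str,
                   expected_hashes: dict) -> bool:
    """Restore the archive into a scratch directory and compare every file.

    True only if the archive digest matches and the restored tree contains
    exactly the expected files with byte-identical contents.
    """
    if _sha256_file(archive_path) != expected_digest:
        return False  # media damaged or archive altered since backup
    with tempfile.TemporaryDirectory() as restore_dir:
        dest = os.path.realpath(restore_dir)
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse archive entries that would escape the restore directory.
                target = os.path.realpath(os.path.join(dest, member.name))
                if (os.path.commonpath([dest, target]) != dest
                        or member.issym() or member.islnk()):
                    raise ValueError(f"unsafe archive entry: {member.name}")
            tar.extractall(restore_dir)
        return file_hashes(restore_dir) == expected_hashes


def demo() -> tuple:
    """Build a constructed sample tree, back it up, then run the restore test
    against the intact archive and again after one byte of 'media damage'.
    Returns (intact_ok, damaged_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "records")
        os.makedirs(os.path.join(src, "customers"))
        with open(os.path.join(src, "customers", "list.csv"), "w") as f:
            f.write("id,name\n1,Example Customer\n")  # constructed data
        with open(os.path.join(src, "policy.txt"), "w") as f:
            f.write("Cybersecurity is everyone's responsibility.\n")
        archive = os.path.join(work, "records-backup.tar.gz")
        expected = file_hashes(src)
        digest = make_backup(src, archive)
        intact_ok = verify_restore(archive, digest, expected)
        with open(archive, "r+b") as f:  # simulate a damaged backup medium
            f.seek(20)
            byte = f.read(1)
            f.seek(20)
            f.write(bytes([byte[0] ^ 0xFF]))
        damaged_ok = verify_restore(archive, digest, expected)
    return intact_ok, damaged_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The restore test is the point: the digest check catches media that has degraded or an archive someone has altered, and the per-file comparison catches an archive that is intact but incomplete. Run it on a schedule against the real backup media, not only on the day the backup is made.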
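The email advice above (do not click links; type the URL yourself) rests on the fact that the text shown for a link and the address it actually opens are two different things. The following script, an added example that is not part of the original guideline, reads the HTML of a message and reports links whose visible text names one host while the underlying `href` goes to another, as well as links that are not ordinary web or mail addresses at all. The sample message is constructed for this example, and `suspicious_links` is this example's own name, not a tool the guideline mentions.

```python
"""Find links in an HTML email whose visible text disagrees with where they go.

Added example, not part of the original guideline. The message below is
constructed for this example; only the standard library is used so the
check runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a web address: optional scheme, two or
# more dot-separated labels, optional path.
LOOKS_LIKE_URL = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host name of url ('' if none); bare hosts get a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for links that are not http(s)/mailto, or
    whose displayed text names a host different from the real destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        scheme = urlparse(href).scheme.lower()
        if scheme not in ("http", "https", "mailto"):
            findings.append((href, text,
                             f"destination is not a web or mail link ({scheme or 'no scheme'})"))
            continue
        if scheme == "mailto":
            continue
        if LOOKS_LIKE_URL.fullmatch(text):
            shown, real = host_of(text), host_of(href)
            if shown != real:
                findings.append((href, text, f"text shows {shown} but link goes to {real}"))
    return findings


# Constructed sample message: one look-alike link, one honest mail link, one
# honest web link, and one script link hiding behind "Click here".
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://www.mybank.example.com.attacker.test/login">www.mybank.example.com</a>
<p>Or contact <a href="mailto:support@mybank.example.com">support@mybank.example.com</a></p>
<p>Newsletter: <a href="https://news.mybank.example.com/issue/12">https://news.mybank.example.com/issue/12</a></p>
<p><a href="javascript:void(0)">Click here</a> to unsubscribe</p>
"""


def demo() -> list:
    return suspicious_links(SAMPLE_EMAIL)


if __name__ == "__main__":
    for href, text, reason in demo():
        print(f"{text!r} -> {href}: {reason}")
```

The first sample link is the classic case: the text reads `www.mybank.example.com`, but the real host is `www.mybank.example.com.attacker.test`, a different site that merely starts with the bank's name. A check like this is a useful filter, not a substitute for the rule itself: links whose text is just "Click here" cannot be judged from the text at all, which is exactly why the guide says to type the address yourself.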
Implement Training and Awareness Programs
Train everyone (managers, employees, volunteers, interns, and contractors) who uses a computer to practice safe computing and follow the organization’s policy.
Business Manager, End User, and Technical Training modules are publicly available at the following website: http://www.dhses.ny.gov/ocs/awareness-training-events. In addition, free cybersecurity webcasts are conducted every other month by the MS-ISAC.
Develop Internet and Acceptable Use Policy
When the organization’s employees connect to the Internet or send e-mail using the organization’s resources, it should be for purposes authorized by the organization. The following is not an all-inclusive list and provides only examples of behavior that could result in security breaches.
Specifically, the Internet and electronic mail should not be used:
- to represent yourself as someone else (i.e., “spoofing”)
- for spamming
- for unauthorized attempts to break into any computing system whether your organization’s or another organization’s (i.e., cracking or hacking)
- for theft or unauthorized copying of electronic files
- for posting sensitive organization information without authorization from the organization
- for any activity which could create a denial of service attack, such as “chain letters”
- for “sniffing” (i.e., monitoring network traffic) except for those authorized to do so as part of their job responsibilities
Take Steps to Securely Dispose of Storage Media and Equipment
Take steps to properly dispose of storage media and equipment. Hard drives and other discarded computer equipment may still contain saved information even if that information has been “deleted”: deleting a file or reformatting a drive removes the directory entry, not the data itself. Run a secure-erase (overwrite) utility and/or physically destroy the hard drive to ensure it is clear. For solid-state drives, use the drive’s built-in secure-erase command rather than an overwrite utility, since overwriting cannot reach every flash cell; if in doubt, destroy the drive.
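To make the “deleted is not gone” point concrete, here is an added example (not part of the original guideline) of the file-level form of the overwrite approach: it overwrites a file in place, forces the writes to disk, reads the file back to confirm the original contents are no longer there, and only then removes it. The “payroll” file and its marker string are constructed for the example, and `overwrite_file` and `secure_delete` are this example's own names. It assumes a magnetic hard drive and a filesystem that rewrites blocks in place; on solid-state drives and on journaling or copy-on-write filesystems the old copies may survive an overwrite, which is why whole-drive disposal should use the drive's own secure-erase command (for example ATA Secure Erase via `hdparm`, or NVMe sanitize) or physical destruction.

```python
"""Overwrite a file before deleting it, then confirm the original contents are gone.

Added example, not part of the original guideline. Assumes a magnetic disk and
a filesystem that rewrites blocks in place; see the lead-in for where this does
not hold. The sample file and its marker string are constructed here.
"""
import os
import tempfile


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite path in place `passes` times with random bytes and once with
    zeros, forcing each pass to disk. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    return size


def secure_delete(path: str) -> int:
    """Overwrite the file's contents, then remove it; returns bytes overwritten."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def demo() -> tuple:
    """Write a constructed 'payroll' file containing a marker string, wipe it,
    and report (marker_gone, bytes_wiped, still_exists)."""
    marker = b"employee payroll record 000-00-0000\n"  # constructed sample secret
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.txt")
        with open(path, "wb") as f:
            f.write(marker * 200)
        size = overwrite_file(path)
        with open(path, "rb") as f:  # read back before removal to check the wipe
            remaining = f.read()
        marker_gone = marker not in remaining and remaining == b"\x00" * size
        os.remove(path)
        # A second file goes through the complete overwrite-then-remove routine.
        path2 = os.path.join(d, "notes.txt")
        with open(path2, "wb") as f:
            f.write(marker)
        secure_delete(path2)
        still_exists = os.path.exists(path2)
    return marker_gone, size, still_exists


if __name__ == "__main__":
    print(demo())  # (True, 7200, False)
```

A plain delete, or emptying the Recycle Bin, would have left every byte of the marker on disk until the blocks happened to be reused, which is what a recovery utility relies on. For a drive that is leaving the organization, apply the same idea to the whole device with a tool such as `shred` or the drive's secure-erase command, and keep a record of which serial numbers were wiped or destroyed.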