NutriCargo Cybersecurity outline:
- 1 – Promote and instill the idea that cybersecurity is everyone’s responsibility
- Objective 1 - Train all employees in basic cybersecurity awareness: Training all employees in the importance of cybersecurity is paramount. One objective of Seguridad 2020, the company’s cybersecurity plan, is to foster the idea that cybersecurity is everyone’s responsibility, from the CEO down.
- Objective 2 – Reward employees for being vigilant: Promoting a culture of “if you see something, say something” allows an organization to detect potential threats earlier. Instilling a culture of open communication, and rewarding employees who notice and report when something is not right, reinforces that habit.
- 2 – Improve cybersecurity management
- Objective 1 - Create a cybersecurity council: Since one of the goals is to promote a culture of “cybersecurity is everyone’s business”, a cybersecurity council would benefit the organization. A representative from each department could be elected to share not only opinions but also concerns about data privacy and other cybersecurity issues.
- Objective 2 - Develop a cybersecurity bulletin: Education and awareness are paramount in the fight against cyberthreats. A monthly bulletin keeps the organization informed of current and emerging threats.
- 3 – Introduce, improve and provide cybersecurity tools
- Objective 1 - Introduce Hardware Authentication Devices: Brute-force attacks and weak passwords are just two examples of weak spots for any organization. In addition, IT managers spend countless hours resetting passwords for individual employees. By introducing hardware 2FA keys, such as YubiKeys, the company can not only save that time but also strengthen authentication throughout the organization.
- Objective 2 - Improve Remote Workers’ Tools: As remote work becomes more and more common, the organization must improve how it allows workers to connect to the network without compromising speed and efficiency. Ways to do this include introducing a strong VPN tunnel, permitting only company-owned devices to connect, and ensuring those devices can be wiped remotely if lost or stolen.
- 4 – Establish a schedule of regular analytics and metrics
- Objective 1 - Conduct an annual security risk assessment: As threats change daily, it is important for the company to regularly assess the risks it may face. In addition, the assessment may reveal the need for new policies or tools to mitigate cybersecurity incidents.
- Objective 2 - Conduct an annual 3rd party vendor assessment: More and more, the company relies on 3rd party vendors to ensure its employees are using the best tools available. Currently, the company uses LastPass (a password manager), Google Apps, RingCentral and Backupify. All these vendors, while major players, should be assessed every year. Their data privacy terms, terms of agreement and other fine print should be understood by senior-level managers. After all, should a cybersecurity event occur, the company remains responsible even if the fault lies with a 3rd party vendor.
Three metrics the company will use to measure progress against its goals and objectives are:
- A report of all devices on the network. With the ever-growing number of employee-owned devices, smart devices and Internet of Things (IoT) devices, it is crucial that the company take stock of every device connected to the network and flag any that are not in its asset inventory.
- Employee cybersecurity performance grade. In line with the “cybersecurity is everyone’s business” culture, reporting on employee understanding of cybersecurity policies and responsibilities is a very useful metric.
- Vendor list and assessment. In the food industry, new ingredient suppliers must be validated through a supplier assessment form each year. The same type of reporting would be useful when applied to the organization’s technology 3rd party vendors, such as backup, data processing and IT vendors.
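One way to produce the first metric, the device report, is to reconcile what is actually on the network against the approved asset inventory. The script below is an added example, not part of the NutriCargo plan or any of its vendors’ tooling. It assumes (hypothetically) that the DHCP server writes dnsmasq-style lease lines (`<expiry-epoch> <mac> <ip> <hostname> <client-id>`) and that the asset inventory is a CSV keyed by MAC address; both inputs are constructed sample data embedded inline.

```python
"""Added example: reconcile observed network devices against an asset inventory.

Assumptions (hypothetical, not from the plan): DHCP leases are in dnsmasq
format and the approved asset inventory is a CSV with a 'mac' column.
Both inputs below are constructed sample data.
"""
import csv
import io
from collections import Counter

# Constructed sample: dnsmasq-style DHCP lease file. Fields are
# expiry-epoch, MAC, IP, hostname ('*' if unknown), client-id ('*' if none).
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.10 ceo-laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.1.11 hr-desktop 01:aa:bb:cc:00:00:02
1700000000 DE:AD:BE:EF:00:03 10.0.1.50 * *
1700000000 aa:bb:cc:00:00:04 10.0.2.20 warehouse-scanner 01:aa:bb:cc:00:00:04
1700000000 00:11:22:33:44:55 10.0.2.77 smart-tv *
"""

# Constructed sample: approved asset inventory (company-owned devices only).
ASSET_INVENTORY = """\
mac,hostname,department,owner_type
aa:bb:cc:00:00:01,ceo-laptop,executive,company
aa:bb:cc:00:00:02,hr-desktop,hr,company
aa:bb:cc:00:00:04,warehouse-scanner,operations,company
aa:bb:cc:00:00:09,finance-laptop,finance,company
"""


def parse_leases(text):
    """Return {mac: {'ip': ..., 'hostname': ...}} from dnsmasq lease lines.

    MACs are normalised to lower case so that inventory lookups are
    case-insensitive; malformed lines are skipped rather than crashing the report.
    """
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        devices[mac.lower()] = {
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
        }
    return devices


def parse_inventory(text):
    """Return {mac: row} from the asset inventory CSV."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["mac"].strip().lower(): row for row in reader}


def reconcile(leases, inventory):
    """Compare observed devices with approved ones and compute the metric.

    'unknown' devices are on the network but not in the inventory (the ones
    worth investigating); 'missing' are approved assets not currently seen;
    'coverage' is the share of observed devices that are approved.
    """
    seen, approved = set(leases), set(inventory)
    known = sorted(seen & approved)
    unknown = sorted(seen - approved)
    missing = sorted(approved - seen)
    coverage = len(known) / len(seen) if seen else 1.0
    by_department = Counter(inventory[m]["department"] for m in known)
    return {
        "known": known,
        "unknown": unknown,
        "missing": missing,
        "coverage": coverage,
        "by_department": dict(by_department),
    }


def device_report(leases_text=DHCP_LEASES, inventory_text=ASSET_INVENTORY):
    """Run the full pipeline on the embedded sample data (or supplied inputs)."""
    return reconcile(parse_leases(leases_text), parse_inventory(inventory_text))


if __name__ == "__main__":
    report = device_report()
    leases = parse_leases(DHCP_LEASES)
    print(f"Inventory coverage: {report['coverage']:.0%}")
    for mac in report["unknown"]:
        d = leases[mac]
        print(f"UNKNOWN device {mac} at {d['ip']} ({d['hostname'] or 'no hostname'})")
    for mac in report["missing"]:
        print(f"Approved asset not seen on network: {mac}")
```

Run month to month, the coverage figure and the count of unknown devices give a trend the council can review, and the per-department breakdown shows where the inventory is being kept current.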
Cybersecurity governance is the cornerstone of any risk mitigation plan. Through consistent enforcement, an organization can focus on the business of its business, with the peace of mind that it is doing what needs to be done to ensure its internal and external technologies and data are protected.
The organization has one individual who oversees and promotes cybersecurity throughout the organization.