NutriCargo Cybersecurity outline:
- 1: Promote and instill the idea that cybersecurity is everyone’s responsibility
- Objective 1 - Train all employees in basic cybersecurity awareness: Training all employees in the importance of cybersecurity is paramount. One objective of Seguridad 2020, the company’s cybersecurity plan, is to foster the idea that cybersecurity is everyone’s responsibility, from the CEO down.
- Objective 2 – Reward employees for being vigilant: Promoting a culture of “if you see something, say something” allows an organization to detect potential threats earlier. This is done by instilling a culture of open communication and by rewarding those who notice, and report, when something is not right.
- 2 – Improve cybersecurity management
- Create a cybersecurity council: As one of the goals is to promote a culture of “cybersecurity is everyone’s business”, a cybersecurity council would be beneficial to the organization. A representative from each department could be elected to share both opinions and concerns as they pertain to data privacy and other cybersecurity issues.
- Develop a cybersecurity bulletin: Education and awareness are paramount in the fight against cyberthreats. By creating a monthly bulletin, the organization can be kept informed about current and emerging threats.
- 3 – Introduce, improve and provide cybersecurity tools
- Objective 1 - Introduce Hardware Authentication Device: Brute-force attacks and weak passwords are just two examples of weak spots for any organization. In addition, IT managers spend countless hours resetting passwords for individual employees. By introducing 2FA hardware keys, such as YubiKeys, the company can not only save that time but also reduce the risk that a guessed or stolen password alone is enough to take over an account.
- Objective 2 - Improve Remote Workers’ Tools: As remote working is becoming more and more common, the organization must improve how it allows workers to connect to the network without compromising speed and efficiency. Some ways to do this might be to introduce a strong VPN tunnel, allow only company-owned devices to connect, and ensure those devices can be wiped remotely if lost or stolen.
- 4 – Establish a schedule of regular analytics and metrics
- Objective 1 - Conduct an annual security risk assessment: As threats change daily, it is important for the company to regularly assess what risks it may face. In addition, the assessment may show that the company needs new policies or tools in order to mitigate a cybersecurity incident.
- Objective 2 - Conduct an annual 3rd party vendor assessment: More and more, the company is using 3rd party vendors to ensure its employees are using the best tools available. Currently, the company uses LastPass (a password manager), Google Apps, RingCentral and Backupify. All these vendors, while major players, should be assessed every year. Their data privacy terms, terms of agreement and other fine print should be understood by senior-level managers. After all, should a cybersecurity event occur, the company would still be responsible regardless of whether the fault lay with a 3rd party vendor.
Three metrics that the company will use to analyze the achievements of its goals/objectives are:
- A report of all devices on the network. With the ever-growing number of employee-owned devices, smart devices and Internet of Things (IoT) devices, it is crucial that the company take stock of the devices connected to the network.
- Employee cybersecurity performance grade. In line with the “cybersecurity is everyone’s business” culture, reporting on employee understanding of cybersecurity policies and responsibilities is a very useful metric.
- Vendor list and assessment. In the food industry, new ingredient suppliers must first be validated through a supplier assessment form, yearly. This type of reporting would be useful when applied to the organization’s technology 3rd party vendors such as backup, data processing, and IT vendors.
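As an added example of how the first metric above (a report of all devices on the network) could be produced, the following script is not part of the NutriCargo plan; it parses constructed dnsmasq-style DHCP lease lines, compares each MAC address against a constructed approved-asset list, and reports devices that are unknown, known, or approved but not currently seen. The lease format, the MAC addresses and the asset list are all made up for illustration.

```python
"""Network device inventory report (constructed example, not company data).

Reads DHCP lease lines, normalises MAC addresses, and diffs them against an
approved-asset list so the monthly report can flag devices nobody signed off on.
"""
import re
from dataclasses import dataclass

# Constructed sample in dnsmasq lease-file layout:
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.10.21 fileserver *
1700000000 aa:bb:cc:00:00:02 192.168.10.55 acct-laptop-1 01:aa:bb:cc:00:00:02
1700000000 de:ad:be:ef:00:03 192.168.10.77 smart-tv *
1700000000 AA:BB:CC:00:00:04 192.168.10.90 * *
this line is garbage and must not crash the report
"""

# Constructed approved-asset list (hypothetical): MAC -> description.
APPROVED_ASSETS = {
    "aa:bb:cc:00:00:01": "local file server",
    "aa:bb:cc:00:00:02": "accounting laptop (company-owned)",
    "AA:BB:CC:00:00:04": "warehouse printer",
    "aa:bb:cc:00:00:05": "door entry controller",
}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Return a Device for every well-formed lease line; skip malformed lines."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LEASE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole report
        _expiry, mac, ip, hostname, _client_id = m.groups()
        devices.append(Device(mac.lower(), ip, "" if hostname == "*" else hostname))
    return devices


def inventory_report(devices, approved):
    """Split seen devices into known/unknown and list approved assets not seen."""
    approved_norm = {mac.lower(): desc for mac, desc in approved.items()}
    known = [d for d in devices if d.mac in approved_norm]
    unknown = [d for d in devices if d.mac not in approved_norm]
    seen = {d.mac for d in devices}
    missing = sorted(mac for mac in approved_norm if mac not in seen)
    return {"known": known, "unknown": unknown, "missing": missing}


def format_report(report):
    """Render the report as plain text lines suitable for the monthly bulletin."""
    lines = [f"Known devices on network: {len(report['known'])}"]
    for d in report["unknown"]:
        lines.append(f"UNKNOWN device: {d.mac} {d.ip} {d.hostname or '(no hostname)'}")
    for mac in report["missing"]:
        lines.append(f"Approved asset not seen: {mac}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(inventory_report(parse_leases(SAMPLE_LEASES), APPROVED_ASSETS)))
```

Two caveats a practitioner would add to the report: a DHCP lease file only shows devices that asked for an address, so statically configured hosts need an ARP or switch-table export as a second source, and MAC addresses are trivially spoofed, so this is an inventory-hygiene metric, not an access control.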
The company’s information infrastructure consists of the following:
- Local file server: The file server hosts the organization’s accounting system, accounting database backups and the company’s door entry program. It is on the premises in a server room. Backups of the data are conducted locally via a scheduled backup and remotely to an Amazon S3 bucket.
- Google For Work: The organization uses Google For Work for its file storage, email and internal communication (chat). Additionally, the organization uses a third-party service to back-up user data.
- Telecom: The organization uses an IP Phone company (RingCentral). Therefore, the PBX is not hosted on site but is virtual.
- Internet: The organization subscribes to business internet through Verizon.
- Website: The company’s website serves a dual purpose. It has a customer-facing front end and a back end used internally by employees. Employees enter new orders, update the status of current orders and manage all customer records from the back end. The website is currently protected by a web application firewall (WAF) and by IP restrictions.
Cybersecurity governance is the cornerstone of any risk mitigation plan. Through consistent enforcement, an organization can focus on the business of its business, gaining peace of mind that it is doing what needs to be done to ensure that its internal and external technologies and data are protected.
All cybersecurity matters are headed by the vice president of the organization. This includes but is not limited to: Training, enforcement and reporting.
The organization has some policies already in place to ensure cybersecurity. These policies include:
- Internet & Intranet use policy – This policy details what constitutes acceptable use of the company internet and intranet. The policy outlines the consequences should a violation occur.
- E-mail and IM (instant message) policy – This policy covers communication both internally and externally. It covers the acceptable use and consequences should the policy be violated.
- Mobile devices policy – This policy outlines the acceptable use of company-owned devices including laptops and mobile phones. It also addresses employee privacy, as these devices can be tracked by admins (using GPS, for example) in the event a device is lost. The policy also covers the responsibility the user has for keeping these items secure, given how much private company data they may contain.
The organization has one individual who oversees and promotes cybersecurity throughout the organization.
- A review of all existing technology policies. A review of policies is important, as is ensuring that these policies also outline the consequences should they be violated. In addition, these policies should include how employees can report any suspected violation of the policies.
- Review all third-party agreements, such as those with the company cloud backup provider, web host, web application firewall provider, VoIP provider, and e-mail/cloud file system provider. It is important to know how company data and communication are being stored and transmitted. Regardless of the third-party SLA, the company is still responsible to its individual clients for ensuring their data is secure.
- Create or acquire basic training materials for all employees. In addition, reward employees for being knowledgeable in basic cybersecurity. Awareness in basic cybersecurity can be for example, knowing what to do when a link or attachment seems malicious.
- The other top-level executive must be more involved in the cybersecurity governance of the company. Ways that this executive might be more involved include budgeting and resource allocation. In addition, this executive could be made more aware of the responsibility the company has when it comes to any data breach. Per the module video, in order to involve any top-level executive, one must speak their language. A security breach can affect the company financially, reputationally and legally. A top-level, non-tech-savvy executive would not want to hear that their bottom line will be affected by a breach. Speaking their language and communicating how a cybersecurity incident can negatively affect the business is key to achieving an understanding of how important a plan is.
CEOs: Online training via Harvard Cybersecurity: Managing Risk in the Information Age.
Users: For the rest of the organization, the users, it is important to ensure that all policies are understood and that basic cybersecurity principles are known and, if possible, completely understood. Some users are not technologically savvy, and therefore a training program for those users must be easy to understand. The U.S. Small Business Administration (SBA) has a comprehensive cybersecurity training course. This course is easy to understand and uses videos to communicate basic cybersecurity principles. The course can be found here: https://www.sba.gov/tools/learning-center-view-course/743081