April 2020

Practice makes perfect: three essential cybersecurity preparedness activities


At the time that Wilbur and Orville Wright made their now famous first flight, others around the world were spending considerably more time and money trying to solve the challenge of human flight. What enabled the Wright brothers to succeed where so many others with greater resources had failed?

The answer to this question lies in the time they spent each summer on the sand dunes of the North Carolina beaches. They were there not only to perfect their airplane design but also to use their large gliders to learn how to fly. By the time the Wright brothers attached a motor and propeller to their aircraft, they already knew how to respond to what the wind and elements would do to their airplane.

Each of our organizations faces a turbulent environment when it comes to data and system security. We need to be prepared for whatever the cyber world throws at us. Like the Wright brothers, we need meaningful, real-world practice if our reactions or responses to threats are to be successful.

Here are three essential activities every organization should be practicing in preparation for the inevitable cyber-attack.

1. Tabletop Exercises

If your organization fell victim to a cyberattack, would your employees know what to do? The worst time to think about how to handle a cyberattack is while it is happening. To prepare for an attack, an organization should have an incident response plan. However, just having a plan isn't enough. Organizations should also conduct tabletop exercises that walk through the steps they would take during a cyberattack. By discussing scenarios in advance, an organization can identify gaps in its response plan and make adjustments.

In a recent survey, 59% of organizations surveyed stated they have never proactively tested their incident response plan. Conducting regular tabletop exercises can help uncover issues before they happen for real, validate the effectiveness of incident response plans, evaluate the need for external support resources and enhance awareness and readiness.

2. Email Phishing Campaigns

The greatest threat to the security of your data is the people who are given access to your systems. All a hacker needs is for one user to open an email and click on a link or open an attachment. Everyone within your organization needs to recognize that they play a critical role in protecting your data and systems. They need to realize that they are being targeted by hackers through phishing emails – messages that look legitimate but are malicious in nature.

One of the easiest ways to give users some hands-on experience is to run regular simulated phishing campaigns against all users. A recent study showed that regular testing is crucial to reducing the number of phishing emails that users fail to identify and instead click on to open links or attachments. The study showed that organizations reduced their average click rate on phishing emails from 27% to just over 2% within a year of conducting regular simulated phishing tests on all users. Just imagine how this could benefit your organization!

3. Vulnerability Scans

Whether a hacker is outside of your network trying to find a way in or is already inside your network trying to find data to steal, they are looking for vulnerabilities. Some examples? An application that hasn't had the latest security updates from the vendor installed, a misconfigured server that leaves the system open to attack, a website that wasn't designed or coded correctly. Any of these vulnerabilities could be exploited by a hacker to compromise your systems and data.

You have great IT staff, and you trust their ability to keep your systems and network running optimally and securely. However, every great leader knows there must be checks and balances in all areas. Cybersecurity is no different. Run vulnerability scans. These scans identify known vulnerabilities in your systems and network that a hacker could exploit, and they enable you to find and fix those vulnerabilities before a hacker finds them.

By regularly conducting these three activities, your organization will be better prepared to face the challenges from cyber threats. They will give you confidence that your organization is ready to not only prevent attacks, but also effectively respond when an attack does break through your defenses.

Anders Erickson, CISA, CISSP, CRISC is Principal-in-Charge of Cybersecurity for Eide Bailly LLP. He assists clients in establishing a culture of security within their organization. Erickson leads organizations through the process of identifying their cybersecurity risks and brings practical solutions to help manage and mitigate those risks.
