Cybersecurity Order of Operations (9 steps to security maturity)

Updated: Nov 16

It can be difficult to know where to begin when it comes to getting your cyber security house in order. There's a lot to juggle beyond budgets. The goal of this article is to give decision-makers a clear order of operations to take your technology environment from less secure to secure.


The following steps toward cyber security maturity are listed in order of importance. This is intended to be used as a guide and cannot replace the guidance of an IT professional. Visit our Cybersecurity page for more info on Kosh Solutions' services: Cybersecurity Services

 

Related articles:

 

Step 1: Annual review of your security plan

The main thrust of this step is to document your cybersecurity. Writing down a complete picture of your current security setup will help show you where you are and where you need to put some more thought/resources.


Here are a few components that are required to mark this off your list. We recommend the following:

  • Have a security risk assessment performed by an IT professional. Kosh offers a professional cybersecurity assessment - learn more about our assessment.

  • Appoint a security officer.

  • Write down your security policies. Most cybersecurity vendors have boilerplate policies that you can edit to suit your organization. Some areas the policies might cover are:

  • Security Management Policy: a requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Security Officer Policy: A single individual must be designated as having overall responsibility for the security of an organization's data.

  • Evaluation: Organizations must perform periodic technical and non-technical evaluations that determine the extent to which an organization's security policies, procedures, and processes meet ongoing requirements.

  • Technical - Audit Controls

  • Have a documented incident response plan. Write down the steps you would take in the event of a breach.

  • Obtain adequate cyber insurance. Learn more about cyber insurance with these articles:

  • Do I Need Cyber Insurance?

  • What do I need to obtain cyber insurance?

  • Role-based controls to restrict access to sensitive information.

This is a huge step toward strengthening your cyber security posture! Depending on the size and complexity of your organization, this could be a concise 2-to-10-page document or could run much longer.

Kosh has a free cybersecurity checklist that can help with this process. Click to fill out the form below to get the PDF checklist emailed to you.



Step 2: All software and hardware are supported, patched, and up to date

It's trickier than it sounds to keep all your software and hardware under warranty, with support contracts, patched, and up to date. When you have a few servers, dozens of workstations, and at least a handful of line of business applications, managing all those licenses can get complicated. Furthermore, you probably have firewalls, access points, and switches to stay on top of.


Sometimes the hardware device is "end-of-life" and needs to be replaced altogether. Other times you just need to deploy a patch or update the firmware. Having a process to audit and ensure all your devices and software are good to go is essential to not only your security posture but also your overall technology efficiency. Trying to work from old unsupported hardware and software will inevitably break down and lead to extensive downtime.


For large organizations, we recommend either using software to track these things or outsourcing this task to your IT service provider. It's possible to track everything on a spreadsheet, but there must be processes that adjust the data. Meaning, if you retire a firewall and install a new one, everything needs to be documented so you know exactly what's in place. A simple spreadsheet might look like this:

Software

Account #

Purchase Date

Renewal Date

Adobe Cloud

XJ456-L9

Jan 6th 2022

Jan 5th 2023

Hardware

Serial #

Purchase Date

Licensing or support #

Renewal date for license/ support

End-of-life date

Notes

Fortigate 100-F

56418234899

Feb 9th 2018

IG-900876

Feb 8th 2022

Dec 31st 2027

Maintaining all this is a very daunting task! Your managed IT service provider can help with this, however, it's the responsibility of the entity that owns the equipment to maintain this list and keep it up to date.


Some IT service providers have a rental model that keeps the rented equipment under warranty and up to date for you. Kosh offers a line of rental options in our Hardware as a Service products.


Step 3: Use complex passwords or passphrases

This step is typically a "low-hanging fruit" because it doesn't cost all that much to get this in place. Most companies already have the correct Microsoft licensing to enforce password rules. This is an absolute must because most people reuse passwords and make passwords too simple. Having a solution that controls passwords company-wide is a big step toward a more secure environment.


Here are a few characteristics of complex passwords:

  • Eight characters or more. The longer the password, the stronger it will be.

  • A mix of uppercase and lowercase letters.

  • A mix of letters and numbers.

  • At least one special character, such as ! * $ # ? @.

An even better solution is to use passphrases. Passphrases are longer, more complex, and easier to remember. Here's an example of a passphrase:

My favorite dog Bob died last April 1st I miss him!



Step 4: Multi-factor Authentication (MFA)

Implementing MFA is the next layer on top of solid passwords. MFA may be annoying at times, but MFA can be rolled out in a nuanced way if your tech architecture is set up for it. For example, you can configure MFA to be requested when users are not at the office. Or you can configure certain computers to not require MFA due to the use of that computer such as a shared kiosk where many employees are using the same workstation throughout the day.


Properly enforcing MFA throughout your tech stack will go a very long way to keeping you secure. On top of the security it provides, MFA is not too difficult to deploy nor too costly. Once again, if you're on the right Microsoft licenses with the right architecture, then you can set this up relatively quickly without many issues.


Step 5: User Training

This is arguably the most important step in your cyber security journey because it is where most cyber criminals gain access to your network. As I'm sure you've heard, human error is the number one way cyberattacks get through other defenses. Yes, it's primarily those nasty phishing emails that still get your staff to click and unleash malware. One of the best ways to reduce the risk here is to provide continuous and up-to-date training for employees. There're many companies that provide this type of ongoing training. We recommend a company like Breach Secure Now that provides more than just nice videos. Employees must be encouraged to actually do the training. Gamification and tracking help drive engagement, but leadership also must hold staff accountable for completing the training.


Ongoing cyber security awareness will keep cyber threats top of mind for your employees which means they're less likely to click that tempting link!


Kosh provides a FREE cyber security quiz that your staff can take. It gauges their level of awareness and identifies people that are more likely to make security mistakes. No phone call, just a couple of emails to deliver the report.



Step 6: Antivirus

It may be surprising to you to know that many companies don't have adequate antivirus. Typically, we find that new clients either don’t have antivirus fully deployed, or the antivirus is out of date.


Kosh recommends having a premium antivirus with an active and up-to-date license that is deployed on all servers and endpoints. Checking this off your list will ensure devices that host data and have end-user input have a base level of protection.


Step 7: Spam Filtering and Link Protection

Most email clients (Gmail, Yahoo, etc.) have basic spam filtering built in. The problem is that these basic filters don't catch well-designed phishing emails. And it's the well-designed phishing emails that can cause the most damage! With a premium spam filter, there are advanced features that will add another layer of protection. Advanced spam filters take in more data points from malicious emails to better detect phishing emails. The difference is like taking your car to an automatic drive-through car wash vs getting your car cleaned and detailed inside and out.


One additional feature that is very effective is having software that checks every link sent via email. The software changes the links inside the email so that when you click the link you are either directed safely to where the link is pointing, or you are notified that the link has been identified as malicious. This is usually an add-on to the spam filtering that we recommend.


Step 8: Data Encryption

This step covers data at rest and data in transit. Data at rest is when data is not moving anywhere. Data can be at rest on a USB drive, a laptop hard drive, a server, or in the cloud (a remote server). The primary threat encryption protects against is physical theft of a hard drive. Encryption is not standard on most workstations or laptops, so it's something that needs to be configured in addition to other security measures. An encrypted hard drive would be protected in the event someone steals the hard drive and tries to gain access. In the most basic terms, encryption requires an additional password to access the data. This means files that are stored on your device or synced to your device would be vulnerable in the event of theft if not encrypted. Microsoft's encryption solution is called BitLocker and is available on most up-to-date machines running windows.


Encryption for data at rest on a cloud server (Facebook, YouTube, Quickbooks, etc.) is the responsibility of the cloud provider, so be sure to check your vendor's policies.


Data in transit is when any piece of digital information is moved across the "wire". Examples of digital movement are uploading a picture to Facebook, sending an email, or transferring a file across a VPN connection. For uploading information to a cloud portal, most service providers have an encrypted interface to ensure your information is encrypted "end-to-end". "End-to-end" means from the point the data leaves your machine to the point it reaches its destination (your cell phone to Instagram's servers). When transferring information across a VPN there are encryption protocols built into the VPN making sure the data is encrypted end-to-end.


With email, the sending server and receiving server might not always be encrypted which is why an email encryption service should be in place. These premium services will ensure that your messages are encrypted end to end. The biggest threats are "man in the middle" attacks and a compromised email server. The man-in-the-middle attack is when a cybercriminal "grabs" your emails before they reach the recipient. The criminal then has all the information in your emails. An encryption service would ensure that while the data is moving it is encrypted making the emails useless to the cybercriminal. The second threat is if you send your emails encrypted but then they are stored unencrypted by the recipient. An encryption service will check to make sure that the destination of your emails is encrypted and if it is not, the email will not be sent. Instead, the service will send the recipient a link to access the encrypted email, requiring them to sign in with credentials.


Data encryption is particularly important for industries with more strict regulatory requirements like healthcare and finance.

Step 9: Managed Detection and Response

MDR is the term for an outsourced, specialized cybersecurity service that revolves around threat hunting and the remediation of discovered threats. This is where sophisticated monitoring software is deployed on your network that works in tandem with skilled technicians to identify and respond to threats. If a threat is discovered, an automatic response can be triggered to quarantine the threat until a trained technician can take a look and determine the next steps. This is the line before a security breach. This is more than antivirus which attempts to block malware on a workstation or server. MDR is looking 24/7 for threats that are both known and unknown and not just on your workstations or servers but across your entire technology environment. Constant surveillance helps detect issues faster which in turn reduces the impact of a breach. MDR services aggregate tons of data both from your company's network and from other sources, to better identify emerging threats.


MDR is the last layer of our cybersecurity order of operations in part because it’s a newer offering that we are seeing to be very effective and a critical part of a well-rounded cybersecurity suite. MDR is an additional cost, but it has been crucial in identifying threats early, therefore preventing catastrophic incidents. In most circumstances, the cost of MDR is much less than the cost of a security incident. MDR adds a very important layer of protection.


Cybersecurity Wrap Up

Moving your company through these steps will improve your cybersecurity posture. There're a lot of nuances that should be considered when implementing any cyber security plan, but the steps outlined above should give you a solid place to start the conversation. We recommend talking with your IT staff or your Managed IT Service Provider to develop a comprehensive security plan.


If you have questions or would like a cybersecurity assessment, email us at: cyber@koshsolutions.com


Kosh Solutions provides cybersecurity and managed IT services throughout New Mexico (with offices in Albuquerque, Las Cruces, and Farmington), Durango, and Orange County, California.


 

Disclaimer


The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for the improper use of this information.