In general, organizations should implement just enough necessary cybersecurity to mitigate risk and meet compliance requirements. We’ve talked about how to mitigate known, foreseeable cyberthreats, but what is the lowest bar for a typical organization with respect to cybersecurity? To figure this out, we need to think about universal compliance and legal obligations for any organization. The most complex patchwork of security regulations is within the United States, so we’ll start there. For example, we looked at regulations that include language similar to Massachusetts regulation 201 CMR 17:
Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program.1
Some of the most populous U.S. states have similar laws, such as New York’s SHIELD Act2 and the California Consumer Privacy Act.3 These requirements aren’t only in the United States. We also looked at the E.U.’s General Data Protection Regulation (GDPR).4 Together, these laws lay out a duty to protect residents’ personal information by spelling out specific requirements and controls. Added up, these form the minimum security standards that nearly every organization should adopt.
We didn’t include requirements imposed by specific industries, such as banking or health care, nor did we include contractual obligations such as the Payment Card Industry Data Security Standard (PCI DSS). We also purposely omitted security requirements for all U.S. publicly traded companies that are covered by the protection requirements of the Sarbanes-Oxley Act.
One thing that pervades all the general security obligations, in both government regulation and civil liability law, is an expectation of “reasonable protections.” These are the things that everybody does or is expected to do as a normal course of business, for example, the use of fire exits in a building or the obligation to clean up slippery hazards at a business site. The reasonable protections for cybersecurity are arguably the same as universal legal security regulations.
Organizations that neglect these most basic security regulations can find themselves in serious hot water with their customers, partners, and company owners. Companies cannot escape the obligation to protect people’s private information.
Based on all of this, we’ve come up with the five minimum practices that every organization should adopt.
1. Designate Someone in Charge of Cybersecurity
It is a truth universally acknowledged that a single organization in possession of computers must be in want of a CISO. That is to say, every cybersecurity regulation includes a requirement, either directly or indirectly, to assign cybersecurity authority and duties to a specific role, usually called the information security officer or data protection officer.
This role, whether part time or full time, needs to have the organizational support and resources to build, maintain, and update the cybersecurity program. This person is the primary contact point for cybersecurity matters, both internally and externally. This role also needs to have sufficient independence to ensure security and compliance requirements are not ignored in the face of business needs. This role raises issues with, and answers questions from, senior leadership about cybersecurity risk.
2. Inventory Your Data, Equipment, and Processes
If you don’t know what you have and where it is, you can’t protect it. Indeed, many breaches involve leaks of confidential data accidentally stored in email or improperly stored on lost laptops or backup tapes. Organizations must have a process to identify and catalog their key operational processes and critical data.
Consider the types of data that a typical organization maintains and what could happen if that information were lost or stolen, for example, employee personal financial data in human resources and payroll systems. Indeed, employee records must be protected per U.S. Occupational Safety and Health Administration regulations.5 Cybercriminals often target this data for fraud, so it must be tracked and protected. Then consider the company financial system itself, including bank access codes and signatures that control money transfer and disbursement. These are also directly targeted.
Even if you don’t store customer payment card information (and if you do, you fall under the PCI DSS requirements), your customers may still share other information with you. Any kind of customer information, from usernames and passwords to contact information, is a potential target for data thieves.
Once your organization has a clear idea of what it holds and where, you can perform a risk analysis.
3. Perform Regular Risk Assessments
Nearly every cybersecurity requirement is risk-based and, consequently, requires organizations to identify the foreseeable threats that are likely to disrupt key assets and expose private data. These threats can be external, such as cyberattackers or natural disasters, or internal, such as malicious insiders or careless users. These risks can be technological, like getting infected by malware, or physical, like forgetting to erase discarded hard drives. Assess risks at least once a year as well as when major business or technological changes occur. A good example is performing an assessment to look at the risks of moving the organization to the cloud. The risk assessment should be as formal as possible, which means employing a repeatable process that produces documentation. If a security incident occurs, attorneys and regulators will likely scrutinize your risk-assessment records.
A key part of the risk-assessment process that many cybersecurity regulations explicitly call out is looking at supplier, partner, and service provider security. Third-party risk is a significant cause of breaches and therefore must be accounted for in an organization’s security plan.
4. Implement Risk-Reducing Controls
The implication of performing a risk assessment is that, now that you know the potential trouble spots, you are obligated to do something about them. This is the heart of the “reasonable security” concept. The things you do to reduce these risks are called controls, and they come in three major categories.
Minimum Administrative Controls
Administrative controls are about managing humans, which in this context includes users and the technical team. Every security regulation mentions some form of security awareness training. This training, usually overseen by the security lead, should include informing users of the major risks, such as phishing and malware, as well as the specific security rules they must follow, such as not storing confidential data on personal equipment.
Cybersecurity requirements also call for enforcing penalties on those who violate security rules. These can be as severe as termination or as basic as compelling additional security awareness training.
Another common administrative control is new-hire personnel screening, which can range from simply verifying someone’s identity and qualifications to performing a criminal background check.
Lastly, one of the key basic administrative controls is user provisioning and termination. This means setting up new users with only the security privileges they require to do their job. More importantly, user accounts must be immediately suspended upon leaving the organization. Surprisingly, this control is often deferred or performed haphazardly, leading to humiliating data breaches from obvious missteps. Careless user provisioning is one of the most common audit failures—this rookie mistake happens to both established security programs and new ones.
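As an added illustration (not from the article), the following Python check reconciles an HR roster against directory accounts and flags the provisioning failures this section describes: accounts still enabled after someone has left, users holding groups their role does not require, and enabled accounts with no HR owner at all. The role map, roster and accounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical role-to-privilege map: the only groups each role should hold.
ROLE_PRIVILEGES = {
    "payroll-clerk": {"payroll-read", "payroll-write"},
    "developer": {"source-read", "source-write"},
    "helpdesk": {"password-reset"},
}

@dataclass
class HrRecord:
    user: str
    role: str
    end_date: Optional[date] = None  # None means still employed

@dataclass
class Account:
    user: str
    enabled: bool
    groups: Set[str]  # directory groups the account currently holds

def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Compare directory accounts against HR. Findings: active_after_termination (leaver
    never disabled), orphaned_account (enabled, no HR owner), excess_privilege (extra groups)."""
    findings: Dict[str, List[str]] = {"active_after_termination": [], "orphaned_account": [], "excess_privilege": []}
    hr_by_user = {r.user: r for r in hr}
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            if acct.enabled:
                findings["orphaned_account"].append(acct.user)
            continue
        if acct.enabled and rec.end_date is not None and rec.end_date <= today:
            findings["active_after_termination"].append(acct.user)
        extra = acct.groups - ROLE_PRIVILEGES.get(rec.role, set())
        if extra:
            findings["excess_privilege"].append(f"{acct.user}: {','.join(sorted(extra))}")
    return findings

# Constructed sample data: one leaver, one over-privileged user, one unowned account.
AS_OF = date(2020, 3, 1)
HR_ROSTER = [HrRecord("alice", "payroll-clerk"), HrRecord("carol", "helpdesk"),
             HrRecord("bob", "developer", end_date=date(2020, 1, 31))]
ACCOUNTS = [
    Account("alice", True, {"payroll-read", "payroll-write"}),
    Account("bob", True, {"source-read"}),
    Account("carol", True, {"password-reset", "payroll-write"}),
    Account("svc-legacy", True, {"source-write"}),
]
```

Running `reconcile(HR_ROSTER, ACCOUNTS, AS_OF)` reports bob as active after termination, carol as over-privileged, and svc-legacy as orphaned; a real deployment would feed it exports from the HR system and the directory on a schedule.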
Minimum Technical Controls
When you’re worried about IT risk, it makes sense to look for IT controls to help. The most obvious and simple control here is authentication, beginning with passwords. Since password attacks are the most common cause of breaches, it is a good idea to thoroughly define your access control strategy. A good place to start is considering the use of multifactor authentication. If you can’t swing multifactor authentication quite yet, you can still gain a lot in preventing credential stuffing by ensuring that passwords are unique, that is, not reused from other sites.
Another “must have” technical control is some kind of Internet filter, meaning a firewall. A wide variety of firewalls are available, some even for free, that can offer different capabilities and levels of protection. The thing with firewalls is that they must be configured properly to keep attackers out while still letting customers in. Firewalls must also be maintained with periodic patches and configuration reviews to ensure they’re working properly.
If users are working remotely, and most of them are nowadays, then your organization needs to set up a secure method for remote access. Most cybersecurity regulations require the use of encryption when transmitting confidential data across public networks. This means using a virtual private network (VPN), which encrypts remote worker traffic back to your organization’s systems. As with any technical controls, carefully plan VPN deployments with consideration for network design, authentication method, and bandwidth requirements.
Although not always specifically called out in cybersecurity regulations, antivirus protection is heavily implied. Sometimes it is phrased like “system security agent software which must include malware protection,” which is a way of covering a wide variety of malware controls. However, given that antivirus software has been around for over 30 years6 and is available on nearly every computing platform, it’s easily considered a “reasonable security” measure. It’s also what my old mentor referred to as “something you need to do so you don’t look stupid.”
Minimum Physical Controls
Because physical security controls don’t involve computers, they are often overlooked. However, the control is often as simple as locking up computing equipment and media. One of the most common forms of data breach involves stolen or lost laptops, often from parked cars. This risk is easily addressed with full-disk encryption. Nearly every cybersecurity regulation includes portable-device encryption, which luckily is built into all contemporary operating systems.
Any equipment that is retired, donated, or otherwise disposed of should also have its storage systems rendered unreadable to ensure no confidential data remains on the device once it is out of the organization’s hands. As any tech person will tell you, deleted data can often be restored, so it’s better to be safe than sorry and thoroughly erase or destroy the drives. Organizations should also be aware that modern copiers and printers can retain traces of previously scanned or printed images locally on internal drives.
5. Incorporate Cybersecurity into Operational Processes
Many cybersecurity processes fall outside the security team’s direct purview, such as personnel screening, which is often handled by human resources. Another area is IT operational processes, which directly and significantly affect an organization’s cybersecurity posture.
One of the most basic and powerful IT operational processes for cybersecurity is hardening and patching systems. Luckily, this entails two straightforward practices: removing or changing preset default credentials and promptly applying critical security patches.
Organizations also need to monitor systems and networks for drift from expected norms as well as for unexpected or malicious activity. A popular method for keeping an eye on security configurations and patch levels is performing periodic vulnerability scans on both the Internet perimeter and key internal systems. These scans have the advantage of fulfilling another basic compliance requirement: testing and evaluating the effectiveness of technical security measures.
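An added example, not from the article or F5 Labs: a small drift check that compares constructed host snapshots against a hardening baseline and flags the things the two paragraphs above call out, namely vendor default credentials left in place, patch levels below the required bundle, and listening services that were not expected. Every field name and value is constructed; a scanner or inventory export would supply real ones.

```python
from typing import Dict, List

# Hypothetical hardening baseline for one host group; every value is constructed.
BASELINE = {
    "min_patch_level": 42,                          # lowest acceptable patch bundle
    "allowed_services": {"ssh", "https"},           # anything else listening is drift
    "vendor_default_accounts": {"admin", "guest"},  # preset accounts that must be disabled
}

def check_host(snapshot: Dict) -> List[str]:
    """Compare one host snapshot to BASELINE; an empty list means no drift."""
    host = snapshot["host"]
    findings = []
    if snapshot["patch_level"] < BASELINE["min_patch_level"]:
        findings.append(f"{host}: patch level {snapshot['patch_level']} "
                        f"below required {BASELINE['min_patch_level']}")
    for svc in sorted(set(snapshot["services"]) - BASELINE["allowed_services"]):
        findings.append(f"{host}: unexpected listening service {svc}")
    for acct in snapshot["accounts"]:
        if acct["name"] in BASELINE["vendor_default_accounts"] and acct["enabled"]:
            findings.append(f"{host}: vendor default account {acct['name']} still enabled")
        if acct["password_unchanged"]:  # flag a scanner would set for a preset password
            findings.append(f"{host}: account {acct['name']} still has its preset password")
    return findings

def check_fleet(snapshots: List[Dict]) -> Dict[str, List[str]]:
    """Run check_host over every snapshot and keep only hosts that drifted."""
    report = {}
    for snap in snapshots:
        drift = check_host(snap)
        if drift:
            report[snap["host"]] = drift
    return report

# Constructed snapshots, shaped like an inventory or scanning tool might export them.
SNAPSHOTS = [
    {"host": "web-1", "patch_level": 42, "services": ["ssh", "https"],
     "accounts": [{"name": "admin", "enabled": False, "password_unchanged": False},
                  {"name": "deploy", "enabled": True, "password_unchanged": False}]},
    {"host": "web-2", "patch_level": 39, "services": ["ssh", "https", "telnet"],
     "accounts": [{"name": "admin", "enabled": True, "password_unchanged": True},
                  {"name": "guest", "enabled": False, "password_unchanged": False}]},
]
```

`check_fleet(SNAPSHOTS)` returns nothing for web-1 and four findings for web-2, which is the kind of record that also documents the testing of technical measures the paragraph mentions.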
F5 Labs often speaks of the assume breach philosophy, meaning that you should prepare for the inevitability of a security incident. Every cybersecurity requirement includes a provision for timely reporting to authorities and victims in the event of a data breach. To be able to do this, organizations must have processes in place to detect, respond to, and document security incidents that involve private personal data. Having adequate backup and restoration procedures in place is also one of those implied “reasonable security” requirements.
Lastly, organizations need to ensure that any third-party providers are also following minimum cybersecurity processes. Sometimes this is done as an audit of the third party, or it can take the form of contractual obligations to maintain security measures.
Although this is a small list of basic security measures, it’s surprising that some organizations don’t meet even this low standard, or are not even aware of it. Remember, these are just the foundational security requirements. If you want to go deeper (and you should), review our recommended security controls for 2020.