Part 3 of Cybera’s Introduction to Cybersecurity series
In our previous blog post, we talked about the importance of cybersecurity in the modern world, and the different kinds of “threats” and “attacks” institutions commonly face.
Today, we’ll review how best to understand your operational environment in order to determine your specific cybersecurity risks.
Knowledge is your best defense
A strong cybersecurity system has multiple layers of protection spread across computers, devices, networks, and programs. However, this system doesn’t rely solely on cyber defense technology; it also relies on people making smart cyber defense choices. And this goes beyond your infosec teams — your entire organization needs to be informed and aware of what is vulnerable, and how best to protect those critical assets.
Cybersecurity frameworks (CSFs) are great guides for what you need to consider as you look to secure your organization.
For example, the NIST CSF is organized into five key functions:
- Identify
- Protect
- Detect
- Respond
- Recover
The first functional area is Identify. Before you can properly protect your organization, you need to know and understand what’s critical to your business. This includes:
- how data moves within and outside your organization,
- having complete inventories of your hardware and software assets, and
- knowing who performs and is responsible for the processes and procedures in your organization, and how risks are identified and managed.
It can be difficult to completely protect or detect possible cyber incidents on your assets if you haven’t identified all of them.
Elements to consider
The NIST CSF glossary lists the following elements to consider when developing an organizational understanding of your cybersecurity risk:
- Systems
- People
- Assets
- Data
- Capabilities
While you most likely have identified your most critical assets and major systems, there are other elements listed above that can easily be overlooked.
Additional things to consider with each element:
| AREA | ITEMS TO CONSIDER | QUESTIONS TO ASK |
|---|---|---|
| Systems | 3rd party risk | What is your risk exposure with your existing vendors / suppliers, and cloud services? |
| Systems | External access | Have you catalogued all your internal and external access points? |
| Systems | Internal access | Have you catalogued all your internal and external access points? |
| People | Education / training | Have you educated *all* staff — not just IT workers — regarding cybersecurity best practices? |
| People | Processes / procedures | What procedures and policies do you have in place (for example, for reporting suspicious emails)? |
| Assets | Inventory – hardware | How are you keeping an accurate inventory of your assets? (These can often be entry points for malicious activity.) |
| Assets | Inventory – software | How are you keeping an accurate inventory of your assets? (These can often be entry points for malicious activity.) |
| Data | Information flows | Do you fully understand your information flows — including types and amounts of data — and are you able to flag anomalous data? |
What’s next?
Once you’ve identified and inventoried your organizational elements, the next challenge is to stay current with new threats.
We will discuss this in our next post, as well as how any unprotected areas (no matter how minor) can impact your overall cybersecurity operations.
Engage with us in cybersecurity discussions
Are there particular cybersecurity topics you’d like to chat with us about, or have us organize a community discussion about? Let us know via security@cybera.ca.