A Cybersecurity Checklist

There are plenty of resources on cybersecurity. Some are based on existing frameworks, but much is still under development. Regardless of framework, the best protection against a cybersecurity threat is action.

The following checklist gives a brief overview of some of the actions a well-prepared organization has or will commit to implementing as part of being cyber safe. It should start to arm you and your organization with the tools you need to identify, protect, detect, respond, and recover if and when disaster strikes.1

Identifying Threats

• Insurance including retroactive coverage for malware that may have been in your system for years
• Scrutiny of everyone in the supply chain who may infect your system
• Contracts with provisions for your inspection and verification of security systems and cancellation if security is not up to par
• Asymmetrical systems protecting the most valuable assets with encryption and “remote wipe” capabilities to protect the confidentiality, integrity and availability of data
• Backup systems with different passwords
• Data stored offsite
• Only the right people have the right access
• Active scanning of all devices regularly
• Regular reviews of the latest security updates and bulletins from suppliers and manufacturers
• Regular threat monitoring using reporting and/or detection solutions
• Human oversight from a qualified cybersecurity professional

Protecting People and Systems

• Corporate WiFi networks are independent of those dedicated for use by guests
• Security requirements are specifically tailored to meet the legislative requirement(s) of the jurisdiction
• Ban and disable discs and USBs, and/or scan and encrypt
• Robust connection for remote desktop access
• Minimal personal Internet surfing or banking
• Browsers are wiped after use
• No use of pop-up windows, no clicking on tempting emails, no auto-run on computer
• Employee communication to illustrate danger in all these areas, including picking up promotional USBs and using them
• No use of free downloads or generic software from disreputable sources
• Report malware — no penalty for employees who report accidental downloads
• Uninterrupted power supply
• Screen screens, or tilt screens away from windows
• Challenge visitors (nicely)
• Visible ID, entry logs, cameras, lock drawers, tidy up, and lock up at end of day
• Monitoring odd behaviour — off-hour work, depression, money troubles
• Account for all users
• Corporate directory of approved and validated users (including outside vendors, contractors, and consultants)
• Different security permissions and requirements, not based on individual users, but on work groups, divisions and need for access
• Not all employees have or need access to everything
• Data is encrypted during transmission and while at rest
• Access control systems are configured to require both tap and number entry for access to the complex

Detecting and Responding to Threats

• Scanning of networks and lost devices
• Scanning of network or system use by former employees
• Scanning of access during unusual hours or for unusual purposes
• Known malware is blacklisted using your firewall
• Network segmentation with asymmetrical security and separate firewalls
• Eliminate devices which are not updated or patched
• Eliminate software which is not current and supportable
• Use non-English language passwords of at least 8 characters with caps, numbers, and such
• Schedule a change of passwords using complex characters
• Determine the facts
• What is the cause of the crisis and what will be the public perceptions? Many events are surrogates for other issues
• Identify who will frame the issue — regulators, legislators, customers, shareholders, other stakeholders or you
• Determine what will this morph into in the days or weeks ahead
• You may handle the event well, but not the inquiry or testimony at legislatures, or eventual court cases
• Inquiries go up and back; this means as high up the chain of command as possible and as far back as possible
• Act fast but be sure of actions and information
• Apologize but do not admit liability
• If the liability is completely obvious, don’t look foolish by talking around it
• Don’t blame anybody for anything
• Don’t try to sell product or overtly enhance reputation
• The court case may go on for years, long after the event is forgotten
• Check if staff may be keeping details from you, to help avoid confrontation or recrimination
• Supply most employees with communications devices and technology
• Subscribes to a Mobile Device Management (MDM) solution
• Make remote wipe an option if employees use their own devices (not recommended but sometimes unavoidable)
• Introduce more robust security measures, including not allowing family and friends to use the device
• Conduct simulations on a regular basis, without warning or advance notice
• Put your organization’s media and stakeholder engagement strategy into action, providing the most up-to-date information

Recovering from Disaster

• Have failover protection in place, to help ensure data is still available for use from another location
• Enact the organization’s media and stakeholder engagement strategy
• Provide information to those directly and indirectly impacted

1. The United States Government’s Computer Emergency Readiness Team (CERT) has developed its cybersecurity framework function areas. The framework is based on the following five primary function areas: identify, protect, detect, respond, and recover.

For more on this, check out my book "Cyber City Safe".

Available at www.allanbonner.com