
Protect your business from cyber crisis by building a cybersecurity action plan


A robust cybersecurity action plan can help a company avoid millions of dollars in potential losses, preserve its reputation amongst customers and clients, ensure it remains in legal compliance and mitigate damage should a breach occur. As such, it is critical for businesses both large and small to employ a comprehensive cybersecurity action plan to protect against data breach attempts and cyberattacks.

Preventing an attack

Why a cybersecurity action plan is essential

According to IBM’s 2022 data breach report, the average total cost of a data breach worldwide was $4.35 million, a 2.6% increase from 2021. Strikingly, the average cost of a data breach in 2022 was $9.44 million in the United States compared with $5.05 million in the United Kingdom; both countries rank among the five with the highest average data breach costs. Yet companies that had an incident response team and a regularly tested plan reduced their losses by $2.66 million on average.

When deciding whether to create a cybersecurity action plan, factor in the litigation costs that could follow a cyberattack. Because federal agencies and private citizens have a right of action against companies facing a data breach, maintaining cybersecurity hygiene is critical to a company’s financial health, longevity and reputation.

How to create your cybersecurity action plan

There is no one-size-fits-all cybersecurity action plan. This non-exhaustive guide provides best practices for establishing offensive and defensive strategies against cyber threats. The National Institute of Standards and Technology (NIST) framework helps companies to implement and maintain healthy cybersecurity practices. The pillars of the NIST framework, outlined below, provide a helpful starting point from which you can develop and individualize your own cybersecurity action plan.

Step one: Identify

The first step is to identify any laws applicable to your cyber activities. Once identified, you then need to understand what the laws and regulations that govern your industry and region require, so that your plan satisfies every applicable legal obligation. With the rise in cybersecurity breaches, governments have passed extensive legislation governing companies’ obligations in data security. Although many organizations have now familiarized themselves with the General Data Protection Regulation (GDPR), legislatures are continuing to pass broad cybersecurity laws, some of which are industry and/or region specific.

In conjunction with identifying and understanding legal requirements that apply to your business, you should identify the data, digital assets, programs and applications your company employs to determine what procedures are needed to address the risk of a breach. This includes understanding where your data comes from and goes to, the types of data you process, how you store data, who has access to data and how data moves throughout your organization. Be cognizant of the various applications and programs used by your business, particularly during the flux of remote work, as third-party applications can lead to additional security-threat exposure.

Finally, you should familiarize yourself with the various types of cyber threats to understand your vulnerabilities and ensure your preparedness against a variety of attacks. Common types of cyberattacks include malware, phishing, man-in-the-middle attacks, denial-of-service attacks and domain name system tunneling.

Step two: Protect and detect

The second step is to implement robust cybersecurity protections and policies. These can include limiting access to personal data, providing employees with awareness training on common cybersecurity threats and on their reporting responsibilities, and maintaining strong data protection policies. Common baseline security measures that should be implemented include limiting remote access and providing it securely (for example, via VPN); enforcing two-step login; securing Wi-Fi networks; establishing a clean desk policy; implementing firewalls, spam and phishing filters and data encryption; and restricting internet browsing.

It is recommended that you establish a cybersecurity management and response team, one that would include the CIO, IT representatives, legal counsel, outside vendors (such as a forensics team), outside counsel and fraud and credit monitoring services. It also helps to build relationships with local law enforcement and understand whom you should contact if a breach occurs. This team can create methods of detecting anomalies in cyber activity, such as setting up systems that can detect malicious code and unauthorized systems, completing vulnerability scans and creating other alert systems that can notify the appropriate personnel of potential bad actors.

Additionally, obtaining cybersecurity insurance can help mitigate the company’s losses should it experience a cyberattack. The Federal Trade Commission (FTC) suggests ensuring that your cybersecurity insurance provides coverage for data breaches and cyberattacks on data held by you, as well as that held by third parties. It is also recommended to obtain first-party insurance for business costs relating to legal counsel, replacement and recovery of data, customer notification, business interruption, crisis management, cyber extortion, forensic services and fines and penalties, as well as third-party coverages for customer payments, litigation, judgment, settlement expenses and accounting costs. Keep in mind that insurers may increase premiums for or even decline to insure businesses with inadequate cybersecurity protections in place. Consult your broker or coverage counsel to determine the best policy for your company and analyze any endorsements regarding failure to take reasonable security measures.

Step three: Respond

The third step is to put procedures in place to adequately respond to cyberattacks. The FTC suggests securing the physical systems related to the breach, mobilizing the data response team, identifying a data forensic team and consulting with legal counsel.

Depending on where your organization is located and the business it conducts, there are likely various disclosure requirements mandated by law. All U.S. states and the European Union have reporting requirements following a cybersecurity breach. Companies are usually required to inform individuals whose personal information has been breached and report to state regulators within a prescribed period. For instance, California businesses must disclose security breaches to individuals whose unencrypted personal information has been accessed “without unreasonable delay.” Understanding your reporting requirements ensures you report a breach to the correct individuals and avoid increased fines.

Step four: Recover

The last step in your action plan is to have processes in place to confidently and efficiently recover from a cyberattack. This includes re-evaluating relationships with third-party vendors, working with forensic experts to assess weaknesses in current operations and reassessing the cybersecurity action plan you have in place.

Looking ahead

With the growth of data security threats and the new vulnerabilities introduced by remote work, companies must implement appropriate data security practices that fit their needs. Avoid common pitfalls by tailoring your cybersecurity action plan to the company’s needs, testing the action plan frequently and keeping a line of communication open when a breach occurs. For further guidance, see (1) NIST’s Cybersecurity Framework, (2) the National Initiative for Cybersecurity Education, (3) documents published by the DHS Science and Technology Directorate and (4) the Center for Internet Security.
