The ultimate guide to cybersecurity planning for businesses

What is cybersecurity?

At heart, cybersecurity is the process of protecting IT networks, systems, applications and data from attacks, intrusions and other cyberthreats. Those threats mostly come from external attackers, but some cybersecurity incidents involve employees and other insiders who may act maliciously or inadvertently cause security problems. In its most recent annual report on data breaches in businesses, released in May 2020, Verizon said 30% of the 3,950 breaches it documented during 2019 involved internal actors.

Cybersecurity programs incorporate a variety of processes and tools designed to help organizations deter, detect and block threats. They're typically run by a cybersecurity department or team that's led by the CISO, the CSO or another senior executive. However, a maxim among security professionals is that everyone in an organization is responsible for information security.

That makes organization-wide cybersecurity awareness and employee training vital to successful programs, as explained in an article on building a cybersecurity culture in businesses by technology writer Mekhala Roy. Security teams "need to really look outward and not inward," said Candy Alexander, president of Information Systems Security Association (ISSA) International and CISO at NeuEon Inc.

Why is cybersecurity important in business?

Weak or faulty cybersecurity protections can result in serious business problems. Data breaches that gain access to customer records and other sensitive information are a high-profile consequence of network intrusions and attacks. Some prominent examples include a multiyear breach at Marriott International Inc. that exposed the personal data of 500 million customers; a 2017 breach at consumer credit rating agency Equifax that affected 147 million people in the U.S.; and two major breaches at Yahoo, one in 2014 involving records from 500 million user accounts and the other exposing all 3 billion accounts the company had when it occurred in 2013.

In addition to potential lost business because of bad publicity and damaged customer relationships, such breaches have a tangible financial impact. For example, Equifax in July 2019 agreed to pay up to $700 million in fines and restitution to victims of its breach as part of a settlement with U.S. agencies and state governments. Jamil Farshchi, who was hired as the company's CISO in the aftermath of the breach, said in a session during MIT Technology Review's CyberSecure virtual conference in December 2020 that Equifax has also spent $1.5 billion on cybersecurity improvements since the breach.

Other types of attacks directly aim to extract money from organizations. These can include ransomware programs, which attackers use to encrypt data files and then demand payments to decrypt them. Distributed denial-of-service (DDoS) attacks that shut down websites and other online systems are also used to try to get companies to pay money to the attackers. Overall, Verizon said in its May 2020 report that 86% of the confirmed 2019 cybersecurity incidents were financially motivated.

What are the business benefits of cybersecurity?

The biggest benefit that strong network security and other cybersecurity protections provide is the ability to avoid business problems. Organizations can continue to operate smoothly without any disruptions or financial hits from attacks enabled by lax cybersecurity. To help show business executives and board members how security initiatives contribute to that outcome, teams should track various metrics on cybersecurity, such as detected intrusion attempts, incident response times and performance comparisons against industry benchmarks.

Cybersecurity efforts can also pay off more broadly by helping companies achieve their strategic and operational goals. In another CyberSecure conference session, Michael Paisley, chief security and resilience officer at email security vendor Mimecast, said many cybersecurity teams think about their purpose "in terms of 'stop the breach.' But if you're doing that, you're not necessarily aligning yourself to the organizational objectives." Paisley added that having a "higher-quality conversation" with senior management and the board should be one of the priorities for CISOs and their teams.

What cybersecurity challenges do businesses face?

Cybersecurity is inherently challenging -- and even what appears to be a well-designed strategy can be undone by a single weak point. Another maxim among security professionals is that they need to stop all attacks to be successful, while attackers only need to break through an organization's defenses once. In trying to prevent that from happening, cybersecurity teams face a number of challenges:

• constantly evolving security threats and attack methods;
• increasing attack opportunities as data volumes, digital operations and remote work grow;
• new security needs driven by expanding use of the cloud and IoT;
• sophisticated and well-funded adversaries, including state-sponsored cybercrime efforts;
• the use of AI and machine learning technologies to automate attacks;
• budget, staffing and resource limitations;
• a shortage of workers with cybersecurity skills; and
• a lack of cybersecurity awareness among business users.

In an article on addressing top cybersecurity challenges, security author Michael Cobb cited "a growing chorus of warnings from cybersecurity experts that drastic changes need to be made" to cope with both current and future threats. That may require expensive investments in new tools and processes, Cobb said. But, he wrote, a strategy that doesn't fully commit resources to cybersecurity capabilities "is not just a risk; it's an existential risk -- one that imperils jobs, careers, customers and investors."

Another alternative is outsourcing cybersecurity operations to a managed security service provider (MSSP) in an effort to reduce costs and offload the challenges and complexities. In another article, technology writer Mary K. Pratt outlines 15 benefits of cybersecurity outsourcing, as well as potential drawbacks and best practices for working with an MSSP.

Cybersecurity systems and software

The cybersecurity technologies that Cobb said organizations should consider using to meet today's challenges of protecting networks and systems include the following:

• a zero-trust security framework that enforces strict authentication requirements on users and devices;
• multifactor authentication to verify users, which most commonly involves two-factor authentication approaches;
• tokenization of sensitive data to better protect it from being exposed if a breach occurs; and
• separate tools for endpoint management and protection, data loss prevention and user behavior monitoring.

That's in addition to widely used technologies such as antivirus software, firewalls, virtual private networks (VPNs) and tools that support access control, email filtering, data encryption, network security monitoring, intrusion prevention, vulnerability scanning, penetration testing and other cybersecurity functions. The available tools include a plethora of open source cybersecurity software options, five of which are highlighted in an article by Karen Scarfone, principal consultant at Scarfone Cybersecurity.

Programming languages are also important components of the cybersecurity toolkit. In an article on the value of coding for security pros, Mike Chapple, senior director of IT service delivery at the University of Notre Dame, details the potential cybersecurity uses of five popular programming languages and how to get started on learning them.

Types of cyber attacks

In addition to financial gains from stolen bank account and credit card numbers, ransom payments and intellectual property theft, cyber attacks may aim to disrupt the operations of targeted organizations or be a form of protest against government and corporate policies. One of the complicating factors in preventing cyber attacks is that there also are many different types of them to guard against.

In an article on the most damaging types of cyber attacks, Cobb explains these six common ones:

• Malware. Malicious software programs use social engineering tactics and other measures to fool users and evade security controls so they can install themselves surreptitiously on systems and devices. Examples include ransomware, Trojan horses and spyware.
• DDoS. These attacks seek to overwhelm targeted websites, servers and other systems with a flood of messages, connection requests or malformed packets. They can be used both for ransom demands and to disrupt business operations.
• Phishing. Usually done via email, phishing involves an attacker posing as a reputable person or entity to trick victims into disclosing valuable information. Spear phishing targets specific individuals or companies, while whaling goes after senior executives.
• SQL injection. This type of attack uses malicious SQL queries to target databases. In a SQL injection attack, a query can be written to create, modify or delete data in a database or to read and extract data.
• XSS. Cross-site scripting, known as XSS, injects malicious scripts and code into web applications and website content. It can be used to steal session cookies, spread malware, deface websites and phish for user credentials, among other things.
• Botnets. A botnet is a group of computers and devices that have been infected with malware and are controlled remotely by attackers. Common uses include email spamming, click fraud campaigns and generating traffic for DDoS attacks.

What are cybersecurity best practices for businesses?

Scarfone lists these six best practices for cybersecurity teams in an article that also includes tips for business users on how to avoid being victimized by attacks:

1. Update cybersecurity policies and practices as needed.
2. Require strong authentication methods for all users.
3. Refresh network security controls to keep them up to date.
4. Prepare for compromises and other security incidents.
5. Keep your knowledge of security topics and technologies current.
6. Improve security awareness among employees.

On the last item, Scarfone noted that security awareness programs often "are just an hour a year of sitting through the same presentation, plus an occasional email." That kind of box-checking exercise can be a waste of time, she warned. "What's needed is a broader cultural shift to understanding the importance of security and the need for everyone to do their part."

In a related article, Chapple provides more detailed tips on how to do cybersecurity training for employees. His advice includes keeping the training content and materials engaging, updating them to include new threats and operational requirements, using a variety of training formats and measuring the effectiveness of the training to evaluate whether it needs to be changed.

How can you develop a cybersecurity plan?

In his CyberSecure conference session, Equifax's Farshchi advocated a practical approach to cybersecurity and risk management that maps the primary threats an organization faces to a set of core controls intended to minimize the threats and provide the required defenses. "That allows you to come up with some reasonable risk decisions and scenarios," he said.

The planning process should start with a cybersecurity risk assessment that identifies key business objectives, essential IT assets for achieving those goals and potential cyber attacks -- as well as how likely the attacks are to occur and what kind of a business impact they could have. In an article, Cobb outlines the following five-step process to assess cybersecurity risks:

1. Scoping the assessment
2. Risk identification
3. Risk analysis
4. Risk evaluation and prioritization
5. Documentation of risk scenarios

Next, an organization can move on to developing a cybersecurity strategy, which Scarfone describes as a high-level plan for the next three to five years -- although, she wrote, "you'll almost certainly have to update your strategy sooner than three years from now." Scarfone specifies four strategy development steps: understanding the threat landscape, assessing your current and desired cybersecurity maturity levels, deciding what to do to improve cybersecurity and documenting the plans, policies, guidelines and procedures that are part of the strategy.

What is the future of cybersecurity in business?

One of the biggest trends affecting cybersecurity is the increase in remote work. That was already an issue before the COVID-19 pandemic, but the coronavirus outbreak has significantly increased the number of remote workers -- and exacerbated the cybersecurity risks posed by employees working from home. In September 2020, Gartner put securing remote workforces first on its Top 10 list of security projects to tackle (although it said the projects weren't listed in order of importance).

Get tips on how to manage cybersecurity for remote workers from Michael Cobb, including why organizations need technologies such as VPNs and software-defined perimeters, as well as security policies and training tailored to remote workers.

Other trends that are shaping future cybersecurity needs and challenges include the following items, as explained by Karen Scarfone:

• Increased security automation. While AI and machine learning can aid attackers, they can also be used to automate cybersecurity tasks. For example, AI tools can quickly detect potential threats in security event data and identify patterns of malicious activities that humans might not see.
• Zero-trust security adoption. Zero-trust principles assume that no users or devices should be considered trustworthy without verification. Implementing a zero-trust approach can reduce both the frequency and severity of cybersecurity incidents, along with other zero-trust benefits.
• Continued improvements in response capabilities. In particular, Scarfone cited the need for organizations to be prepared to respond to large-scale ransomware attacks so they have a strategy in place for handling such incidents before they occur.
• Recognizing supply chain security risks. The massive SolarWinds backdoor attack against government and enterprise networks discovered in December 2020 illustrates the potential cybersecurity risks that supply chains pose, a danger that calls out for improvements in security strategies and technologies.

Cybersecurity skills and career paths

According to a July 2020 research report published by TechTarget's ESG unit and ISSA International, 70% of 327 surveyed ISSA members said their organizations have been affected by the shortage of skilled cybersecurity professionals. Also, 45% of the respondents said the skills shortage has gotten worse in recent years, while just 7% thought things have improved.

That means there are lots of job opportunities for prospective cybersecurity workers. In an article based on input from a group of industry experts, technology writer Steve Zurier lists 10 key skills for cybersecurity professionals to possess -- a combination of technical and soft skills that organizations should look for in job candidates. Related articles detail common cybersecurity job interview questions and how to answer them, and outline a five-step career path in cybersecurity.

Cybersecurity certifications and online courses

Experienced cybersecurity professionals looking to advance their careers, and new workers hoping to get into the field, can bolster their skill sets and resumes by obtaining certifications offered by various industry groups and IT vendors. In another article, Zurier provides details on the top cybersecurity certifications that are available, including what they involve, how much they cost and the jobs they fit.

Online courses are another avenue for bolstering cybersecurity knowledge and skills. A large number of both free and paid courses are available. An article by Zurier contains information on useful cybersecurity online courses recommended by a panel of security pros, including courses offered by courseware providers, industry groups, academic institutions and U.S. federal agencies.