Alike any journey which, as long as it might be, begins always with a first step, developing a good cybersecurity program, as complex as this might become, begins with a number of simple, basic actions. In fact, building the cyber resilience of a company is a real journey, starting from building a culture of awareness, going through adopting a mindset of resilience so that in the end, besides having in place a business continuity plan, a disaster recovery or incident response, but also practice it on a regular basis so that it becomes a "second nature".

According to a recent article published by the Zurich Insurance Group, the five basic steps to begin building a robust cyber security system are:

1. Take a complete and accurate inventory of your IT assets.
2. Have a vulnerability management and patching program tied to your inventory of assets.
3. Conduct an awareness and training program for all users.
4. Continuously monitor information assets.
5. Plan for incident response.

Having a complete inventory of your information assets is the mandatory starting point for any cybersecurity program. In other words, this means having a fair image of the territory to defend, a complete "map" of your network, devices connected to it, as well as software items operating on it - applications, operating systems, data storage systems etc.

Once the "territory" is known, identifying its vulnerabilities - the points through witch hackers may access the system, take control of a device, establish a network presence, and eventually find their way to other valuable assets on the network - is the second "must" in the process. "Run automated vulnerability scans of the entire network at least monthly, preferably more frequently. Review the vulnerability reports and apply the recommended patches as quickly as possible," advices Zurich Insurance.

Yet more than devices, the network's users may be the greatest vulnerability of the system. Targeted by hackers via phishing or social engineering scams, they may unwillingly reveal valuable information or provide an "access key" to the system. Therefore, educating the company's staff for cyber security, as well as enforcing a set of use policy rules and principles, although time consuming and sometimes challenging, may prove of paramount importance.

Of course, only continuous security monitoring of all devices' activity will allow timely identification of possible threats. In house-built solutions, outsourced monitoring services or similar services provided by the insurer will allow aggregating, correlating and inquiring on log data, thus identifying hacking attempts and issuing alerts.

However, no matter how good the monitoring system in place is and how prompt the network administrator or security official's reaction is, some breaches may occur. In such instances, a well-designed action plan should exist, providing for detailed instructions on the tasks to perform according to different scenarios. Moreover, such a plan should be well-rehearsed and tested, to allow corrections and fine-tuning of the different actions that should be undertaken in case of cyber-attack.


Source: Global Risks 2019 Deep Dive on Cyber Risks, Zurich Insurance Group, Fresh Insights, March 2019 Edition 58