Six Steps to Help Leaders Achieve A Good Standard Of Cybersecurity

As businesses automate operations and interact digitally with employees, customers, partners and suppliers, the threat of cyberattacks and breaches becomes deeply concerning. Unfortunately, 85% of businesses still lack an adequate level of cyber readiness.

Here are six best practices to help businesses boost their cybersecurity standards and defenses:

1. Adopt a ready-made framework of security controls.

Leveraging security governance frameworks like the NIST SP 800-53B, the ISO/IEC 27002:2022 or the ISF SOGP, developed by my nonprofit association, enables organizations to identify the various types and levels of risks, map out existing controls and processes, determine risk tolerance, and provide assurance to stakeholders that information risks are being adequately addressed.

Moreover, these frameworks provide extensive coverage and advice on a broad range of security topics, such as security strategy, threat intelligence, incident management, crisis management, business continuity and cyber resilience, which can help organizations improve defenses against a broad range of threats while aligning security strategy with business strategy.

2. Assess information risk and deliver comprehensive, consistent protection.

Information risk assessments should be performed for target environments (e.g., critical business environments, processes and applications), including those under development. Supporting technical infrastructure on a regular basis helps organizations gain deeper insight and understanding of their environment as well as their own risk and security posture.

It is advisable to perform a risk assessment when undertaking major business changes such as new ventures, business systems transformation projects, mergers and acquisitions, introducing new technologies such as Internet of Things (IoT), Near Field Communication (NFC) or software-defined networking (SDN)) or permitting access to the organization’s business applications and systems by third parties and remote employees.

3. Manage supply chains with a risk‑based approach to information security.

Supply chain attacks have tripled in the last twelve months and it’s a vector that’s increasingly used by cybercriminals to infiltrate organizations. It’s important that information risks are assessed, identified and managed effectively throughout all stages of the relationship with external suppliers. Supplier reviews should cover a wide range of suppliers, particularly those that provide hardware (endpoint and mobile devices), software (operating systems, business applications and security solutions), network devices (routers, switches and firewalls), specialist equipment (heating, ventilation and air conditioning), physical access control and surveillance and self-service terminals, office equipment, cloud services (Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service), utilities (electricity, gas and water), and outsourced arrangements (call centers, data processors and cleaning services).