Building a Strong Cybersecurity Baseline
What are the benefits of maintaining a strong cybersecurity baseline?
Important data is worth protecting – most companies have private or protected data that shouldn’t be made public. A strong cybersecurity program safeguards this sensitive information by protecting the company from hackers.
Strong cybersecurity reduces the risk that you’ll become subject to paying government fines or ransomware payments – depending on your industry and region, you may be subject to legal repercussions if you experience a data breach due to non-compliance. Cybersecurity incidents also often cause direct financial losses through theft, ransomware, or operational disruption.
Getting hacked can ruin your brand reputation, even if you aren’t a technology company – data breaches can cause significant reputational damage that customers remember for years, especially if they’ve been personally impacted or their personal information has been compromised. This damage can become more costly in the long run than the immediate financial impact of the breach.
A comprehensive cybersecurity plan reduces disruption in the event of an attack – by taking measures to ensure business continuity if you are hacked, you can minimize downtime and potential revenue loss.
Developing a Cybersecurity Program
Who should own your cybersecurity program?
If you don’t have a CIO, IT should own cybersecurity with input from Legal – companies with annual revenue of up to $50MM typically have an IT leader (VP or Director of IT) who’s responsible for data security and partnering with the company’s legal counsel to manage cybersecurity risk.
Day-to-day cybersecurity activities are usually outsourced – don’t take full cybersecurity operations in-house unless you need to. While IT is responsible for cybersecurity, most companies lack the resources to do all cybersecurity activities themselves. Instead, they outsource to Managed Security Service Providers (MSSPs), who can run as many components of a security program as needed.
Less sophisticated/technical companies (e.g., retail outlets) can get by with a lean team – hire one employee who’s well-versed in cybersecurity and outsource the rest of the work to an MSSP.
Technology companies need more robust internal cyber expertise – they are typically subject to ISO certifications, SOC certifications, and/or GRC compliance requirements. Hire a cybersecurity expert to ensure you’re meeting your audit requirements and are legally eligible to conduct business. Only hire a full cybersecurity team if your needs are extensive enough to require more complex full-time support.
What are the basic elements of a cybersecurity program that all companies should have in place?
| Element | What it is |
|---|---|
| Enterprise Content Management (ECM) System | Central repository for storing and securing all unstructured data such as presentations, emails, and documents (e.g., OneDrive, DropBox, File Share). All competent ECMs use encryption. |
| Email Gateway | Monitors incoming and outgoing emails for potential threats. Most Microsoft products provide built-in email gateways, but you can add additional security layers. |
| Antivirus (AV) or Endpoint Detection and Response (EDR) | Individual protection for every machine in your organization. This is necessary because you never know what people are clicking on—especially if employees are allowed to take their machines home with them. |
| Multi-Factor Authentication (MFA) and Single Sign-On (SSO) | An extra layer of security by adding another verification step to user logins. Second-factor authentication shouldn’t be considered optional. You usually need to source these elements from outside of your platform. |
| Phishing Prevention | Regular training and testing of employees to mitigate risk from employees themselves. 95% of all data exfiltration, hacks, and ransomware starts with somebody clicking on something they shouldn’t. |
| Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) | Automation tools that help manage security incidents and orchestrate responses when problems arise. |
| Cloud Access Security Broker (CASB) | Monitors cloud service usage and can detect unusual activity, such as impossible login locations or excessive data downloads. By ensuring that the right people have access to the right things, this tool can identify and flag suspicious incidents. |
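The two CASB detections named in the table (impossible login locations and excessive data downloads) come down to simple arithmetic over audit events. The script below is an added illustration, not the logic of any CASB product or code from this guide: it runs both checks over a handful of constructed login events. The speed threshold, the download threshold, and the event format are assumptions chosen for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample cloud-service audit events (not real data). Each entry is
# (user, ISO-8601 UTC timestamp, latitude, longitude, bytes downloaded).
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00", 40.7128, -74.0060, 5_000_000),     # New York
    ("alice", "2024-03-01T09:45:00", 51.5074, -0.1278, 2_000_000),      # London, 45 min later
    ("bob",   "2024-03-01T08:00:00", 37.7749, -122.4194, 10_000_000),   # San Francisco
    ("bob",   "2024-03-01T20:30:00", 40.7128, -74.0060, 1_000_000),     # New York, 12.5 h later
    ("carol", "2024-03-01T10:00:00", 48.8566, 2.3522, 30_000_000_000),  # Paris, 30 GB pulled
]

MAX_PLAUSIBLE_SPEED_KMH = 900.0          # assumption: roughly airliner cruising speed
DOWNLOAD_THRESHOLD_BYTES = 10 * 1024**3  # assumption: 10 GiB per user in the window


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, required_speed_kmh) for consecutive logins by the same user
    that would require faster-than-plausible travel between the two locations."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, _ in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order, so each pair is "previous login, next login"
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                # Simultaneous logins from two different places cannot be explained
                # by travel at all; report them with an infinite speed.
                if dist > 0:
                    findings.append((user, float("inf")))
                continue
            speed = dist / hours
            if speed > max_speed_kmh:
                findings.append((user, round(speed)))
    return findings


def excessive_downloads(events, threshold=DOWNLOAD_THRESHOLD_BYTES):
    """Return users whose total downloaded bytes across the events exceed threshold."""
    totals = defaultdict(int)
    for user, _, _, _, nbytes in events:
        totals[user] += nbytes
    return sorted(u for u, b in totals.items() if b > threshold)


if __name__ == "__main__":
    for user, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user} would need ~{speed} km/h")
    for user in excessive_downloads(SAMPLE_EVENTS):
        print(f"excessive download volume: {user}")
```

With the constructed events, alice is flagged (New York to London in 45 minutes needs roughly 7,400 km/h), bob is not (San Francisco to New York in 12.5 hours is an ordinary flight), and carol is flagged for download volume. In practice the thresholds are tuned per organization, and VPN or proxy egress points are allow-listed before the travel check, since they are the usual source of false positives.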
How can small to medium-sized businesses balance the costs of implementing a robust cybersecurity program with their limited resources?
MSSPs offer a wide range of relatively affordable services that can meet almost any cybersecurity needs – until you have 1,000s of employees and hit an ARR of $500+ MM, it rarely makes sense to take security in house. Instead, use MSSPs to make sure you’re getting the protection you need without overinvesting in building security strategies from scratch.
Range of cybersecurity solutions
| | Bare minimum MSSP package | Robust MSSP package | Full in-house cybersecurity team |
|---|---|---|---|
| What you get | • Alerts for viruses • Help center monitoring red flags • Managed by VP of IT | • Full-fledged cybersecurity services • Managed by junior-level security engineer or compliance expert | • 3+ full-time security engineers whose salaries start at $150-200k • Lead who manages your internal security team • Security tools |
| Cost | $100s per month | $100,000s per month | $100,000s per month (often more expensive and complicated than MSSP) |
Outsource playbook-friendly activities to your MSSP but keep non-threatening and one-off activities in-house – MSSPs excel at handling routine, well-scoped activities that can be clearly defined by a set of rules. They also leverage teams of highly qualified security engineers to handle urgent and threatening issues that might pop up. However, non-time-critical and non-threatening tasks like tuning email gateways, routine management of content management systems, managing MFA rules, and managing small exceptions should be kept in-house.
How do you drive a culture of cyber awareness in your company?
Make security practices a normal operating procedure – the best security programs are ones that nobody notices. MFA should be a subconscious part of your team’s daily routines, and your other security tools should make data security best practices as intuitive as possible.
Provide employees the training and education to support your program – regularly provide educational and training modules for the entire company to ensure that all new employees understand how to protect the organization (and to help existing employees stay up-to-date). Don’t assume that someone knows how to identify a potential vulnerability just because it seems obvious to you.
Have clear executive responsibility for cybersecurity – your company should have a visible champion for your cybersecurity initiatives. Make employees feel as comfortable as possible when it comes to flagging suspicious activity, asking questions, or admitting they don’t know something. If your team knows that cybersecurity is a priority, they can help support it.
What is a cyber risk assessment? How do you conduct a risk assessment?
Risk assessments compare how you protect your data with what you should be doing to protect it – the goal of a cyber risk assessment is to make sure you aren’t exposing yourself to any unnecessary risk from a data, compliance, or operational perspective. If you overbuild your solution, you cause more operational friction and drive unnecessary cost into the business. If you underbuild your solution, you put the business itself at risk.
Steps for conducting a risk assessment
1. Identify the types of assets and information that a company uses
2. Create an inventory of all company data, where it is stored, and how valuable each type of data is
3. Categorize that data in terms of its
4. Compare those data categories to the compliance requirements specific to the company’s type of business in order to identify the frameworks the business might be required to meet for compliance purposes.
5. Choose the “least common denominator” standard that the company must comply with, and use it as a framework to start building out your security program
Baseline cybersecurity programs vary greatly across industries and geographies – while a set range of tools and certifications come into play, the framework you should implement depends entirely upon your specific situation. The most important thing you can do from a generalist perspective is consult with an expert who can make you aware of the breadth of requirements your business might face—and be willing to meet those requirements.
What are the different kinds of cyber frameworks that you might apply to your
Common Cyber Frameworks that you might apply
| Category | Framework | Description |
|---|---|---|
| General frameworks | SOC-2 | A voluntary compliance standard developed by the AICPA for organizations that specifies how companies should secure customer data based on five “trust service criteria.” |
| General frameworks | ISO-27001 | An international standard that provides requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). |
| Industry-specific | HIPAA | U.S. federal law that requires healthcare providers, insurers, and their business associates to protect patients’ sensitive health information. |
| Industry-specific | FedRAMP | U.S. government program that provides a standardized security assessment approach for cloud services used by federal agencies. |
| Geography-specific | GDPR | European Union regulation that sets strict requirements for how organizations must handle personal data of EU residents. |
| Geography-specific | CCPA | California state law giving residents rights over their personal information and requiring businesses to disclose how they collect, share, and use consumer data. |
Cyber Around M&A
Why is it important to evaluate cybersecurity as part of M&A diligence?
Lack of cybersecurity diligence allows hackers to identify valuable targets and exploit VC/PE investment – most buyers and sellers fail to conduct any cybersecurity assessment during the due diligence process—which is likely why 22% of all companies that undergo a merger, acquisition, divestiture, or carveout will be hacked within 6 months of the transaction. Hackers identify targets that are going through a sale (these targets often release “tempting” data about their revenue and multiple), infiltrate those companies’ networks, and wait for the transaction to be completed before executing their attacks and increasing the ransomware fees according to the VC’s or PE’s higher ability to pay. In addition to holding your data for ransom, hackers can sell your data on the dark web.
Cybersecurity costs aren’t accurately factored into value creation plans – if you don’t conduct robust cybersecurity due diligence, you can’t gauge the level of risk you’re exposing yourself to if the above scenario takes place, and you can’t account for the level of investment that will be required to bring your acquisition’s cybersecurity up to standard in the future.
Cybersecurity breaches can tank transactions before they occur – 15-17% of all PE or VC-type transactions are tanked at the last minute due to a cybersecurity breach on the seller side. It is in the seller’s best interest to make sure they aren’t exposing themselves to unnecessary risk that could derail their business as well as the success of the transaction.
How should you approach cybersecurity diligence in M&A transactions?
| Step | Questions to ask |
|---|---|
| 1. Identify anyone with “elevator privileges” – by identifying anyone in your network who has the potential to “do damage” to the company, you can ensure that everyone in your network is supposed to be there. For example, someone could move an entire database in a matter of seconds if they have the right privileges. Once you determine who needs what access, you should tie specific privileges to specific people and remove any duplicates in the system. | • Who has elevator privileges? • What is the minimum level of permissions each individual needs to do their job? • Is there anyone who shouldn’t be here, or who has more clearance than they need? Are there any duplicates? |
| 2. Conduct internal, external, and physical penetration tests – 60% of data exfiltrations come from employees. By understanding how easy it is for people to get into your company’s systems or remove data from your networks or databases, you can understand what needs to be done to mitigate those risks. It can also be worthwhile to conduct physical penetration tests to determine whether someone could walk into your office, log onto your network, and access data that way. | • How easy is it to get into your company from the outside? • How easy is it to get data out from the inside? |
| 3. Conduct ransomware susceptibility analysis – each type of ransomware tries to exploit a different weakness in your security posture. Look at your network and identify what you’re specifically susceptible to, and make adjustments accordingly. | • What types of ransomware are you susceptible to? • What changes do you need to make to prevent this kind of ransomware attack in the future? |
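Step 1 of the table (find who holds “elevator privileges”, compare each person’s access with the minimum their job needs, and remove duplicates and stray accounts) is a mechanical comparison once the inputs are written down. The script below is an added example, not part of this guide or of any diligence firm’s tooling: it takes a constructed HR roster, a least-privilege baseline per role, and the accounts present in a directory, and answers the four questions in the right-hand column. The permission names, roles and the choice of which permissions count as high-impact are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
# Who should have access at all, and in which job role.
HR_ROSTER = {"alice": "dba", "bob": "analyst", "carol": "analyst"}

# Least-privilege baseline: the permissions each role needs to do the job.
ROLE_BASELINE = {
    "dba":     {"db:read", "db:write", "db:admin"},
    "analyst": {"db:read"},
}

# Accounts actually present in the directory and what each has been granted.
ACCOUNTS = [
    {"account": "alice",      "owner": "alice", "perms": {"db:read", "db:write", "db:admin"}},
    {"account": "bob",        "owner": "bob",   "perms": {"db:read", "db:admin"}},  # more than an analyst needs
    {"account": "bob-old",    "owner": "bob",   "perms": {"db:read"}},              # second account, same person
    {"account": "carol",      "owner": "carol", "perms": {"db:read"}},
    {"account": "svc-legacy", "owner": "dave",  "perms": {"db:admin"}},             # owner is not on the roster
]

# Assumption: these are the permissions that let one person "do damage" quickly.
HIGH_IMPACT = {"db:admin", "db:write"}


def review_privileges(accounts, roster, baseline, high_impact=HIGH_IMPACT):
    """Answer the four diligence questions for a set of accounts.

    Returns a dict with:
      elevated   - accounts holding any high-impact permission
      excess     - account -> permissions beyond the baseline for the owner's role
      orphaned   - accounts whose owner is not on the HR roster
      duplicates - owner -> accounts, for owners with more than one account
    """
    findings = {"elevated": [], "excess": {}, "orphaned": [], "duplicates": {}}
    accounts_by_owner = defaultdict(list)

    for acct in accounts:
        name, owner, perms = acct["account"], acct["owner"], acct["perms"]
        accounts_by_owner[owner].append(name)

        if perms & high_impact:
            findings["elevated"].append(name)

        role = roster.get(owner)
        if role is None:
            # Nobody on the roster owns this account: it should not be here.
            findings["orphaned"].append(name)
            continue

        extra = perms - baseline.get(role, set())
        if extra:
            findings["excess"][name] = sorted(extra)

    for owner, names in accounts_by_owner.items():
        if len(names) > 1:
            findings["duplicates"][owner] = sorted(names)

    findings["elevated"].sort()
    findings["orphaned"].sort()
    return findings


if __name__ == "__main__":
    result = review_privileges(ACCOUNTS, HR_ROSTER, ROLE_BASELINE)
    print("elevated privileges:", result["elevated"])
    print("beyond role baseline:", result["excess"])
    print("owner not on roster:", result["orphaned"])
    print("duplicate accounts:", result["duplicates"])
```

On the constructed data the review reports three accounts with high-impact permissions, flags bob’s primary account for holding db:admin that an analyst does not need, flags svc-legacy because its owner is not on the roster, and lists bob’s two accounts as duplicates. The same shape works with a real export (a directory dump for the accounts, an HR extract for the roster), and re-running it after each change gives the seller a clean before/after record to show a buyer.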
Risk assessment reports provide IT and financial analyses of your cybersecurity position – the deliverable of a risk assessment will demonstrate the project’s findings in IT language that your VP of IT (or relevant cybersecurity leader) will be able to act on. It should also translate the technical implications of the report’s findings into a list of recommendations and a clear estimate of what it would cost to implement and the financial risk you’re currently exposed to.
Cybersecurity diligence can provide an advantage to both the seller and the buyer – the cost and risk implications of a risk assessment can provide PEs or VCs leverage to reduce the price of a deal. On the other hand, proactive sellers who address potential cybersecurity risks before seeking investment can use their stronger security position as an advantage.
Governance
What governance practices do you need to have in place?
Governance encompasses the operational considerations of your security and defense-in-depth programs – the goal here is to mitigate the operational risk that any sort of security threat or obstacle can pose to your business. If you have a Risk Mitigation department, they should be involved in governance. Otherwise, the Chief Information Security Officer (CISO) or the IT-and-Legal partnership is responsible for your governance strategy with regard to disaster recovery and business continuity.
There are two main governance practices to institute:
1. Disaster recovery (DR) is an invaluable “get out of jail card” for ransomware attacks – DR is about the “bits and bytes” of how you get your data back if you need to recover it. Having a DR plan and strong encryption undermines a hacker’s ability to hold your data for ransom because you can use your backup instead of paying a hacker millions of dollars. Strong DR plans minimize your Mean Time to Recovery (MTTR), allowing you to rebuild and reconstruct everything your company needs to operate as quickly as possible.
2. Business continuity (BC) goes beyond cybersecurity to encompass any operational strategy that will keep the business running during an emergency – BC ensures that you have a plan for how to continue operating if anything threatens the normal operations of your business—and that you also have a clear recovery plan that will help you transition back to normal operations once BC has allowed you to stabilize the business. The entire leadership team should align on BC plans to ensure that all departments and leads are clear on what needs to happen in case of an emergency.
Overall
What are the most important things to get right?
“Defense in depth” strategies provide better, more workable solutions than an overreliance on tools – your cybersecurity solutions should create a balance of different overlapping protections that complement each other. You could compare “defense in depth” to lasagna; too much of any one layer ruins the overall recipe, but the perfect combination of ingredients combines to make something that works better together.
“Bake it in, don’t spray it on” – cybersecurity shouldn’t be an afterthought when you’re building out your IT infrastructure. Instead, you should start with a strong security posture in mind. To return to the lasagna analogy, if you don’t read the recipe before you choose and combine your ingredients, the elements of a lasagna will still be there, but it won’t be nearly as good.
Strategic solutions are more effective than tool-heavy solutions – don’t throw tools (and unnecessary money) at a security problem to fix it; you can have an excellent security program with a minimal set of tools. Many companies think that having “extra” solutions means they’re safer, but they aren’t. Having two email gateways instead of one doesn’t improve your cybersecurity. Instead, it annoys your workforce, decreases productivity, increases cost, and increases the likelihood that employees miss something that is actually important from a security standpoint because they’re constantly inundated with unnecessary CTAs while working.
What are common pitfalls?
Overcomplicating multi-factor authentication can cause problems instead of solving them – if you have multiple platforms and each platform does its own SSO or multi-factor authentication, users will become frustrated because they’re re-authenticating themselves every 5 minutes. A good security system should feel streamlined and easy for people to use; it shouldn’t feel like a chore.
Neglecting user education – you might think it’s obvious that an email that “looks” like a CEO asking for a transfer of funds is suspicious. However, failing to train employees about phishing scams because they seem obvious is an easy way to ask for trouble. It’s better to cover your bases than to assume that your employees are as knowledgeable about cybersecurity as you are.
Underestimating the investment and complexity of bringing cybersecurity in-house – in nearly every scenario, even a 6-figure bill from an MSSP would be more affordable than handling your own cybersecurity. Very few companies make it to the stage where it makes sense to go in-house.