Does my industry have compliance requirements?
The first step in determining what your organization’s cybersecurity plan should encompass is to determine whether your industry has specific compliance requirements. Good resources for guidance on this topic are industry-specific trade associations or your business-focused legal counsel. Even if your industry has no compliance requirements, you may still need to implement stringent cybersecurity practices. Organizations that are themselves subject to compliance requirements such as NIST 800-171 are now asking their downstream partners about their cybersecurity efforts in order to protect their own interests. In healthcare, “business associates” that provide a service to, or perform a certain function or activity for, a covered entity are required to be HIPAA compliant. Examples of business associates include lawyers, accountants, billing companies, and IT service providers.
Approach To Cybersecurity
How should our organization approach cybersecurity?
If you have determined that specific compliance requirements apply to your organization, the governing framework will dictate the extent of the cybersecurity controls and processes that need to be implemented. If your organization is not bound by a compliance requirement, the right level of protection is open to debate. Many organizations believe they are too small to be the target of a cyberattack, and in most organizations the implemented controls are not adequate for a comfortable level of protection. While complete protection and 100% prevention of a breach are not possible, a multi-layer approach to cybersecurity will position most organizations to successfully combat the tactics of cybercriminals. For most organizations, this multi-layer approach is a cost-effective alternative to the damage caused by a successful cyberattack.
What are the recommended layers of protection?
The TRA-recommended multi-layer approach extends far beyond the common security measures of a firewall and traditional AV. The five most critical measures to have in place are:
1) A documented patching policy with a verification process to ensure all machines are up to date with critical security fixes.
2) Unique and complex passwords with random characters for critical services that have access to sensitive and valuable information.
3) Multi-factor authentication for critical services that have access to sensitive and valuable information.
4) End-user security awareness training and testing.
5) An automated data backup/business continuity service that is tested on a regular basis for accuracy.
Additional recommended layers include, but are not limited to:
a) An Endpoint Detection & Response solution in place of traditional AV.
b) Internal and external vulnerability scanning.
c) An automated log monitoring service.
d) Dark web monitoring for compromised credentials.
e) A 24x7 Managed Detection & Response service.
CyberCare – TRA’s Cybersecurity as a Service Offering
Our team of security experts will assist in the creation and implementation of a cybersecurity plan for your organization. TRA purpose-built its CyberCare Framework to eliminate the burden of researching and vetting the required security services, to accelerate their implementation, and to alleviate their ongoing management. TRA will assist with the implementation and management of all CyberCare Framework services. In the event of a security breach, TRA’s incident response team is available to provide remediation on demand. Contact us to learn more about TRA CyberCare!