How To Develop An Effective
Cyber Security Strategy
Learn how PurpleSec’s experts can help prepare your business’s cyber security strategy.
Learn how PurpleSec’s experts can help prepare your business’s cyber security strategy.
Author: Michael Swanagan, CISSP, CISA, CISM / Last Updated: 5/28/2022
Reviewed By: Rich Selvidge, CISSP, Seth Kimmel, OSCP, & Jason Firch, MBA
View Our: Editorial Process
There are 8 steps to planning out your cyber security strategy including conducting a security risk assessment, setting your security goals, evaluating your technology, selecting a security framework, reviewing security policies, creating a risk management plan, implementing your security strategy, and evaluating your security strategy.
What You’ll Learn
Many businesses have begun to realize the risk cyber attacks pose on their operations, reputation, and revenues.
While pouring investments into security controls like monitoring tools, multifactor authentication, security awareness, and other security best practices have their merits.
A truly secure business has a sound cyber security strategy in place with a well defined pathway to address future security requirements.
In this article, I am going to explain each step of this process in detail.
By the end, you will have all the knowledge you need to develop the foundation of your security strategy whether you’re a small business or enterprise.
A cyber security strategy can be defined as a plan that involves selecting and implementing best practices to protect a business from internal and external threats.
The cyber security strategy also establishes a baseline for a company’s security program which allows it to continuously adapt to emerging threats and risks.
To effectively manage emerging threats and risks today, the cyber security strategy should consider implementing defense in depth.
The goal of implementing this strategy encompasses the layering of security defenses.
When applied correctly, this strategy increases an organization’s ability to minimize and limit the damage caused by a threat actor.
A company may implement a combination of multiple tools to protect their endpoint devices, such as antivirus, anti-spam, VPN, and a host firewall.
Layering multiple tools to create defense in depth is a solid approach towards laying the foundation for a sound security strategy, however, a company must have resources available to support and monitor the functionality of the tools.
This may introduce additional complexity.
To address this issue, a zero trust model should be implemented as well.
Zero trust implies, never trust, always verify.
Multifactor authentication and machine learning are components of zero trust, which provides the company with visibility on who and how the assets are being utilized within the network.
How is a security strategy different between enterprise and small business?
The primary difference between a large organization and a SMB (Small to Medium sized Business) is the number of employees and revenue.
Regardless of the size of the business, both types of companies can be targets of threat actors.
An SMB that handles HIPAA data is required to abide by the same regulations as a large enterprise.
A large enterprise has a larger footprint of data to secure and may require a larger investment in an IT budget to invest in the proper controls to secure the data, however, threat actors and email phishing do not discriminate based on the number of employees.
It is obvious that the larger revenue generating organizations are prime targets for an attack.
The enterprise in most cases has insurance and may have funds available to pay up in a ransomware attack.
Read More: How To Prevent Ransomware: An Expert Guide
It is a general perception that a SMB has limited budgets and resources to fully secure their networks.
This makes them also susceptible to attacks.
Therefore, a cyber security strategy is just as essential to the large enterprise as the SMB.
The business model and assessed risk the organization has in its care determine the security needs of the business.
The challenge SMBs face have to deal with tight budgets, resource planning, staying current with technology, and staying competitive in their markets.
To meet the challenge, careful planning of where expenditures are needed is paramount, particularly when it involves the security of their business.
The good news is that many security vendors have adapted their large enterprise product suite to the SMB market.
Symantec/Broadcom, McAfee Small Business Edition, Microsoft Office 365 Business has subscriptions for less than 300 licenses.
Microsoft recently announced Microsoft Defendor for Business – an enterprise grade endpoint security designed for businesses with up to 300 employees.
At $3.00/mon per user, we predict this offering will attract a lot of attention in the SMB space to integrate into their existing Microsoft technology suite.
How PurpleSec Helps To Secure Your Organization
Our vulnerability management services and penetration testing services provide a holistic approach to securing what’s most important to you.
Creating and implementing a cyber security strategy is more critical than ever as the number of security-related breaches during the pandemic increased by 600%.
Further, the average ransomware payment leaped 82% in 2021 to $572,000 from the previous year.
There’s no sign of these attacks slowing down and evidence to support that threat actors will only continue to attack vulnerable systems.
Cyber attacks are growing and becoming more disruptive to businesses overnight, and it’s only going from bad to worse with threat actors finding new methods of attack.
We’ve covered a number of the recent cyber attacks this year including:
Attacks are prominently increasing in all industries, with a recent study establishing that the retail industry is at the most risk to cyber attacks through social engineering methods.
89% of healthcare organizations have also experienced a data breach in the past 2 years, even though security measures had been put in place.
This is due to web applications connected to critical healthcare information being vulnerable to cyber attacks.
The threat is just as high for small businesses in almost every industry.
43% of cyber attacks target small businesses, a problem too big for small business owners to ignore.
Therefore, it is important to address your company’s cyber risk and define a strategy due to more organizations using online applications and cloud based applications.
With this being identified, the rapid increase in cyber attacks is inevitable and the effects can be simply, detrimental to your business.
The SolarWinds and Colonial gas pipeline ransomware attacks reveal how bad actors can uncover weaknesses in software code or poor security controls.
If these threat actors can pinpoint their attacks on systems that monitor the networks of the government and energy sources, hacking into your company unfortunately can be considered business as usual.
According to a 2021 security data breach report, there were 1,767 publicly reported breaches in the first six months of 2021, which exposed a total of 18.8 billion records.
Different regulations and laws will levy fines against organizations if they are found to breach data or fail to comply with regulations, such as HIPAA, PCI, SOX, GBLA, or GDPR.
Due to the current growth of companies processing data, platforms such as storing data on the cloud and machines that supports the data has also increased.
The areas of attack and vulnerabilities to cyber attacks have increased due to more data being processed on premise or the cloud.
Recent worldwide data breach statistics indicate that many organizations are falling short on either the development or implementation of their cyber security strategy.
The COVID-19 pandemic has transformed the methods many people are working and will most likely continue to change how they work in the future.
VPN technology has been around for some time, however, this ability to remotely connect to the company’s network from their home or away from the office is common practice today.
According to a new forecast from International Data Corporation, the U.S. mobile worker population will grow at a steady rate over the next four years, increasing from 78.5 million in 2020 to 93.5 million mobile workers in 2024.
By the end of the forecast period, IDC expects mobile workers will account for nearly 60% of the total U.S. workforce.
The ability to work remotely has allowed many businesses to remain profitable, especially if the role of the employee does not require face-to-face interaction or handling of equipment.
However, remote working does introduce risk, such as, stolen devices containing downloaded sensitive files, or weak passwords or out-of-date software or applications can provide an easy entry for bad actors into the corporate network.
Today, businesses are leveraging the power of the traditional data center along with the cloud.
Many companies today are developing business applications in cloud containers unknown to support staff.
A cloud research firm reported that breaches related to cloud misconfigurations in 2018 and 2019 exposed nearly 33.4 billion records in total.
On-premises server farms within the data center are either underutilized or unmanaged on the network.
In many cases, access to sensitive data is not secured properly, or there are blind spots in determining the data owner to resolve security issues.
These are a few problems when it comes to data protection and the cloud transformation facing many organizations today.
An important element of an effective security strategy is the information security policy.
Security policies are a set of written practices and procedures that all employees must follow to ensure the confidentiality, integrity, and availability of data and resources.
The security policy provides what the expectations are for the business, how they are to be achieved, and describes the consequences for failure with the goal of protecting the organization.
In addition to a single Information Security Policy, many organizations opt to have specific policies instead of one large policy.
Breaking out the policies into smaller policies make it friendlier for the end user to digest.
Below are sample policies that can be written in addition to the main security policy.
These are a general set of security policy templates that set of standardized practices and procedures that outlines rules of network access, the architecture of the network, and security environments, as well as determine how policies are enforced.
Data security policies are formal documents that describe an organization’s data security goals and specific data security controls an organization has decided to put in place.
Data security policies may include different types of security controls depending on the business model and specific threats being mitigated.
How PurpleSec Helps To Secure Your Organization
Our vulnerability management services and penetration testing services provide a holistic approach to securing what’s most important to you.
There is no one size fits all approach when creating a cyber security strategy as every business need is unique.
In this section, we walk through 8 steps that your organization can use as a model to develop and implement a successful security strategy.
An IT enterprise security risk assessment is performed for organizations to assess, identify, and modify their overall security posture.
The risk assessment will require collaboration from multiple groups and data owners.
This process is required to obtain organizational management’s commitment to allocate resources and implement the appropriate security solutions.
A comprehensive enterprise security risk assessment also helps determine the value of the various types of data generated and stored across the organization.
Without valuing the various types of data in the organization, it is nearly impossible to prioritize and allocate technology resources where they are needed the most.
To accurately assess risk, management must identify the data sources that are most valuable to the organization, where the storage is located, and their associated vulnerabilities.
A list of areas that are sources for the assessment are listed below:
Leverage your current asset tracking systems (A repository containing all assets, i.e., workstations, laptops, operating systems, servers, corporate owned mobile devices).
A key component of the cyber security strategy is to ensure that it aligns or is in step with the business goals of the company.
Once the business goals are established, the implementation of a proactive cyber security program for the entire organization can commence.
This section identifies various areas that can assist in creating the security goals.
Output from a risk register and impact analysis will help determine how and where cyber security should be prioritized.
The term ‘Low hanging fruit is a business metaphor that refers to tasks that are simple and easily attainable, i.e., a quick win.
If executed in a timely manner, this will provide and exude confidence that you will continue to attain strategic goals as you address the more difficult challenges.
Another key component of the cyber security strategy is the evaluation of technology.
Once the assets have been identified, the next step(s) are to determine if these systems meet security best practices, understand how they function on the network, and who supports the technology within the business.
The items below will assist with the gathering of the information in this key area of the security strategy roadmap.
Identify the current state of asset Operating Systems.
With End-of-Life technology, patches, bug fixes and security upgrades automatically stop.
As a result, your product security is at risk if there are business applications running on these systems and could potentially lead to compromise.
As listed in Step 2 of the plan, the expertise to support the technical platforms is critical.
Resources are required to patch these systems.
In the event of a zero-day attack, resources must be available and responsive to mitigate the threat, as well as recover from an incident.
Technical bloat is a known problem for large enterprise environments that have systems that perform duplicate services.
Poorly written code by developers may lead to ‘technical debt’ – basically, it will cost more, in the end, to rework and document the code properly compared to the initial release.
Unapproved installation of software can cause issues as well.
These systems are usually created by independent teams without the involvement of the support staff. This practice is referred to as Shadow IT.
Documentation is essential to identifying security weaknesses in technology.
Best practices should be implemented with security engaged during the lifecycle of application development to production release.
There are multiple frameworks available today that can help you create and support the cyber security strategy; however, you can’t secure what you can’t see.
The results of the cyber security risk assessment, vulnerability assessment, and penetration test can help you determine which framework to select.
The security framework will provide guidance on the controls needed to continuously monitor and measure the security posture of your organization.
The items below can assist in the selection of a security framework.
Leverage the output from the results gathered in Step 2 related to the maturity model.
Depending on the vertical or sector of your organization, certain regulations exist that must be adhered to or be subject to stiff penalties, i.e., HIPAA, SOX, PCI, or GDPR.
There are frameworks that address a specific regulatory requirement of your organization.
Choose a framework that is feasible and aligns with your company’s strategic business goals.
Once an understanding of the requirements of the business are known, you can then begin the selection process for a framework:
The goal of security policies is to address security threats and implement cyber security strategies.
An organization may have one overarching security policy, along with specific sub policies to address various technologies in place at the organization.
To ensure security policies are up to date and address emerging threats, a thorough review of the policies is recommended.
Below are steps that can help you review the state of your security policies.
A periodic review of the current policies should be conducted to ensure they align with the business model.
The policies should be enforceable.
Each person in the organization is accountable to how they adhere to the security policies.
The policies should be readily available for employees to view.
The policies should be mapped to security controls that monitors, logs, or prevents an activity that is documented in the policy.
Train Employees In Security Principles
Security awareness campaigns are essential methods that can be used to enforce security policies.
There are multiple options to achieve this goal:
Creating a risk management plan is an essential component of the cyber security strategy.
This plan provides an analysis of potential risks that may impact the organization.
This proactive approach makes it possible for the business to identify and analyze risk that could potentially adversely the business before they occur.
The following policies below are examples of best practice policies that can be incorporated into your risk management plan.
At this stage of the strategy, assessments are near completion along with policy plans.
It is now time to prioritize remediation efforts and assign tasks to teams.
Assign remediation items by priority to internal teams.
If your organization has a Project Management office, enlist this team to manage the project.
If there isn’t a project team available, provide leadership and work with the internal teams and plan the efforts.
Set realistic remediation deadline goals
Setting deadlines that are too aggressive and unrealistic is a recipe for disaster.
Better to set a reasonable time frame and exceed expectations.
This final step in the creation of the cyber security strategy is the start of an ongoing support of the security strategy.
Threat actors will continue to exploit vulnerabilities regardless of the size of the organization.
It is imperative that the security strategy be monitored and tested regularly to ensure the goals of the strategy align with the threat landscape.
The items below are key points to consider maintaining a continuous and comprehensive oversight.
Stakeholders are critical to the success of the security strategy.
This group provides resources and ongoing support for the project and is accountable for enabling success.
The goals of the security strategy typically do not change very often, since they should align closely with the goals of the business, however, the threat landscape changes quite often.
It is imperative that the strategy be revisited to determine if any gaps exist in the program. An annual review is a general accepted review period.
When stakeholders understand that you are making strategic decisions about the security of the business, they will accept and appreciate your actions.
The information you receive from internal and external stakeholders will help justify security budgets, processes, and overall business strategies.
The success of the cyber security strategy relies on careful planning with buy in from executive management.
Without leadership support, the strategy will falter and will ultimately fail.
Leadership from the senior team is the most significant factor in the success of the cyber security strategy.
There are pitfalls or roadblocks that may still be in the path that need to be recognized, avoided, or mitigated.
Over time, new servers and applications are provisioned to accommodate a business requirement or development testing.
If there is a lack of change management and decommissioning processes, these systems may spread out and remain on the network indefinitely.
These systems may remain unpatched or can become sources of backdoors.
Legacy system that cannot be patched or no longer supported is a high risk.
Lack of continuous monitoring of the cyber security plan or weak application security management is a byproduct of this pitfall.
When it comes to cyber security, time and the utilization of resources is what companies struggle with the most.
Many SMBs are lean on staff and one person wears all the hats.
It may be work, but failure to patched equipment leaves vulnerabilities in the network that may remain unmitigated for months or years.
Partnering with a Managed Security Provider can address this pitfall.