The following is a cybersecurity program proposal for a mid-sized retail company with stores in two states in the United States. It recognizes that retail companies of this kind face an increased risk of cyberattacks, because their limited capacity for safeguards makes them easy targets for hackers, criminals, and other unscrupulous people.
Cybersecurity risk assessment
The company uses public networks to share information, and these networks are inherently open so as to promote faster and easier sharing; they are not designed for information protection. There is therefore a high risk that information will be intercepted in transit, and intercepted information can then be used to break into closed systems within the company’s information system infrastructure. On the other hand, the company cannot forgo digital integration and innovation as part of its progress towards becoming customer friendly and benefiting from faster coordination with its supply chain partners.
So far, the company has concentrated on creating in-store experiences and establishing an online shopping experience for its customers. It has also linked with the inventory management systems of some of its suppliers. These systems were designed without internal collusion risks in mind, and they represent potential avenues for theft from the company through manipulation of digital records and of the report generation procedures for the company’s operations.
Program elements to address risks
The first element that needs addressing is breach response readiness, as the firm increases its efforts to detect intrusions. Coordination with external threat intelligence is also important, as it will boost the internal resources the company dedicates to fighting cyber threats. The other elements are the security of third-party software providers, the security of the website service provider, the third-party data stores used by the firm, and the monitoring of and response to direct attacks.
The program will come with layered security that mitigates the risk of individual cybersecurity threats, because an attack must then find vulnerabilities in several layers at the same time. For example, an enterprise anti-spam email filtering system will ensure that fewer email-borne attacks reach employees, while employees also have antivirus and anti-spam controls filtering malware and other malicious programs on their workstations and mobile devices.
Another element of the program will be encryption of information on interdepartmental coordination networks. The program includes upgrading all passwords used by staff from one-step authentication to two-step authentication. In addition, password-controlled physical access to premises such as warehouses and stores, when opening or closing, will also include biometric identification to prevent remote access.
The program will also maintain a consistent backup of information in a mirrored infrastructure. The backup will match the live data and run on a parallel system that can be switched over to become the main system in case of an attack from internal or external sources. Lastly, the program will include insurance cover for cybersecurity risk events that would be catastrophic to the business (Shackelford, Should your Firm 349).
The first method will be to check for compliance with basic cybersecurity requirements. This includes the installation and configuration of firewalls and antivirus software on every computer terminal and server used in the business. These are practical aspects of good security practice, and they will show whether the organization is safeguarding its resources against opportunistic attacks by malicious software from the internet. Cyber risk will be treated as a living scale that is influenced by internal and external factors. The business drivers will be mapped against the technology used, to determine the impact level of every attack or breach. After mapping, the relevant threats will be ranked according to the probability of their occurrence and the severity of the asset damage associated with them (Mukhopadhyay, Chatterjee, and Saha 11).
Once the direct and indirect losses to the business are qualified, it will be possible to quantify the impact. Direct losses include the loss of working hours that are billable hourly, and the loss of functionality of a point of sale or other direct customer interaction and service point in the organization. These can be readily determined in terms of their overall contribution to daily operations: the change in the number of activities completed per hour or by the end of a day can help to determine the impact of a given threat. Besides these, there are systematic breaches that affect the core functionality of the business or introduce risks of data and privacy breaches.
The cost of correcting these risks can be taken as a direct representation of the cyber-attack risk. In addition, the influence of a network breach or information leak can be mapped and associated with other certain or potential losses at the firm. These are then quantified based on their individual impact on employee performance, customer management, supply chain management and even the overall management function, and expressed in time, resource and monetary estimates (Shackelford, Managing Cyber Attacks in International Law 48-51).
This proposed method ensures that risks are adequately identified and agreed upon. It lets the organization make sure it does not cross the line where the occurrence of a risk results in the business being unable to continue because of a large-scale commercial impact. The methods of mapping risks and supporting the mapped risks with qualitative and quantitative impact descriptions will rely on identifying and using key performance indicators (KPIs) that let the business work progressively on handling cybersecurity risks.
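As an added worked example, not part of the proposal, the following Python risk register applies the method described above: each threat is mapped to a technology asset and business driver, its direct loss is derived from lost hours and their hourly value, the indirect loss is added, and threats are ranked by probability and severity class against a continuity tolerance. The asset names, figures and the 100,000 tolerance are constructed assumptions.

```python
from dataclasses import dataclass
SEVERITY = {"minimal": 1, "serious": 3, "critical": 5}  # ticket classes used in the plan

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str               # technology component the business driver maps to
    business_driver: str
    probability: float       # estimated annual likelihood of occurrence, 0..1
    severity: str            # "minimal", "serious" or "critical"
    hours_down: float        # hours the asset is unusable per incident
    hourly_value: float      # billable or sales value of one hour of the asset (USD)
    indirect_loss: float     # customer, supply-chain and management impact (USD)

def direct_loss(t: Threat) -> float:
    """Direct loss: hours of lost function times their hourly value."""
    return t.hours_down * t.hourly_value

def impact(t: Threat) -> float:
    """Total quantified loss per incident, direct plus indirect."""
    return direct_loss(t) + t.indirect_loss

def risk_score(t: Threat) -> float:
    """Probability-weighted loss, scaled by the severity class."""
    return t.probability * SEVERITY[t.severity] * impact(t)

def rank_threats(threats):
    """Order the register by risk score, highest first."""
    return sorted(threats, key=risk_score, reverse=True)

def crosses_continuity_line(t: Threat, tolerance: float) -> bool:
    """True when a single occurrence exceeds what the business can absorb."""
    return impact(t) > tolerance

# Constructed sample register for the two-state retailer (all figures hypothetical).
THREATS = [
    Threat("POS malware outage", "store POS terminals", "in-store sales",
           0.30, "serious", 8.0, 2500.0, 20000.0),
    Threat("Web shop denial of service", "online storefront", "online sales",
           0.50, "serious", 4.0, 1500.0, 5000.0),
    Threat("Supplier portal record tampering", "inventory link", "supply chain",
           0.10, "critical", 40.0, 400.0, 150000.0),
    Threat("Phishing credential theft", "staff email", "back office",
           0.60, "minimal", 2.0, 300.0, 2000.0),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:<34} score={risk_score(t):>9.0f} loss/incident={impact(t):>8.0f} "
              f"exceeds tolerance={crosses_continuity_line(t, 100000.0)}")
```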
At all times, there will be a report on what the business can measure and achieve as a cybersecurity goal. The indicators include the achievement of acceptable cyber hygiene levels and of regulatory requirements for cybersecurity. Besides these, there are the policies, procedures, people and products that are set up to deliver the expected level of protection against cyber threats (Greene 32). These features all form KPIs and will be reviewed periodically to assess whether they are working as envisaged and how they contribute to reducing or eliminating the threat. Another KPI will be the time taken to identify incidents that are agreed to be dangerous and worthy of critical and timely attention, based on the qualitative and quantitative risks they pose.
The company needs its information and records to be managed consistently with its strategy for protecting the confidentiality, integrity and availability of information. Static data needs protection against unauthorized access and transfer, and its integrity must be sustained throughout the time the data is stored. Therefore, the company’s information system must provide both software security features and physical security features to support the organization’s hierarchy of data access privileges.
The company needs to bounce back from anomalies and from threat or intrusion events in a way that supports continuous operation of the business. In this regard, it requires a robust mirrored system for monitoring internal activity on its information resources as well as its vulnerabilities to external threats. Roles and responsibilities for detection also need to be defined and allocated, and all detection activities and processes must be compatible with all the applications used in the firm.
The organization needs to qualify effectively the impact of all possible incidents affecting it. It also needs to understand the attacker’s motive when responding to attacks, and to refine the time taken to respond and to address management’s concerns about the impact in commercial terms. For faster response, each incident and risk will have to be qualified in terms of its commercial impact and whether it is continuous or static in nature.
Staff will need training on encryption and on the access protocols for the different clearance levels in the company’s networked electronic information system. A layered structure will allow the organization to deliver training in stages according to the scale of use of each security layer.
Incident response plan
The personnel or system that detects an incident will relay the information to the IT security office, whose systems then automatically relay it to the other affected departments, personnel, and agencies. This second relay will include the steps to follow to mitigate vulnerabilities and reduce the overall effect of the risk event. The program has personnel in charge of the company’s networked system, and it has configured automatic response systems that include firewalls and user access management units. If the incident is discovered within the IT department, the next step is to begin evaluating the event to determine losses.
The responsible staff members in the IT department will map the incident as fast as possible and send alerts to all other attached systems that rely on the affected information resource. If the breach is on a specific workstation or device, denial of access will be the first response, and every subsequent attempt to gain system access will result in additional alerts about the problem. Devices include specific entry and exit controls for employees in the organization, such as biometrically controlled doors.
In the case of physical access threats, relevant management, staff and security officials are alerted automatically via connected systems and devices. They also receive physical alerts, such as being called through alternative phone lines to be informed of the incident.
All contacted members of the response team deliberate on a response strategy according to their security clearance level and identified threats to the system. They ask the following questions when reacting to the incident:
Is it real? Is it in progress? How critical is it? What impact is required for success? Is the impact minimal, serious or critical? What are the targeted systems, and are they physically located or do they exist in the electronic network? Can the incident be contained? What type of incident is it? Does it require an urgent response? These questions help to develop an incident ticket that categorizes the incident by the severity and urgency of the response needed.
Other response team members and affected individuals in the organization react according to their training and the classification of the incident. Reactions include shutting down systems, alerting others, and stopping particular activities or launching activities on their systems and devices. After that, the response team proceeds with specific predetermined procedures for dealing with different types of incident outcomes, such as website denial of service, database file denial of service, spyware, inactive intrusion or system failure.
The next step is to apply forensic techniques to determine the cause and the personnel in charge or persons compromised. The techniques include reviewing intrusion detection logs and interviewing affected staff members. The response team then highlights lessons from the response activity and makes recommendations on ways of preventing future incidents (Stamp 97). The team then restores the affected systems and ensures that they are operating in an unaffected state, using tests to make sure that the system is fully patched and that its protections against cyber threats are running.
The last step is to document the process from discovery of the incident to its resolution, together with the response team’s recommendations. The documentation is preserved for legal, insurance, policy formulation and correction purposes. The documentation and current policies will be reviewed periodically to determine whether future incidents are taking advantage of unattended vulnerabilities or new ones. The information will also form the basis for drawing up new security policies or acquiring additional security infrastructure and personnel to handle emergent cybersecurity risks (Merkow and Breithaupt 104-106).
The company will establish clear communication practices with customers to ensure that they release sensitive identification information only to authorized and well-secured company systems. The intention is to ensure that customers and employees do not succumb to a phishing scam that looks like a legitimate message. When an incident arises, the company’s official communication channels will be closely monitored for anomalies while they are in use.
Meanwhile, the cybersecurity incident response team will use parallel communication systems to avoid transferring vulnerabilities while the company IT system is under an intrusive attack. The program will have systems communicate automatically with their dependent parts within the organization to provide a real-time update of security status alongside other functionality. When a system goes down, for any reason, other systems reliant on it will be alerted and set up for intrusion detection.
Employees will also follow protocol when reviewing and communicating information that can lead to the discovery of cybersecurity incidents. For example, they must use the appropriate code when raising an issue through online and telephone channels. The progress of the response and monitoring teams on any vulnerability will also be reported in real time to the affected persons. Besides this, all information will be available on the systems used collectively for operations and management.
However, access to information will depend on the individual’s clearance level. Coding of information ensures that the right respondents receive it without intermediate manipulation. The documentation of incidents is also part of the communication plan, ensuring that affected members of the organization can easily bring themselves up to date on the breach and initiate appropriate responses according to the company security policy and their professional and workstation capabilities. Lastly, personnel in charge of security will be available on call and will maintain full-time contact with relevant service providers outside the organization.
Greene, Sari Stern. Security Program Policies: Principles and Practices. Indianapolis: Pearson, 2014. Print.
Merkow, Mark, and Jim Breithaupt. Information Security Practices. 2nd ed. New York: Pearson Education, 2014. Print.
Mukhopadhyay, Arunabha, Samir Chatterjee, Debashis Saha, Ambuj Mahanti, and Samir K. Sadhukhan. “Cyber-Risk Decision Models: To Insure IT or Not?” Decision Support Systems 56 (2013): 11-26. Print.
Shackelford, Scott J. “Should Your Firm Invest in Cyber Risk Insurance?” Business Horizons 55.4 (2012): 349-356. Print.
Shackelford, Scott J. Managing Cyber Attacks in International Law, Business, and Relations. New York: Cambridge University Press, 2014. Print.
Stamp, Mark. Information Security: Principles and Practice. Hoboken, NJ: Wiley-Interscience, 2006. Print.