Your Cybersecurity Journey: What’s a Business To Do?

The following story was originally published in our Manufacturing Outlook eZine.

By Ken Fanger, MBA, CMMC-RP, President, On Technology Partners 

So, you may have started looking into cybersecurity, learned why it’s important, and maybe you’ve even thought of ways your company can improve.  Now the question becomes, what is a business to do? 

The first step might surprise you: RELAX.  Don’t act in a panic.  Instead, take a deep breath and start by reviewing where you are.  The NIST Framework is a wonderful starting point.  Remember that small wins help you to reach bigger wins.

When you are relaxed and ready to move forward, consider where you want, or even need, to be.  Are you obligated to meet compliance standards, such as PCI, CMMC, HIPAA, or ITAR?  If there are compliance requirements, then you’ll have a strong framework for what is needed. 

If you do not have a compliance requirement for cybersecurity, think about what you are concerned about.

Do you think you could lose your business or lose client information?  Perhaps a potential large financial loss is on your mind.  This step will remind you why increased cybersecurity is worth the effort.  Cybersecurity can seem overcomplicated and unnecessary, and in a perfect world it wouldn’t be necessary, but as we well know, we are not in a perfect world.

Now that you have your reason why, you can build your team to help you implement the next steps.  Your team should consist of key people within your company, stakeholders in the project, and outside consultants to assist you to implement the necessary cybersecurity measures.  Avoid making the team too large; I would suggest between four and eight people.  They need to be motivated and help to keep you on track.  It is easy to put off tackling the cybersecurity process because the everyday fires you put out as a business owner seem so important.  Thus, accountability in keeping the process rolling is necessary.

It’s also important to recognize what you are already doing right.  Most likely, you are not starting completely from scratch.  If you have anti-virus, use multi-factor authentication, have policies concerning cyber safety, are providing cybersecurity training, or do anything in the realm of protecting your company digitally, you already have a leg up.  These wins remind you that each step is not insurmountable, and help provide the momentum and motivation to keep going, to keep building your company’s cybersecurity and resilience even stronger.

Now, we move on to building the actual plan.  This is where a compliance standard or outside cybersecurity consultant will come into play.  Every structure will generally follow the basic NIST Cybersecurity Framework:

Identify – Establish what is important and where it is located.  This includes the people, files, programs, and hardware that need to be protected.  Then, determine why it needs to be protected, which may stem from complications like compliance standards, risks from work-from-home, and so on.

Protect – Determine how to protect the important data you identified.  Do you have backups?  Is there anti-virus?  Anti-spam?  Do you have remote workers that use a VPN?  What are the other security measures that you need?  You’ll also want to build your plans for how to respond during an attack or breach.

Detect – Figure out a method to see if the plan is working.  Do you have a monitoring company that checks logs?  How are you seeing if anyone is getting in?  Knowing that an attack is happening is a vital part of protecting yourself and your business.

Respond – Any response should begin with RELAX.  If there is an attack or a breach, the first step will always be to RELAX.  Then, have processes in place for how to address it. 

Recover – This is where you determine how to get back to work after the attack.  This could be restoring lost data, reviewing what happened and adjusting the current protection plan, additional training for the team, etc.  It is vital to get back to a place of normalcy after an attack.  Attacks are violations and they can make you feel helpless and scared; creating a sense of normalcy will help your team get back to the important work that you are doing.

Cybersecurity does not have to be terrifying, despite what many doomsday cyber professionals would have you believe. What’s the most important thing to remember?  Begin.  Just begin.  Do something every day to increase cybersecurity and keep it from being an overwhelming project to tackle all at once.  Instead, think of it as keeping your company, your team, and yourself safe.

Author profile:

Ken Fanger, MBA has 30 years of industry experience in the fields of technology and cybersecurity, and is a sought-after CMMC Registered Professional, helping manufacturers and contractors to meet DoD requirements for CMMC compliance. He is passionate about technology deployment, and his MBA in Operations & Logistics has helped him to be an asset in the design and deployment of networks to enhance the manufacturing experience. Over the past 5 years, he has focused on compliance and security, including working on the SCADA control system for the Cleveland Power Grid. Mr. Fanger works with each client to identify their unique needs, and develops a customized approach to meeting those needs in the most efficient and cost-effective ways, ensuring client success.