Preventive controls you can enact in 90 days

Michael J. Del Giudice
Preventive controls you can enact in 90 days

The key is to be prepared, not scared.

The key is to be prepared, not scared - It doesn't matter where you are in your cybersecurity journey. You can begin to take steps today to prevent security events.

It’s no secret that critical resources are seriously limited in the public sector. But in a world where remote work is the new norm, preventive controls can’t be lacking.

Many employees now work outside the four walls of traditional offices, and this new norm has brought with it a host of new threats. If organizations don’t respond to threats quickly, operations can be negatively affected.

Focusing on all aspects of security – guarding against data breaches, ransomed assets, and massive financial loss – can be overwhelming.

Here are some actionable steps public sector agencies can take over the course of 90 days to implement effective preventive measures.

Stay on top of public sector and cybersecurity and other insights by subscribing to Cybersecurity Watch.

Day 0-30: Fact finding and documentation

Before considering what their cybersecurity goals will be at the end of 90 days, public sector agencies first need to assess their current capabilities. The following questions are a good place to start:

  • Do we have a cybersecurity plan in place? If so, what areas need improvement?
  • What are the strengths, weaknesses, and vulnerabilities within our organization?
  • What tools, technologies, and licenses have we purchased, and how are they contributing to our current plan?
  • Who are our trusted advisers within the industry, and how can they help us meet our goals?
  • Are we lacking financial or human resources?

These questions might seem basic, but when organizations know where they stand today, they can strengthen their security for tomorrow. Documenting current capabilities and securing top-down buy-in can help supplement areas that lack financial and human resources.

Public sector agencies should make sure they are exchanging best practices and collaborating with others in their industry and community. One approach is to schedule a meeting with peers operating in other county or state public sector agencies. Peers can be quite receptive, and they can help benchmark capabilities as compared with other public sector agencies and share ideas to help existing capabilities mature.

When public sector agencies can clearly articulate where they are within the first 30 days and where they want to be after 90 days, they can establish clear goals around which to structure their cybersecurity plans.

Day 30-60: Multifactor authentication

A great next step that can be implemented relatively quickly and that provides some of the best results against attacks is multifactor authentication (MFA). Requiring that users confirm their identities before accessing systems can serve as a solid, all-around preventive control. Users must present at least two forms of authentication from the following three categories before accessing a website or application:

  • Knowledge. Something they know, like a password
  • Possession. Something they have, like a smartphone
  • Inherence. Something biometric, like voice recognition

Simply put, MFA is a way to confirm that end users are who they say they are, and it helps organizations minimize the likelihood of security compromises. Ideally, this practice should be in place for all users, but it is especially important for those who are at higher risk – specifically administrators and remote workers.

Day 60-90: Endpoint management

In addition to antivirus software, public sector agencies should make sure they have an endpoint protection program in place. Endpoint management can help secure company desktops, laptops, and mobile devices against potential threats. It can also improve the security of the entire network. Endpoint management programs analyze system actions and can proactively prevent potentially malicious activity from occurring.

In addition, these programs can help increase visibility within an organization – alerting on suspicious activity and shrinking the window of time it takes to know something bad might be happening.

Network segmentation and continued goal setting

Organizations can implement preventive controls over the course of 90 days, and they can also set future goals. Even with a strong foundation, security objectives should continue to move forward.

One goal to consider is network segmentation. Although a thorough segmentation initiative takes longer than 90 days, public sector agencies should start laying the foundation for a successful segmentation strategy as soon as possible.

Networks and firewalls are often designed to be tough on the outside, but less attention is paid to strengthening them on the inside. If attackers do make it past the hard exterior, they’ll often find a flat, unsecured network, which makes it easier to carry out an attack.

When networks are segmented, organizations can limit communication between different systems and applications. Segmentation makes it more challenging for attackers to pivot from one system to another and for malware to make its way across an organization.

By segmenting, organizations can improve security, monitoring, performance, and containment and create a network infrastructure that can mitigate the risk of security events.

Cybersecurity is an ongoing process. Organizations that set big goals can reap the rewards of a proactive approach to security.

It doesn’t matter where you are in your cybersecurity journey. You can take steps today to help prevent security events.

A more secure organization begins with individuals who care enough to put solid preventive controls in place. Proactive planning can yield the kind of freedom organizations need to focus on larger security initiatives.

At Crowe, we know that cybersecurity is not a one-size-fits-all solution. But it’s crucial to tailor a plan that meets your organization’s unique security needs.

Start by putting the steps above into action and see where you could be in 90 days – or even years after. If you need extra guidance, the team at Crowe is available to help lead you in the right direction.

Get cybersecurity and other insights delivered directly to your inbox.

Related insights

Curious what to do next?

To start discussing your security goals, reach out to an experienced Crowe consultant today.
Michael Del Guidice
Michael J. Del Giudice
Principal, Consulting