As a Director on the Subnet board, I find that my business partner and I debate and discuss many things including our staff, our customers and the things that impact us driven by the world around us.
Sometimes the decisions we make are based on clear paths, legislative changes imposed on us by the government, changes to the industry imposed by shifts in the market or even changes in the competitive landscape. Unfortunately, in many cases, the choices aren't clear, and it takes a robust discussion and working with third parties to highlight the right path.
I find that cybersecurity is falling more into the unclear direction bucket, partially because of the breadth of the issue and partly due to the ever-changing risks associated with it.
In talking to our customers, we often find they are in the same boat; some see the problem as an insurance piece where they can pay a fixed amount per month to pass on the risk. Unfortunately, this has proven not to be a great approach - as some insurers are classing cyber-threats as 'acts of war' which negates any compensation.
Most boards that I have discussed CyberSecurity concerns with have an understanding that something needs to happen, but many have limited depth of knowledge on the issue, thus how to combat the breadth of the issues becomes the problem.
In Subnet's case, we chose to take the following approach to cybersecurity:
1. Upgraded our perimeter - while we understand that a firewall box doesn't fix security, it was the low hanging fruit to kick off the journey. In our case, we landed on a Fortinet appliance that scans and detects threats coming into our network.
2. Create and Implement a Security Policy - this is not an 'Acceptable Computer Use' policy that we commonly see still in place at customers sites. Instead, it is an in-depth security policy that defines:
- what happens if a device is breached or an end-user leaks information,
- what settings are in place on our infrastructure to protect us,
- what data/hardware/software is allowed within our environment,
- how we manage our data
- how we ongoing training our end users
- how we interact with third parties, and how they could impact us
Once completed, we had it reviewed and critiqued by a third-party to ensure we hadn't missed a threat vector or any gaps in our thoughts, and finally,
3. Create a Security Working Group - as we understand that security is a journey and not a destination. We have a working group that meets fortnightly to discuss issues and implement changes as we see them surface in the landscape.
If you want to talk more about how Subnet implemented our policies over a coffee, or how the Subnets Consulting team can help implement yours or speak to your board about the real risks, please reach out.