Smart innovation necessitates that information security is an integral part of the system architecture at the beginning of the system or product lifecycle. It is clear from the thousands of data breaches that now, as companies and governments modernize and expand their information systems, they will be required to develop, implement, and maintain an appropriate cybersecurity program, assess the threats to their systems, and protect the confidential, sensitive, and proprietary data that they collect, use, store, and share. While executives in affected companies and government agencies have been quick to declare that the attacks were so sophisticated they could not comprehend or defend against them, the reality is that most of the massive data breaches involved exploitations of known vulnerabilities and violations of well-accepted security practices.

Taking the steps necessary to prevent data breaches and incidents involving critical infrastructure should be everyone’s primary goal. Encryption is only one aspect of a comprehensive security solution required to strengthen the organization’s security posture. Prioritizing security controls is the key to reducing risk and the likelihood of a breach. Threats and risks exist with both physical and virtual assets, and since the two are becoming increasingly interconnected, all aspects of the cybersecurity threat must be addressed.

Security controls are the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Security controls that must be implemented include access control; awareness and training; audit and accountability; security assessment and authorization; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; planning; personnel security; risk assessment; system and services acquisition; systems and communications protection; system and information integrity; program management; and privacy controls.

Security is only as strong as its weakest link. Failed security has resulted in thousands of data breaches that have led to the loss or compromise of millions of personally identifiable records, as well as the theft of classified information, valuable intellectual property, proprietary information and trade secrets, and the compromise of critical infrastructure. In many cases, data breaches or other types of cyber incidents could have been prevented or detected early and the risks of the incident mitigated if the organization had undertaken proper security planning and implemented appropriate security safeguards.

In light of the massive data breaches and well-documented ICS vulnerabilities, consensus is developing around the need for all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program. ICS security plans and programs should be consistent and integrated with existing IT security experience, programs, and practices, but must be tailored to the specific requirements and characteristics of ICS technologies and environments.

A cybersecurity program is comprised of a series of activities. These activities include, for example: governance by boards of directors and/or senior management; development of security strategies, plans, policies and procedures; creation of inventories of digital assets; selection of security controls; determination of technical configuration settings; performance of annual audits; and delivery of training.

Privacy compliance requirements should be incorporated into the cybersecurity program. In addition, an effective cybersecurity program requires trained personnel to evaluate the security impact of actual and proposed changes to the system, assess security controls, correlate and analyze security-related information, and provide actionable communication of the security status across all levels of the organization.

Administrative, technical, organizational, and physical controls help ensure the confidentiality, availability, and integrity of digital assets. Such controls should be carefully determined, implemented, and enforced. NIST has published extensive guidance on the selection of controls for government systems, which can also be useful for private sector organizations.

Cybersecurity is based on a systematic assessment of risks that are present in a particular operating environment. Risk assessments are undertaken to identify gaps and deficiencies in a cybersecurity program due to operational changes, new compliance requirements, an altered threat environment, or changes in the system architecture and technologies deployed.

Assessing risk requires that organizations identify their threats and vulnerabilities, the harm that such threats and vulnerabilities may cause the organization and the likelihood that adverse events arising from those threats and vulnerabilities may actually occur. Risk assessments are the basis for the selection of appropriate security controls and the development of remediation plans so that risks are reduced to a reasonable and appropriate level. The principal goal of the organization’s risk management process should be to protect the organization and its ability to perform its mission, not just to protect its IT assets.

In 2014 NIST published the Framework for Improving Critical Infrastructure Cybersecurity, a set of industry standards and best practices to help organizations manage cybersecurity risks as part of their risk management processes. Developed through collaboration between government and the private sector, the Framework enables organizations to apply the principles of risk management to improving the security and resilience of critical infrastructure. It also provides a process for organizations to determine the maturity of their cybersecurity program, thus enabling them to strengthen their security posture over time.

To minimize the effects of cyber intrusions, it is necessary to plan a response. Incident response planning defines procedures to be followed when an intrusion occurs. Information systems and electronic records are particularly vulnerable when an incident occurs. When systems and personnel are in transition and the environment is unstable, organizations may be targeted by hackers or malicious insiders.

Incident response is the practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference. Fully developed and tested incident response plans and business continuity/disaster recovery (BC/DR) plans are components of a cybersecurity program. Organizations should be prepared if a cyber attack or data breach occurs or if an event interrupts their operations. Response plans, policies, and procedures should be able to accommodate the full array of threats, not just data breaches. GAO has recommended key management and operational practices that should be included in policies for responding to data breaches involving PII.

Incident response plans involve stakeholders across an organization, including IT, security, legal, finance, operational units, human resources, and procurement. The individuals should be identified and their roles and responsibilities defined in advance. Communication with and coordination among stakeholders is an important aspect of an incident response plan. This includes the identification of who within an organization should be responsible for communicating with employees, customers, and other key groups (e.g., investors). It would also include plans for appropriate external communications, such as with first responders, forensic investigation experts, Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centers (ISACs), regulators, communications providers, and outside counsel.

If litigation is anticipated, adequate documentation and evidentiary procedures for incident response is very important. This advance planning can help to ensure that valuable tracking and tracing data and evidence of what happened within a system are preserved and secured and chain of custody is documented.

A business continuity/disaster recovery plan is the other critical cyber response plan for a cybersecurity program. Although commonly considered together as BC/DR, there are separate processes for business continuity and disaster recovery. A cybersecurity incident that is initially handled under an incident response plan may cause a business interruption that requires implementation of business continuity procedures. Thus, each plan should be drafted and tested for such circumstances to ensure a smooth and efficient response and continuity of operations.

Hackers and foreign governments have demonstrated the will, the knowledge, the capacity, and the resources to successfully penetrate information systems and steal the most sensitive information held by private sector and government organizations. The threat is imminent and immediate action is required to assess the risks and implement appropriate security controls.