There’s a component of having and implementing a cybersecurity plan that is rarely discussed – metrics and measurement. The reason cybersecurity measurement isn’t often talked about is that it can be tricky to track. And, it can also take a good amount of legwork to monitor effectively. However, the benefits of accurately and consistently measuring your cybersecurity posture can provide a wealth of knowledge to your team and help show you where potential vulnerabilities are.
Not sure what to track? Not to worry, we have you covered with this list of recommended monthly metrics.
Employee training is one of the most important steps an organization can take when it comes to cybersecurity. Who was trained, when they were trained and what practices take place should be tracked rigorously. This insight can tell you when another round of training is necessary. And, when this information is bumped up against the type of cybersecurity incidents that have occurred, it can tell you what should come next for training topics.
As with tracking cybersecurity metrics, training crosses all roles within an organization and should be part of the company culture. Cybersecurity training can help employees keep company data stay safe but also help employees keep their own home networks and personal data (and personal lives) safe as well.
Third-Party Access and Policies
Many businesses have third party suppliers that have access to certain components of their organization. It is important to know which third-party suppliers have access, what they have access to, when they were granted access and what their internal cybersecurity policies are. This information will allow you to quickly shut down their access when a project is completed, or if a relationship ends. In addition, by knowing their cybersecurity policies, you’ll either have peace of mind in their services or have the knowledge necessary to limit their access to your organization (or find a new supplier).
Track what your employees have access to, and their level of access. Please don’t skip this. Businesses need to know these details and have accurate records. If an employee leaves, or is terminated, knowing what they had access to will leave nothing to chance when shutting down their access.
In addition to tracking what employees have access to, it is critical to track who has superuser access. Identify and document who has superuser access and why they have access. This type of access should only be granted if it is necessary for their role within the company. If it is not necessary or becomes non-essential to their role, the user should be blocked. This includes administrative access as well.
Days To Deactivate An Employee
Let’s face it, employees leave companies, sometimes through their own choice, and sometimes not. In both situations, it is imperative to swiftly deactivate their credentials across all accounts and portals that the company gave them access to. In truth, this should happen immediately after termination, or on their last day with the company. But, the only way to know how long it takes to deactivate the employee is to track the number of days it takes. In an ideal world, you are tracking employee user access, which will make it easier to shut down access when necessary. Tracking this info helps your internal team know if your Human Resources and IT teams are working together in these scenarios.
Conducting regular network scanning of all assets within your organization’s environment should be a common practice. Regular scanning can help detect vulnerabilities. In addition to tracking the vulnerabilities, be sure to track where the vulnerabilities were found. Tracking both of these details provides you with the knowledge of where to spend time, and potentially budget, to plug the vulnerabilities, and improve the cybersecurity of your company. Although managing patches and updates can be an in-depth process, it is critical to protect the security of your business. Tracking these details every month can highlight where progress has been made, which can be shared with leadership and employees.
Device Inventory/Asset Management
Depending on company size, this can be a bit tedious to track, but it can also be extremely important. Tracking device inventory includes knowing what machines the business has, who the machine is assigned to, where the machine is located (physical location and whether it can be taken off-site), what software is installed on the machine and what browser(s) and browser version the machine is running. It sounds like a lot, but it enables you to implement patches faster and regain access to your machines if an employee leaves or is terminated or brick the machine if need be.
If you are tracking your device inventory, installing patches should be a tad faster to do. That said, tracking the number of patches implemented, as well as the length of time between security patch release and implementation will demonstrate how quickly the IT team is closing the gap on potential vulnerabilities. And patching shouldn’t be limited to devices; patching should be managed, and tracked, for your third-party software and tools as well.
We know some of these metrics may seem tedious. But we also know that having the knowledge that comes with tracking these metrics enables your business to have a better picture of your overall cybersecurity health. It also provides insight into where time should be spent to close up any cybersecurity gaps. And, if you need a third reason, these details offer insights that can be shared internally, with employees or with senior management to demonstrate cybersecurity program effectiveness (or to obtain budget for increased support).
If you begin tracking these metrics and find out you need outsourced technology consulting, consider talking to us. We’re here to chat with you, learn more about your needs, and collaborate with you to help your business have a strong cybersecurity program.