7. Assess risks in network and software design.
Translation: Figure out how and where your corporate network, files, and applications are fragile, vulnerable, or threatened before the criminals do. You care about who has access, how that access is validated, and what that access allows each user to do.
8. Assess risks in information processing, transmission, and storage.
Translation: Consider where things could go wrong as you work with, share, and save data. Do you regularly email protected data? Encrypt those emails. Save your active work files into restricted folders instead of to your desktop. Ensure that backups are saved in a secure format and location.
9. Detect, prevent, and respond to attacks or system failures.
Translation: Install defensive architecture (such as firewalls, anti-virus/anti-malware, and email spam filters), review logs and alerts, and act immediately on issues. If possible, deploy a real-time security information and event management (SIEM) system; SIEM software lets you respond proactively rather than after the fact. If the budget doesn’t allow for SIEM, upgrade your firewall to include intrusion detection so you get as much information about attacks and failures as possible.
10. Regularly test the effectiveness of critical controls.
Translation: Stage a mock disaster or breach event and see if your team can follow cybersecurity procedures in a timely and complete way. Tabletop tests are like fire drills; they help you determine whether you’ve documented all the essential steps so that everyone knows what to do in a crisis. Don’t forget to review access controls each quarter to make sure that only those who should have access do have access.
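One way to make the quarterly access-control review concrete, as an added example that is not from the original article: the script below reconciles an exported list of folder grants against an HR roster and a role-to-resource approval policy, and flags every grant that neither one justifies. The roster, policy, share names and accounts are all constructed sample data.

```python
"""Quarterly access review: reconcile granted access against an approved roster."""
from dataclasses import dataclass

# Constructed HR roster: who is currently employed and in what role.
ROSTER = {
    "alice": {"role": "finance", "active": True},
    "bob": {"role": "engineering", "active": True},
    "carol": {"role": "finance", "active": False},  # left the company last quarter
}

# Constructed policy: which roles are approved for which restricted folders.
APPROVED = {
    "finance": {"finance-share", "payroll-share"},
    "engineering": {"source-share"},
}

# Constructed ACL export: (account, resource) pairs currently granted.
GRANTS = [
    ("alice", "finance-share"),
    ("bob", "source-share"),
    ("bob", "payroll-share"),         # excess: not justified by bob's role
    ("carol", "finance-share"),       # orphaned: account is no longer active
    ("svc_backup", "payroll-share"),  # unknown: account does not appear on the roster
]


@dataclass(frozen=True)
class Finding:
    account: str
    resource: str
    reason: str


def review_access(grants, roster, approved):
    """Return one Finding for every grant the roster and policy do not justify."""
    findings = []
    for account, resource in grants:
        person = roster.get(account)
        if person is None:
            findings.append(Finding(account, resource, "account not on roster"))
        elif not person["active"]:
            findings.append(Finding(account, resource, "account inactive"))
        elif resource not in approved.get(person["role"], set()):
            findings.append(Finding(account, resource, "not approved for role"))
    return findings


if __name__ == "__main__":
    for f in review_access(GRANTS, ROSTER, APPROVED):
        print(f"{f.account:12} {f.resource:16} {f.reason}")
```

Each finding is a grant to remove or to document as an approved exception; a clean run returns an empty list.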