Improving Cybersecurity for Companies in Rhode Island: A Path Forward

NEWPORT, R.I. — The first RI Corporate Cybersecurity Tabletop Exercise, held at the Pell Center on October 9^th, was a major event for cybersecurity in a small state. Many industry leaders attended the exercise demonstrating their commitment to cybersecurity and their desire to build upon existing informal relationships to improve the overall security posture of the RI private sector. Today, the Pell Center released the After Action Report (AAR) compiled by the Center for Infrastructure Assurance and Security (CIAS), which details the findings of the day-long cybersecurity exercise. The report builds upon the exercise by outlining actionable recommendations and highlighting further steps companies may take to better protect their organizations from cyber threats and vulnerabilities.

Timed to coincide with the 10^th anniversary of National Cybersecurity Awareness Month in October, the exercise provided private sector leadership with a real opportunity to raise their awareness and develop an understanding of the most pressing cyber threats to their organizations’ networks and sensitive information.

The participants worked through scenarios involving real-world cybersecurity issues and events, discussed how they believed their organization would handle the situations, and indentified any related best practices. Among the major strengths identified in the exercise were the recognition that leadership plays a key role in establishing and sustaining an organizational culture of cybersecurity, that strengthening existing relationships between organizations is fundamental to developing information sharing arrangements, and that end-user education is a priority. The exercise highlighted also some areas of improvement, including identifying new information sharing partners and avenues for collaboration, expanding current efforts to share physical security information to include cybersecurity information, and using existing abilities, tools, and relationships to develop methods and processes for sharing cybersecurity information.

The report—drafted with extensive consultation between the Pell Center and CIAS—provides a wealth of observations and recommendations for enhancing a company’s cybersecurity, including:

1. Management buy-in. Management and organizational leaders must strive to cultivate a culture of cybersecurity awareness and vigilance within their organizations. The culture of an organization cannot be changed overnight—it requires leadership, understanding, and resolve.
   • Demonstrate the importance of cybersecurity and lead by example;
   • Sustain and enhance an organization’s cyberscurity culture through continuous discussion and engagement (both C-suite and IT must be involved);
   • Integrate cybersecurity into every part of how the business operates; and
   • Participate in the on-going Pell Center RI Corporate Cybersecurity Initiative!
2. Cybersecurity awareness. When implemented correctly, cybersecurity awareness empowers employees to take action to protect their organization.
   • Leaders must be responsible for implementing cybersecurity awareness programs and ensuring that they remain updated and current with trends in personal and enterprise technologies;
   • Dedicate resources for cybersecurity awareness programs and materials;
   • Provide incentives for employees to follow best practices and make reporting safe; and
   • Form a collaborative working groups to gather existing best practices from organizations and develop cybersecurity awareness resources.
3. Policies and procedures. Establishing a clear set of policies and procedures relating to cybersecurity can help arm organizations with guidelines and tools to address cybersecurity issues as they arise.
   • Review existing policies, identify gaps where critical business processes are supported with networks and computer systems, and prioritize critical services and infrastructure;
   •  Establish or enhance existing incident response, business continuity, and disaster recovery plans;
   • Make policies clear, concise, understandable, practical, and able to be reviewed and updated as needed; and
   • Ensure that your policies and procedures extend to third-parties.
4. Information sharing. Sharing information—across people, departments, and organizations—can improve resilience and incident response for the company and the community.
   • Address barriers to information sharing;
   • Share information internally and externally; and
   • Identify partners for information sharing and establish formal information sharing agreements.
5. Training and education. Organizations must take their weakest cybersecurity link—their personnel—and turn them into a cybersecurity “front line” through in-depth and recurring training/education.
   • Allocate appropriate resources to training and make training programs personal, recurrent, engaging, and relevant; and
   • Pool existing resources in Rhode Island and work together.

The recommendations above, if implemented, offer Rhode Island’s corporate community a path forward in the often-overwhelming world of cybersecurity. The best time to start implementing these recommendations is now. Recently-published 2014 cybersecurity predictions anticipate that attackers will increasingly lure executives and target the weakest links within organizations, while insider threats will become even more insidious and complex. The days of setting—and promptly forgetting—a firewall or antivirus program are over. Cybersecurity requires a robust and rapid response, and organizations must prepare themselves today or face cybersecurity headaches in the future. A key component of the path forward is to work together.  Indeed, the central take-away from the exercise was that cybersecurity is a shared responsibility and that addressing it properly requires stronger collaboration among organizations.

To obtain a copy of the AAR report, contact Francesca Spidalieri.