Until the last couple of years, data breaches seemed to be the domain of major corporations—Target, Home Depot, Sony, JP Morgan. However, in recent years, as businesses of every size become increasingly reliant on data and information systems, it is becoming clear that no business is too small to be a target. And yet, only 45% of middle market companies have an up-to-date cybersecurity plan. Just like the big players, small and mid-sized companies should also take steps to ensure that their data is secure, starting from the T.O.P. down.
To shore up weaknesses in technology, management can start with the simple fixes. They can ensure that the network has appropriate antivirus and firewall software, that entry into the network is password-protected, that critical data is backed up regularly, and that the systems are patched when needed. Management should also insist on two-factor authentication, as well as regular reviews of files and network permissions.
Technology can not only help prevent attacks, but it can also help detect them as well. Data breach detection systems monitor and log the activity surrounding potential areas of entry. Collecting this information is important, but management should not stop there; these logs should be aggregated and combed through for unusual activity. Often, cyber breaches occur over long periods of time, so discovering activity as it occurs can shed light on the breach before the perpetrator causes too much damage.
An organization’s security policies should be both forward-thinking and adaptive, and they should cover all relevant aspects of data safety, including the following:
• internal controls
• password management
• social media
• e-mail usage
• mobile device guidelines
• incident reporting procedures
• internet usage
• remote access
• third-party access
• legal requirements
Regular security assessments (every two years at a minimum) can help the company determine how well its security policies are operating. A professional security assessor also can highlight opportunities to adjust policies and procedures as threats evolve.
To supplement the security assessment, the team should gather up-to-date intelligence on cyber threats from reputable sources so the company can stay ahead of attackers. New threats can alter the organization’s cybersecurity strategy, but so can new technology. Management should assess how a new type of technology–such as moving to a cloud-based application–can change the company’s approach.
Organizations with a robust cybersecurity team have the best chance to address security threats. This team must include owners who are invested in data security. Dedicated IT team members, whether full-time, part-time, or outsourced, can implement management’s plans. Hiring a chief information security officer (CISO) may not be feasible, but a professional advisor may be able to fill that role on an outsourced basis.
The organization’s employees should also be invested in the company’s data security plans. Staff members are often called the “human firewall” because they are the most effective first responders to cyber threats. In order for the human firewall to be effective, staff must be educated in cyber threats and mitigation policies, understand how to report and respond to suspicious activity, and believe in the company’s cybersecurity goals.
Third parties should also be considered part of the cybersecurity team because of their access to sensitive information. A third-party risk management (TPRM) process may be something for the organization to consider. These processes are formalized mechanisms to guard against attacks that originate in the company’s supply chain. These systems can vet third parties for reliability, integrity, and loyalty; manage the ongoing relationships, and monitor the third parties’ information systems usage.
Ready to begin?
If you start at the T.O.P., you will be well on your way to improving your organization’s information security program. To get started on a cybersecurity risk assessment, or for additional guidance, contact your CRI cybersecurity specialist.