October is Cyber Security Awareness Month. In support of this initiative, Kalleo will be dedicating resources throughout the month to educate individuals about how to protect themselves from the ever-growing number of online threats. This first article addresses what business leaders need to know to minimize the risk of a cyber security incident in their organization.
Effective Cyber Security Begins at the Top
Addressing your company’s IT security needs is no small matter. It’s easy for IT security to fall off a management team’s priority list. Investments in IT security do not make your business money or make your staff more productive, yet failure to properly mitigate and manage your cyber risks can be the thing that puts you out of business.
The frequency and severity of cyber security events are on the rise. You cannot afford to be disengaged with your company’s IT security. While you may outsource your IT support to an outside agency or delegate it to an individual you employ internally, you must remain involved. Regardless of how talented your IT professionals are, you know your business better than anyone. You know what critical information your company has in its possession and how it’s used. You know who in your organization needs access to that data and why. Information like this is core to your cyber security plan. The consequence of a cyber breach can include financial loss, loss of proprietary data, and damage to your company’s reputation. Can you really afford not to be involved in the management of those risks?
Assess Your Risk
The first step in any security plan is to identify where you are vulnerable. Cyber thieves seek sensitive personal and financial data that can be exploited for monetary gain. Give careful thought to what information you have and why you have it.
Consider your HR records. What information do you collect during your hiring process? Are you asking applicants for their social security numbers when they apply for open positions? Do you need that information? Where is the information stored and for how long? Now think about your customers. What do you collect about them? Is there information you ask them to provide that you may not need? Do you process customer credit cards? What happens to their credit card information once the sale is complete?
Only collect the information you need. Remember, thieves cannot steal what you do not have.
Protect Your Assets
Once you have identified what information you have that makes you vulnerable, consider where it is stored and the level of security around it. Make sure that you have secured the information adequately and provided access to only those individuals who need it to perform their job duties.
Implement a Cyber Security Plan
Implementing a cyber security plan for your business is an absolute must. The process can be overwhelming, especially if topics like “network security,” “privacy and data security,” or “incident response and reporting” are not a regular part of your job. Fortunately, there is a resource available at no charge that makes it easy to get started.
The Federal Communications Commission has created the Small Biz Cyber Planner, an online tool available to help you create a custom cyber security plan for your company. Simply choose from a menu of expertly designed categories that address your specific business needs and concerns. Access it at www.fcc.gov/cyberplanner. While this is an excellent and comprehensive resource, I encourage you to use it in collaboration with IT support professionals who can help you customize the plan to meet your unique needs.
Educate Your Employees
NCSA researchers report 77% of small businesses do not have a formal written internet security policy for employees, and 63% do not have policies regarding the use of social media. A business’ staff is the single weakest link in the security of its computer system. It does not matter how large or small your business is, how intelligent your staff members are or how sophisticated your network architecture is, your biggest risk lies with your employees.
Ensure you have policies that instruct employees on how your computers and network resources are to be used. Define what you deem to be sensitive information and set guidelines on how that information is to be protected. Don’t just write and publish your policies. Train your employees as to what each policy means and why you have them in place.
If you observe an action that violates one of your policies, take action immediately. This is a make-or-break area. Do not be guilty of making policy for the sake of making policy. Commit to enforcing what you have documented and demonstrate that commitment. If you do not take security seriously, neither will your employees.
Technology becomes more sophisticated every day, as do the criminals who seek to take advantage of it. The threat to your company will intensify as your dependency on technology increases. Follow these steps to put your business on the path towards reducing your risk of a cyber incident.
As an NCSA partner, we will be providing cyber security tips throughout the month of October on Kalleo’s social networking sites. Access them on Facebook at www.facebook.com/kalleotechnologies or on Twitter at www.twitter.com/kalleotech.