ADVISER: Cybersecurity tips for every business
Computer and mobile device security: Individual desktops, laptops and mobile devices require their own security measures, including virus protection, encryption and host-based firewalls.
Network authentication: Business systems must be protected from unwanted users. Strong passwords and two-factor authentication are among the methods for strengthening this protection.
Security policies: Institutionalizing good information practices in an understandable and enforced program is essential. Appropriate policies include statements regarding the proper use of company technologies, best practices for securing computers and mobile devices, and expectations for informing management of any security irregularities users may encounter.
Security incident response policies and procedures: No entity can ensure that it will never fall victim to a data breach. It can, however, implement a response plan and empower an incident response team. A good plan identifies a team whose active participation is required, sets out a clear and understandable set of response tasks, provides for operational and legal risk management measures, and includes accountabilities for remediating the issue and informing management, clients and vendors, if necessary. The plan should be tested frequently so those charged with implementing it in a real crisis aren’t reading it for the first time.
Vendor security assessment: Any time a business relies on a third party to house or process its confidential information, the same level of rigor must be applied to ensure the vendor’s security measures are at least equivalent to the organization’s.
Security officer or committee: To emphasize the importance of security issues, it is vital to have an individual or team charged with planning oversight. That person or team ensures the proper measures are in place, sees that the company’s systems are regularly reviewed and tested, and advocates for appropriate budgetary support.
Security awareness training: One of the biggest risks to a systems environment is user error or negligence. Phishing attacks, ransomware intrusions and other “human factor” strategies require just one careless user to succeed. Security awareness training is critical to educate employees about this particular risk as well as many other basic best practices.
Third-party security assessments: The best way to determine what vulnerabilities exist within a company’s systems is to retain an independent security consultant who can perform vulnerability scanning and penetration testing. These assessments can also include a review of security policies and procedures and social engineering exercises. This type of assessment reveals weaknesses in perimeter protections and provides a fresh set of eyes on actual security practices.
Cyber risk insurance: A company should at least evaluate available cyber risk insurance as part of its security risk management protocol. It may be necessary to have a cyber risk policy in place to help cover the cost of any damage resulting from a security incident.
Executive sponsorship and support: As with any corporate initiative, a security improvement plan will only succeed when management at all levels acknowledges that the initiative truly is a company priority. Grassroots buy-in is critical, or the program will be filed away and not actively implemented in day-to-day operations. Clear communication from the highest executive levels and real accountability are irreplaceable components of success.