ADVISER: Cybersecurity tips for every business
Every business is, almost by definition, unique. Each faces its own specific risks, including information security risks.
Nevertheless, we have found 13 common principles at the heart of any enterprise’s information security profile. The order is not necessarily important, but a comprehensive approach is.
Data mapping: A business cannot protect information that it does not know it has. Before undertaking any information security upgrade, the business should confirm its understanding of what types of information it actually gathers, uses and stores; how that information really is used in the company’s operations; where it is stored; and who interacts with it. For example, a well-secured document management system is a good thing, but if users regularly email documents and save them as attachments, or if they copy them to desktops and mobile storage media, the document management system itself no longer provides security. A realistic assessment of actual information practices is the only way to ensure that security measures meet the real world.
Network security: Formal network security requires having the proper technology in place to secure the internal network from unwanted intrusions. Examples are multi-layered firewalls, intrusion detection systems and intrusion prevention systems.
Physical security: It is equally critical to properly safeguard facilities. Secure facility entry, surveillance equipment, security personnel, shredding procedures and clean desk policies are critical components of sound physical security.
Computer and mobile device security: Individual desktops, laptops and mobile devices require security measures including virus protection, encryption and individual firewalls.
Network authentication: Business systems must be protected from unwanted users. Strong passwords and two-factor authentication technology are some of the methods for strengthening this protection.
Security policies: Institutionalizing good information practices in an understandable and enforced program is essential. Appropriate policies include statements regarding the proper use of company technologies, best practices for securing computers and mobile devices, and expectations for informing management of any security irregularities users may encounter.
Security incident response policies and procedures: No entity can ensure that it will never fall victim to a data breach. It can, however, implement a response plan and empower an incident response team. A good plan identifies a team whose active participation is required, sets out a clear and understandable set of response tasks, provides for operational and legal risk management measures, and includes accountabilities for remediating the issue and informing management, clients and vendors, if necessary. The plan should be tested frequently so those charged with implementing it in a real crisis aren’t reading it for the first time.
Vendor security assessment: Any time a business relies on a third party to house or process its confidential information, the same level of rigor must be applied to ensure the vendor’s security measures are at least equivalent to the organization’s.
Security officer or committee: To emphasize the importance of security issues, it is vital to have an individual or team charged with planning oversight. That person or team ensures the proper measures are in place, sees that the company’s systems are regularly reviewed and tested, and advocates for appropriate budgetary support.
Security awareness training: One of the biggest risks to a systems environment is user error or negligence. Phishing attacks, ransomware intrusions and other “human factor” strategies require just one careless user to succeed. Security awareness training is critical to educate employees about this particular risk as well as many other basic best practices.
Third-party security assessments: The best way to determine what vulnerabilities exist within a company’s systems is to retain an independent security consultant who can perform vulnerability scanning and penetration testing. These assessments can also include a review of security policies and procedures and social engineering exercises. This type of assessment reveals weaknesses in perimeter protections and provides a fresh set of eyes on actual security practices.
Cyber risk insurance: A company should at least evaluate available cyber risk insurance as part of its security risk management protocol. It may be necessary to have a cyber risk policy in place to help cover the cost of any damage resulting from a security incident.
Executive sponsorship and support: As with any corporate initiative, a security improvement plan will only succeed when management at all levels acknowledges that the initiative truly is a company priority. Grassroots buy-in is critical, or the program will be filed away and not actively implemented in day-to-day operations. Clear communication from the highest executive levels and real accountability are irreplaceable components of success.
Thomas F. Zych chairs Thompson Hine's emerging technologies practice and heads its privacy and cybersecurity team.