It happens every day. Businesses of all sizes experience data breaches which can lead to the loss of proprietary or private client data, damage a company’s reputation, or even unleash lawsuits. The consequences can be so damaging, in fact, that an organization may face closure as a result.
In addition to the aforementioned concerns, small to medium-sized businesses face additional challenges that larger businesses often don’t; a lack of IT personnel, funding for strong IT, and knowledge for developing a cybersecurity plan, for example. With that said, there are several major components every business owner and leader should consider when creating a solid cybersecurity plan that will serve to best protect their organization.
The first step in creating a cybersecurity plan for your business is to conduct an IT audit. An IT audit is when your company’s information technology (IT) infrastructure, policies, and operations are examined and evaluated for security purposes and to see if they measure up to best practices. This will help determine where your security is strong and where it needs improvement.
Information technology audits allow businesses of all sizes to determine if the controls (hardware, software, practices, and policies) they have in place protect the company’s assets, ensure the integrity of data, and align with the organization’s overall goals. These audits are typically conducted by IT auditors who examine the physical security of your business in addition to the security of your information systems ranging from financial controls to your company’s overall business policies.
Some IT organizations such as Oram Corporate Advisors offer free technology assessments to get you started. These free technology assessments can assist in strategically evaluating whether your IT infrastructure is ready to grow, identify areas of opportunity for improvement, and can “red flag” areas that require deeper analysis and adjustments. Just remember that all technology assessments are not created equal and you often get what you pay for.
When it comes to IT audits, they can be expensive, but businesses need to have them to secure their organizational data, assure clients that their information is safe, and to protect their reputation. Additionally, many industries are now required by their state and/or federal government to participate in regular audits among other IT regulations. Be sure to check with your state and federal government to determine if your business is affected by such IT regulations. Your IT auditor should be able to answer these questions for you as well and assist your business with regulatory compliance requirements.
The cost of an IT audit can be prohibitive for many small to medium businesses. As a matter of fact, they can run into the thousands depending on how much work has to be completed to conduct the audit. Fees are typically charged on an hourly basis and can range from IT company to IT company. Most IT auditors should be willing to give you a free estimate, however, so you know what your investment will be.
The next step in developing a solid cybersecurity plan for your business is to train your employees. After all, your employees can be your strongest line of defense or your weakest link. Information technology best practices require regular IT training for all employees.
Every employee should know certain IT rules such as not opening emails or attachments from unknown or untrusted sources. Phishing scams are one of the most common ways hackers attempt to infiltrate business networks using email. Other items employees should be trained on include spear-phishing, executive whaling, and malware. Training should also include specific company IT policies and procedures that support better data security. Employees should also be trained in a myriad of other topics such as the proper disposal of confidential data (both digital and hard copy), how to handle requests for information, and how to report a suspected breach.
A blog by Forbes magazine online offers small and medium businesses five tips on how to train employees. While these are general training guidelines for any type of employee education, they can also be applied to IT training. In addition to hosting your own educational meetings, most IT companies offer employee training for best IT practices as well. The cost for such training will depend on which company you hire, how frequently you wish to schedule training, and how many employees you have.
The third component of your business cybersecurity plan should be your written information security plan or WISP. This encompasses many items and includes several steps in and of itself. You will need to sit down with an IT specialist and outline a WISP that is specific to your business and the information it holds. Your WISP will need to include the following at a minimum:
Objective– Outlines your WISP including the creation of effective administrative, technical, and physical safeguards for the protection of personal and proprietary information.
Purpose– Outlines what your WISP will do such as ensuring the security and confidentiality of personal information, protect against any anticipated security threats, and protect against unauthorized access or use of information.
Scope– In formulation and implementing your WISP, outline the scope of the plan including reasonably foreseeable internal and external risks, the potential and likelihood of damage caused by such risks, evaluate the sufficiency of your existing IT policies, and design and implement a WISP that puts safeguards into place to protect data. In addition, regular monitoring of the effectiveness of those safeguards should also be included.
Data Security Coordinator– Designate a data security coordinator in your WISP that will implement, supervise, and maintain your written plan. They will head the initial implementation of your plan, train employees, and regularly test the safeguards outlined in the WISP. The security coordinator will also evaluate the ability of each third-party service provider to supply appropriate security measures for information to which they have access. They will also review the scope of the security measures in the WISP and conduct annual training for all employees including the owners, managers, and independent contractors as well as temporary employees who have access to personal information.
Internal Risks– Identify probable internal risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.
External Risks– Identify probable external risks to security, confidentiality, and/or integrity of electronic, paper, or other records containing personal or proprietary information. Also evaluate how to limit such risks and implement necessary measures for reducing them.
Implement Your Plan
Implementing your business’s cybersecurity plan is the next step. This includes adding data security features you have opted to employ in addition to making employee training a reality, integrating new software such as updated anti-virus and/or firewall programs on your network, and updating patches to existing software.
Other layers of your cybersecurity plan should include:
Social Media Education– Hackers can find personal information online from social media sites such as Facebook, Instagram, and LinkedIn that they can use to manipulate employees of companies, getting them to disclose personal or sensitive information. Train employees about social media best practices as well as the use of different passwords for each site, software, or application they use. Emphasize your company’s security protocols as well as IT best practices such as the use of least privilege.
Let’s Get Physical, Security– While you may think your building is secure enough to protect your sensitive data, good hackers know how to penetrate this type of security. Be sure not to leave computers exposed and destroy all hard drives using professional services. Physical security breaches can be avoided by encrypting hard drives, leveraging cloud backups, and enclosing hardware ports exposed to the public. Employing theft recovery software, checking door locks and cameras, and properly disposing of shredded paper also help.
Wi-Fi Protection– Wireless internet can also pose a threat. Wi-Fi signals can extend beyond office walls. A bad actor can connect to your signal from far away and infiltrate your network where they can steal files containing proprietary or personal information. Businesses should employ WPA2 (Wi-Fi Protected Access 2) protocols as they are safer than the old WEP (Wired Equivalency Privacy) or WPA (Wi-Fi Protected Access) protocols. Ensure your router has a strong, unique password that is not easily guessed.
Password Protocols– Passwords should be changed often and kept private. Train employees on this and teach them that the strongest passwords include uppercase and lowercase letters, numerals, and special characters. Additionally, passwords need to be different across all accounts. The best way to remember passwords is to use a password manager. There are some free password managers available but the most secure ones typically charge a small annual or monthly fee. Most also allow businesses to sign up for a membership that covers all employees.
Two-Factor Authentication– Even with difficult, unique passwords on every account, seasoned hackers can often penetrate security. As a backup, it’s best to employ multifactor authentication wherever possible. Most large companies use it including Apple, Google, and Dropbox. Using a mobile number and/or email account, multi-factor authentication provides an added level of security. Your business can also implement it with other applications and services as well. New technology such as facial recognition, fingerprints, and/or ultrasonic sounds are on the near horizon and companies should prepare to employ more secure technologies as soon as they are commercially available.
Email Security– This is the most necessary asset for your business to protect. Once in your email, hackers can reset passwords and wreak all types of havoc so be sure to prioritize protecting company email. Never click links in emails or attachments from untrusted or unknown sources as these could take you to a phishing site that looks like a real website. Using Google Gmail and Google Apps is recommended given they have the best spam, virus, and phishing protections available in addition to multifactor authentication already built in.
Anti-Virus– Keep your anti-virus updated at all times. While this helps protect your email and other sensitive information, new malicious viruses are always being created. That means anti-virus companies are always updating their software to address the threats on their “blacklists.” Consider using a service that employs a “whitelist,” which only allows software and programs that are pre-approved to be downloaded adding extra security to your network.
If you need assistance with conducting an IT audit, crafting an IT plan or WISP, or implementing your plan, contact Oram Corporate Advisors today at (617) 933-5060. You can also reach out to us online. Our professionals are always here to support your business with superior IT and IT services.