By: Rogers Cybersecure Catalyst
Cybersecurity still operates in a mysterious space for many organizations. All layers of an organization (owners, executives, senior managers and other team members) struggle to determine their role in defining cyber risks and the overall cybersecurity framework within their organization. Far too often, discussions on cyber threats and risks get relegated to those who are responsible for IT operations. This is partly rooted in the misconception that cybersecurity is an IT issue. It is not! Cybersecurity is a business issue; ‘cyber risk’ is a convenient way to categorize an array of internet-enabled threats that directly translate into operational, compliance, financial, reputational and/or personnel risks. Fundamentally, and at the start, this is not a technical discussion but a discussion about business operations and business risk. There are two critical questions that every business owner should address before discussing cybersecurity solutions; answering them will help ensure they take the right approach to protecting themselves.
The first is, ‘what do I need to protect?’ Start by identifying and taking an inventory of the critical business information and information systems that you believe are essential to business operations. A great way to explore this question is to consider the potential business impact that a compromise of your business information or information systems would have on your operations. This includes the consequences of unauthorized access, disruption, loss, theft, manipulation, misuse, or destruction of data or systems upon which your business relies. For example, what would happen if intellectual property, confidential business exchanges, or personal employee or customer data were exposed? What would be the impact if you had an unexpected outage on a key business system? Identifying what is critical to your business helps you determine what the impact of a compromise would look like. This further clarifies what you need to protect and lays the foundation for understanding how you can protect it.
The next question is ‘what or who am I protecting my business from?’
Building on the responses to the first question, this step helps identify the types of protection, and the degree of protection, needed to shield information and information systems from threats to your business. When identifying threats, do not limit yourself to cyber criminals who may hack into your systems to access information, steal data or install malware. Other forms of threat, deliberate or accidental, should also be evaluated and taken into consideration, as they hold the potential to compromise your day-to-day operations or the information architecture upon which your systems rely. For example, what is the likelihood of a deliberate ransomware attack on your business? What is the potential for an employee to accidentally leak personal client data or unknowingly violate a security protocol? What are the possibilities of a business system disruption due to a natural disaster? Understanding the nature of the threats and the likelihood of their occurrence brings greater focus and clarity to discussing the types and degree of protection your business needs to mitigate them. Answering these two key questions will help you have an informed discussion with your security team or security provider on how to protect your business from cyber vulnerabilities. It will help you prepare a framework of technical and non-technical measures (security controls) that you need to implement to effectively manage your cyber risks.
While it is always a good idea to invest in your cybersecurity infrastructure, cybersecurity does not always require a substantial investment in time, money and resources. There are simple steps you can take to ensure that you maintain good cyber hygiene within your organization.
1. Educate your team – Ensure that your team is aware of their responsibilities to protect information and information systems and of the ways that a breach can occur. Educate them on good cybersecurity practices and ensure they follow them in their work environment as well as on their personal devices.
2. Use anti-virus protection tools and a firewall – Configure your antivirus properly. Use internal and external firewalls at work and offer to support your employees with firewall software for their home networks.
3. Develop and enforce good password practices – A large majority of threats start with something as simple as poor password management. Develop a password policy and ensure employees change their passwords frequently. Use multifactor authentication where possible.
4. Regularly back up your data – This will ensure that any data you lose during a breach can easily be recovered.
5. Perform regular audits – Consistently perform checks on your technical infrastructure to ensure you are following cybersecurity best practices.
6. Be aware and be ready – Have a formal security policy alongside a cybersecurity incident response plan to help you identify, manage and respond to a threat much more quickly.
Small businesses can be easy victims of cyber threats, but they don’t have to be. Protect your reputation and your business operations, while limiting the potential for crippling financial losses, by ensuring cybersecurity is a top priority within your organization.
(Authors: Randy Purse CD, PhD, CTDP and Sumit Bhatia)