Hoping to fly below the radar of cybercriminals is not an effective cybersecurity defense strategy. The value of digital assets and information can, and does, exist independent of a business’s size or revenue. From company or customer credit card data, banking or other financial information, to personal health-related records, company trade secrets or work product: if there is a business imperative – or legal or compliance requirement – to keep information confidential and secure, it holds value and your business should protect it.
However, many businesses do not understand the threats they face, the data they possess, how their employees, customers and vendors interact with that data, or the tools needed to defend against cyber threats. Large companies may have greater resources to defend against and respond to a data breach when it occurs, but are small and mid-sized businesses adequately prepared? Small and medium-sized businesses need a set of tools they can use to defend against cyber threats – a cybersecurity tool kit.
CYBERSECURITY COMPANY POLICY DEVELOPMENT
Whether they know it or not and whether they want to or not, every employee guards virtual doors through which cybercriminals are waiting to be let in. Your employees must understand your company’s cybersecurity policy. Your company can achieve that by creating policies that are clear, not too dense or long, and regularly updated. Good policies should also strike the right balance between security and avoiding unnecessary restrictions on employee creativity and productivity.
WHAT SHOULD BE IN THE CYBERSECURITY TOOL KIT?
No. 1 – A Privacy Policy. If your company collects electronic information from customers, a company privacy policy is a pledge to your customers about how you will use their data and how you will protect it. Customers need to know your company understands its legal obligations to them with respect to data privacy. If your company operates in a regulated industry, such as health care, telecommunications, or financial services, there are special laws that apply to your business about handling customer data (e.g., the Health Information Privacy Act (HIPA) or Sarbanes-Oxley (SOX)). If your business does not operate in a regulated industry, your business needs to assure its customers that you understand their expectations about handling their data and that you have made their privacy a priority.
No. 2 – Assign Roles and Responsibilities. Cybersecurity is not just something you delegate to your IT professional. Everyone in your company has a role to play in protecting company data. Your IT professional should of course have a thorough understanding of cybersecurity threats and must be able to advise on and implement technological tools to protect your business (e.g., data back-up, firewalls, etc.). However, there are cybersecurity responsibilities that likely fall outside of the bailiwick of your IT professional. Cybersecurity professionals speak of “layered security.” That concept encompasses an axiom of cybersecurity planning: the more sensitive the data, the more restricted the access should be. It makes sense for many businesses to take an inventory of the kinds of data they collect and store. Once this is done, assign responsibility and access rights to the different types of data based on the level of sensitivity of the data.
No. 3 – Acceptable Use Policies (AUP). “Acceptable use policies” set your company’s expectations with employees on how they handle certain workplace technology, interface with the Internet and control physical access to entry points into your company’s network. Instead of one long AUP, consider drafting several “bite-sized” AUPs. Your company should have AUPs for: email usage, mobile devices, Web browsing, social media, remote access to the company’s network, use of removable media and telephone usage. The currency of most cybercriminals is trust. The successful cybercriminal engages in “social engineering” to try to win your trust – for example, by making that phishing email appear to have come from a trustworthy source. Your company needs to train its employees on how to recognize and avoid these threats, and it can do so, in part, through a comprehensive set of AUPs.
No. 4 – Physical Workplace Security Policy. Because cyber crimes occur via the Internet, physical workplace security is often overlooked as a point of vulnerability. Your company should have a policy that establishes expectations about physical securing of laptops and mobile devices, positioning of desktop screens (away from public spaces), document retention, organization and securing of printed materials containing sensitive information, trash removal and shredding, the need for security cameras, door locks and alarm systems.
No. 5 – Passwords and Encryption Policy. One of the drudgeries that accompanies the cybersecurity era is the need for encryption and passwords. Who hasn’t cursed the forgotten username or password? Sadly, password management is now just something that has to be done – like doing the laundry. However, a thoughtful password and encryption policy can systematize password and encryption management practices for your business. By applying the sensitivity/security axiom explained above, different levels of password security and encryption can be employed to make it less of a hassle to access less sensitive data.
No. 6 – Insurance. No matter how robust your cybersecurity tool kit is, no company is impermeable and where there is risk, there is insurance. Your company should understand whether and to what extent its insurance policies cover cyberattack incidents and damages caused. Many insurance companies and professional firms will provide cybersecurity risk assessments. Some insurance companies are also now offering cyber insurance policies. Cyber insurance is still in an incipient stage of development. Many questions remain about premium amounts, underwriting risk, coverage, government regulation of cyber insurance products, liability limits and overlapping coverage – all of which point to a larger question for small and medium-sized businesses of whether purchasing a cyber insurance policy is worth the money spent on premiums. Small and medium-sized businesses should understand what their existing insurance policy covers, ask their carrier if they offer cybersecurity risk assessments and then evaluate the cost-benefit of cybersecurity insurance.
No. 7 – Incident Response Plan. If and when your company is the victim of an attack, your company should have a plan in place for how to respond. Seth Northrop, an attorney at Robins Kaplan, wrote a great article on this topic in the April issue of Attorney at Law Magazine and we refer you to it for a primer on developing an incident response plan.
No. 8 – Training. Last and definitely not least – the best laid plans are worthless if employees are not trained to follow them. Every company should invest in cybersecurity training for its employees. According to IBM’s 2014 Cyber Security Intelligence Index, human error was a component of 95 percent of all security incidents. Employee training should be comprehensive and thoroughly address all of the subjects discussed in this article. Training should occur annually and training materials should be updated regularly.
The threat posed by cyberattack is very real for today’s businesses and it is proliferating and constantly mutating. Small and mid-sized businesses are not immune from hacking, data loss or security breaches. By taking proactive steps to develop and implement cybersecurity policies, plans and practices, small and medium-sized businesses can develop a toolkit to manage and mitigate their risk.
Tony Mendoza