Cybersecurity: Actionable steps to protect your data
By Ben Hunter
We discussed the importance of creating a culture of cybersecurity in your company in a previous article, “Cybersecurity: Why should you care?” Now, what steps should you take after you have leadership on board with upping your security measures?
Taking a top-down approach to implementing new cybersecurity standards, these are the actionable steps and considerations to weigh when evaluating your approach:
1. Start developing a plan to prepare for, prevent, and respond to cybersecurity threats. Focus heavily on prevention. You should have a thorough incident response plan, but prevention should be your first line of defense.
2. Use Multifactor Authentication (MFA) across all company platforms. MFA blocks the stolen, phished, or reused passwords that start many ransomware intrusions, but only where it is actually enforced: remote access (VPN and remote desktop), email, and administrator accounts should be covered first, and any login that still accepts a password alone is the one an attacker will look for.
3. Keep backups offline, or otherwise unreachable from the production network, so that ransomware which encrypts your systems cannot also encrypt the copies. Test and validate backups regularly by actually restoring them and confirming the restored data matches the original; a backup job that reports success is not proof that the data can be recovered.
4. Determine the decision-making process for dealing with ransomware. You need to know who in the firm has decision-making authority to pay the ransom or pull the plug on a device when a situation arises. Consider when you will call the FBI to aid in the decision-making process.
5. Educate marketing and PR departments on how to communicate situations or threats. It is important that they are trained ahead of time in the event that a serious situation arises.
6. Create a training plan for new and existing employees. Cybersecurity procedures should be enforced as soon as new employees are given access to any company networks. Spend adequate time training them on what to look out for and who to alert of any issues. They should be trained on using MFA and other systems such as a password manager.
7. Develop a procedure for departing employees. Be diligent in removing any and all access to company networks and data on their last day, including remote access, email, cloud and software-as-a-service logins, shared accounts whose passwords they knew, and any company devices or keys they hold.
8. Consider investing in some (or more) cyber insurance. The cost of cyber insurance has been going up, but so have the potential damages when an incident does occur. It is important to determine how much coverage you need, what the requirements are, and what is included or excluded in the policy. Cyber insurance policies now carry lengthy requirements, such as MFA, backups, business continuity planning, and more. As a business, these are measures you should be taking anyway, and working through an insurance application is a useful way to take stock of where you stand. Some insurance companies will provide a report card for your business to let you know how you are doing. Your policy may even include a cyber coach that you can engage with at no extra charge.
One thing to note: Your claim could be denied, and your coverage canceled if a cyber-attack happens because of something you misrepresented in your application. If a policy requires MFA and you only use MFA in one area of your business, find out what qualifies.
9. Hire a cyber lawyer to guide you through notifying key parties of incidents.
10. Decide if a Chief Information Security Officer (CISO) is right for your company. A CISO can set the strategic management of cybersecurity risks and incidents but is typically found in larger companies with higher budgets. If you are a smaller company, you may want to consider contracting out a virtual CISO (vCISO) to help. A risk assessment can be used to make the determination.
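Step 3 above says to test and validate backups, which in practice means restoring them and comparing the result against what was backed up. The script below is an added example illustrating that, not code from this article or from BRC: it writes a backup archive together with a manifest of file hashes, then restores the archive into a scratch directory and reports any file that is missing or differs. The directory and file names, the archive format (tar.gz), and the sample files are all constructed for the example; a real job would run the same check against the offline copy on a schedule and alert on any report where ok is false.

```python
"""Backup validation by restore-and-compare.

Example code added to this article (not the author's or BRC's tooling).
All paths, file names, and file contents are constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Write a tar.gz of src plus a manifest recorded at backup time.
    Store the manifest with the offline copy; the restore test needs it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and compare every file against the
    manifest. ok is True only when the restore is byte-identical."""
    expected = json.loads(manifest_path.read_text())
    report = {"ok": False, "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Refuse member paths that would escape the scratch directory.
                for m in tar.getmembers():
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        raise tarfile.TarError(f"unsafe member path: {m.name}")
                tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"restore failed: {exc}"
            return report
        restored = build_manifest(dest)
        report["missing"] = sorted(set(expected) - set(restored))
        report["mismatched"] = sorted(
            rel for rel in expected
            if rel in restored and restored[rel] != expected[rel]
        )
    report["ok"] = not (report["missing"] or report["mismatched"])
    return report


def demo() -> tuple:
    """Constructed sample: a good backup passes the restore test; a backup
    that silently skipped one file and truncated another fails it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "finance"
        (src / "ledgers").mkdir(parents=True)
        (src / "ledgers" / "q1.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "policy.txt").write_text("retention: 7 years\n")

        make_backup(src, work / "good.tgz", work / "good.json")
        good_report = verify_backup(work / "good.tgz", work / "good.json")

        # Simulate a backup job that lost data after the manifest was written:
        # policy.txt never made it into the archive and q1.csv was truncated.
        (src / "ledgers" / "q1.csv").write_text("acct,amount\n")
        with tarfile.open(work / "bad.tgz", "w:gz") as tar:
            tar.add(src / "ledgers" / "q1.csv", arcname="ledgers/q1.csv")
        bad_report = verify_backup(work / "bad.tgz", work / "good.json")
    return good_report, bad_report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the second case is that nothing in the bad backup "failed": the archive exists, opens, and extracts cleanly. Only restoring it and comparing against the manifest recorded at backup time reveals the missing and corrupted files, which is why the test has to be a restore rather than a check that the backup job completed.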
Cybersecurity is not a business problem, but a business risk. These actionable steps and considerations will help you and your organization to manage the business risk of cybersecurity.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]
The information contained in this article is for informative purposes only and should not be relied on when making any business, legal, or other decisions. This information may be updated without notice and/or may not contain the most current information that is available related to this topic. Please consult with your advisor to determine how this information applies to your specific facts and circumstances.