Cybersecurity is a hot topic these days, filled with scary stories and about 10,000 acronyms. Every day we hear about breaches, stolen data, and companies being held hostage by ransomware. And while most businesses take basic steps to protect themselves, many operate under the fingers-crossed, we-are-too-small-of-a-business-for-anyone-to-bother-with-us mentality, which is exactly what those bad guys want.
Don’t help make it easy for the bad guys to infiltrate your business. Put a comprehensive security risk assessment and business continuity planning on your list of Must-Dos for 2021. Join us over the next few blogs as we discuss steps businesses can take to prevent, prepare for, and recover from a security breach.
First Steps: Knowing and Understanding Risk
Your business is at risk every minute of every day. But before you close up shop and open that tiki bar on the beach (which, by the way, will need secure credit card machines and WiFi – there’s no outrunning cybersecurity), take some time to evaluate your current business’ risks and what you can do to safeguard yourself and the company.
It’s Time to Analyze
Mitigating risk is a matter of understanding the whos, whats, wheres, whys, whens, and hows of your company’s business.
Who? The who includes all the people who come in contact with your business. From the CEO to the HR Manager, right on down to Larry the UPS guy, a lot of people touch your business every day. The roles people play within your business are also part of who, such as who handles new employee setups and who opens the mail. So Betty might be the answer to both “Who is our accounts receivable person?” AND “Who signs for packages?” Also, “Who gets called in the event of a breach?” should be high on your list of questions.
What? What are you protecting? Physical data? Electronic data? Your collection of Pink Floyd albums still in their plastic wrap? And what systems do you have in place? Locked doors? Key card access? Firewalls? Razor wire?
Where? Where are those albums stored? How about the passwords to key accounts? Where is your data stored? Is it locally stored, on the cloud, or maybe both? Where also includes the places from which work is conducted. These days that might include Judy’s kitchen table, Justin’s garage, and the backseat of Betty’s old Volkswagen, as well as the main office.
Why? Why is your data stored the way it is stored? Why do you have the processes and procedures in place that you do? Why have you chosen the IT equipment that you use? Why does Betty need access to the main client database? Why do you allow the mailman into your breakroom? Why is the CFO exempt from security awareness training?
When? When might seem like an odd consideration, but in looking at your potential risk, you need to factor in things like: When does my business operate? When is it the busiest? When are people the most frazzled? When do people access data? When are security updates installed? When do we do trainings?
How? How is your data accessed? How is it backed up? How do you do security updates and patching? How often is your technology equipment refreshed? How do you handle terminated employees? How will your team react to suspicious emails or behavior? How about a security breach? How long can your business be offline if you are breached?
Now Call in the Troops
These are just a few considerations. The list of who, what, where, why, when and how for a business is going to be even longer than little Johnny’s Christmas list. Call together your core team and your IT people, grab a few gallons of coffee and start brainstorming.
Note: Consider including HR, the receptionist, and/or Chuck from the mailroom. These people know an awful lot of what goes on, who accesses the building, and other “gossip” that is actually good fodder for considering potential risks to your business. Knowing that the smokers prop open the back door that’s right next to your network closet every time they go out is information Chuck has and that you’re going to want.
Everything is Entwined
As you work through your lists, you’ll find that many things overlap. For instance, Who includes people, and should cover questions such as:
- Who has access to what?
- Who actually needs access to what?
- Who sets permissions for employees needing access?
And those questions should then lead to things like:
- How often are permission levels reviewed?
- What is our protocol for validating and/or changing permission levels?
In reality, your brainstorm is going to look more like one of those Venn Diagrams you did in elementary school than a straight-up list. So prop up some big whiteboards, hand out some sticky notes and ban lined notebook paper from the meeting. It’s time for a brain dump.
Don’t worry, Type A’s: the bullet-pointed lists can come later.
But, dang it Jim, I’m a Doctor, Not a Tech Nerd
We get it. You’re the office manager of a company that makes widgets. How are you supposed to know if you’re asking the right questions when it comes to security and other IT-related issues?
Luckily for you (and Jim), we are tech nerds. And we know our stuff, just like many other security-loving guys and gals out there. If security isn’t your passion, hire someone to help you. Sally may be an amazing CEO, but do you really want her to be in charge of developing a plan for security when her IT knowledge comes entirely from watching The Matrix 423 times?
Yes, bringing in the nerds will cost you some, but in the long run, will likely save you. And, ultimately, saving you and your business is the point.
So put on your thinking caps, grab the comfy chairs and start asking the questions.