Staying informed about cybersecurity is something every company should be ready to address. It is an important matter because it is about protecting your company's digital assets.
Cybercrime is on the rise, and industry regulators are imposing larger fines for privacy violations, unsafe data sharing, and insecure data storage. A single incident could cost millions of dollars. For many small- to medium-sized business owners, that could mean the end of the business.
A study by Keeper Security found that most companies with 500 or fewer employees have no cybersecurity team at all and no active incident response plan in place.
“In fact, only 7 percent of SMB CEOs feel they will be hit with a cyberattack, even though 67 percent of the businesses were targeted last year,” say the masterminds at Keeper Security.
Even worse, a survey conducted by Keeper Security found that:
- 60% of respondents said they do not have a cyberattack prevention plan.
- Only 9% of the businesses surveyed rank cybersecurity as a top business priority.
- 18% ranked cybersecurity as their lowest priority.
- 7% of CEOs, corporate chairs, and owners say a cyberattack is very likely, and nearly half (43%) of them say a cyberattack is not at all likely (higher than any other management group surveyed).
Even when the risks are present and known, companies appear to have no ready solutions for these threats. As a result, even where cybersecurity is a priority, companies rarely find solutions to their challenges. So, what is the best way to handle these challenges?
How Do I Put a Cybersecurity Plan Together?
A cybersecurity plan is primarily a roadmap. For what? For circumstances in which you cannot sit around and think but must act fast.
For example, a disgruntled employee who was fired earlier in the day goes on social media and reveals sensitive information. Or another employee receives an email, opens it, and it turns out to contain a virus. Even worse, they download something from an untrusted site and the information on the computer is held for ransom. The attackers may already have access to your internal network. What do you do then? Every second that passes raises the risk.
In all these situations, the best thing is to know exactly what to do. If situation 'A' happens, you have a plan to face it. The same goes for scenario B, or for the case where your entire network is held for ransom. You have a piece of paper that tells you:
In Case of Ransom Follow these Instructions.
The first step in creating your cybersecurity plan should be a survey of your current security practices. What are people doing to stay safe when they are online? How do they transport or exchange information? Those are just a few of the questions you should ask and answer.
Secondly, you should set down rules on "common practices" and make sure every employee and associate knows that when they use your systems, they must behave in the following manner:
- Do not open emails from untrusted sources, or any email that feels suspicious. It is a risk, and chances are it will turn into a problem.
- Do not share passwords for personal or work accounts.
- Do not access personal accounts at work or work accounts at home.
- Make sure compliance requirements regarding cyber risk are met.
- Respect your access level (know what you can access and what you cannot).
To name a few. Finally, there is a series of steps built on these rules that reinforce your security and ensure the rules are followed:
- Establish passwords and levels of access throughout your company, whether you have 25 or 250 employees. Not everyone needs access to everything.
- Establish two-factor authentication for sensitive information. Everyone involved will receive a notification when someone tries to access that information.
- Make sure every system has its own antivirus, anti-spyware and anti-malware software, with licenses and signature databases kept up to date.
- Move to the cloud and encrypt your files.
- Restrict employees from using physical media, such as external hard drives or flash drives.
“You should consider that if you do not have an in-house IT team that can discuss a cybersecurity approach, you should consider the chance of hiring a third-party provider, since cyber security is an ongoing job and it requires constant updates on all fronts.”
Security Is Taken Care of, What Should Come Next?
You have updated your antivirus software and so on. Everyone knows what to do and what not to do. Is it all over? No. Not even close.
After you have checked your security status and updated it, there is still the risk of "not knowing."
Being unaware is a major factor in cyber liability. That is why the next step should be cybersecurity training. Your employees are your first line of defense. Remember that in all the examples above, someone got into a network; if your network is secure, then someone must open the door for a breach to occur. That is why your employees should know what constitutes a red flag in cybersecurity and why they should never download "that fun emoji" onto their office computer.
The second step to make security part of your business's culture is to post reminders in shared spaces. Use them to remind employees of their cybersecurity responsibilities and to keep everyone aware of best practices and tips that increase their knowledge.
Developing Your Cybersecurity Plan
Now you are ready to start building your cybersecurity plan. What is the foundation of that plan? What are the main aspects you should be looking out for?
- Find Key Assets and Threats.
- Prioritize Assets, Risks, and Threats.
- Set Achievable Goals.
- Document Your Policies.
- Test for Vulnerabilities.
- Establish a period to reevaluate the plan and repeat the process.
Am I Safe?
So, in conclusion, building a cybersecurity plan does not require you to be the absolute king of online security; with a few best practices, awareness among employees, and common sense, you should be heading in the right direction.
The most important thing to remember is that a cybersecurity plan is never fully finished. It needs to be re-evaluated periodically, as pointed out in step 6: "establish a time frame to reevaluate the plan and repeat the process."
To end this article, it is worth paying attention to what the Harvard Business Review is saying about this subject: "The majority of chief information security officers around the world are worried about the cybersecurity skills gap, with 58 percent of CISOs believing the problem of not having an expert cyber staff will worsen."
A Helping Hand
To help you improve your cybersecurity, we have put together these articles covering the most important aspects of security. You can also download our cybersecurity to-do list as a template for the instructions you should follow at your organization.