Cyber Defense: Developing a Program to Protect Your Business
In the span of a few short years, cybersecurity has transformed from an aspiration to a necessity. No longer the purview of just the IT department, business executives are being asked to develop and implement cybersecurity plans to defend against the ever-changing cyber threat landscape. The job may seem daunting in light of the technology involved in this emerging area of risk management. But the basic premise of cybersecurity is no different than that of home security. In each situation, five fundamentals must be addressed to create a strategic action plan to protect your valuables.
- Know Your Assets and Prioritize Them
What do you have, what do you want to protect, and where is it? If your house catches on fire, you save your family first, then grab the jewelry and the wedding album. But you leave the junk mail on the kitchen counter.
Similarly, you must understand your organization’s assets to decide what is worth protecting. This can include intellectual property, client files and employee insurance data. The information can be located on servers, in the cloud, or with third-party vendors. The starting point to developing a cybersecurity plan is to create a data map that catalogs the types of information your organization collects, the location of stored data and who is responsible for it.
- Know Your Vulnerabilities
Burglars enter through access points: windows and doors. And if your property is worth enough they may try the skylight too.
In the cyber realm, hackers can intrude from the outside via the internet, email and cellular networks. But data can also be breached by an employee losing a laptop or using a thumb drive that contains malware. Speak with your IT professionals to fully understand all of your organization’s access points: how data is collected and transmitted, where it is stored and with whom it is shared.
- Safeguard Your Valuables
Protection must be comprehensive. You install a lock on every door and window. You repair broken fences. You double secure your jewelry in a safe in case an intruder actually gets in. And your favorite sister has a copy of your wedding album to replace the original if it is ruined.
Securing company data is no different. Require employees to develop strong passwords. Limit access to the Secret Recipe on a need-to-know basis. Protect against viruses, spyware and other malicious code by installing software that is readily available from online vendors. Configure the software to install updates automatically, which is critical because companies develop patches and revisions to correct security problems on a regular basis. Secure your network by using a firewall and encrypting information. Hide your Wi-Fi network by configuring your router not to broadcast the network name, and password protect access to the router. Backup critical information automatically if possible, or at least weekly to help restore a server crippled by malware. Important data can include documents, databases, human resources files and accounts receivable/payable files. Store the copies either offsite or in the cloud.
- Make a Plan and Prepare for the Worst
Protection requires everyone to know the rules. Don’t open the door to strangers. Don’t give personal information on the phone. Meet at the oak tree if the smoke alarm sounds. Practice makes perfect, and fire drills are priceless when it’s time to react to a real emergency.
The same holds true when educating employees. Don’t open phishing emails. Don’t divulge passwords or company information. Do call the IT department immediately if you suspect there is a problem. Establish policies on how employees should handle and protect company data and clearly outline the consequences of violating the policies. Engage employees in table top exercises to practice what they’ve learned.
- Shift Risk
Even the best security can be breached. That’s why you have homeowner’s insurance, with a specific rider to replace the jewelry that was stolen along with the safe. And when you hire a plumber, you make sure he is bonded and insured so you’re not paying for his mistakes.
Cyber insurance is a similar necessity. Like homeowner’s policies, separate riders must be considered to guarantee complete protection. Third-party vendors should be scrutinized and obligated to adopt your company’s security measures and maintain adequate insurance of their own to protect your organization in the event of a breach.
Once you’ve gained a thorough understanding of these fundamentals, you are well on your way to drafting a strategic cybersecurity plan to protect your business. For a more comprehensive guideline, consider the FCC’s Cyber Security Planning Guide, which can be accessed at: https://transition.fcc.gov/cyber/cyberplanner.pdf.
Tammy B. Georgelas is a cybersecurity and litigation attorney at Parsons Behle & Latimer based in Salt Lake City. She advises clients on data security, breach prevention, information security policies and response strategies including compliance with state and federal laws.