4 Non-Technical Steps Every Company Should Take
With the rapid succession of recent attacks including the Colonial Pipeline, the JBS USA Meat Co, the Republican National Convention, and Kaseya (used by thousands of MSPs similar to Upward), every company in America is on heightened alert that this threat is very, very real. In fact, in a recent survey with top banking execs conducted by Deloitte, cybersecurity was listed as their #1 concern, ahead of labor challenges, inflation, climate change, tax reform, and all other issues.
For small and midsize businesses, the challenge and risks are quite clear, but the path to mitigation is not. In this article, we intend to lay out four critical, non-technology steps every company should undertake to help protect their business.
Build a Cyber Governance Team
Cybersecurity is not an IT issue; it is a business risk issue. If you leave the responsibility of protecting your company solely to your IT department, you will fail to protect your company. Formal or informal, the first thing every company must do is elevate the discussion and bring the broad and varied risks into the light. Owners, executives, and managers should build a cadence to meet on a regular basis (once a quarter at minimum) to review the threats (which, if formally organized, is called a Risk Register) and determine the priorities for investing in protecting against them. If you work with an outsourced firm for some or all of your IT support, you can rely on them to bring key insights and/or lead these meetings.
Develop an Asset Database
If you don’t know what is there, how can you protect it? A key and often overlooked initiative is to identify all hardware and software assets used by your company. You will almost certainly be surprised by the breadth, variety, and sprawl of the software and hardware your team actually uses. By building this database, you will provide your company with a baseline to begin creating policies, and to respond surgically if there are exploitations or breaches with any of the solutions you use. For instance, if you found out DropBox was breached tomorrow, would you be able to quickly identify which departments and users utilize that solution and what data may have been compromised?
If you utilize an IT firm, chances are they have advanced software they can use to expedite this process.
Once you have gone through the asset database process, you will be able to come to terms with the expansive footprint your company has established and begin culling and consolidating systems. This will have the dual effect of reducing your attack surface and forcing conversations around standardization. Sure, your graphic designers may love Corel, but your firm has chosen the Adobe suite, so the designer will need to adapt to InDesign. These discussions are a healthy maturation process, as additional systems create more overhead, more risk, more disparities between departments, and more costs.
Establish Policies
Policies are a prerequisite to almost all IT changes, as they make explicit the intention of the organization. They draw the boundaries and guidelines that all stakeholders can act on. Some criteria for a healthy set of base policies:
- Identify stakeholders and their responsibilities
- Inform every employee of what is allowed and not allowed in the environment
- Describe the different types of data in use, and what is allowed to be done with them
- Relay the consequences of deviating from the policies
- Provide guidance about the specific catalog of systems and applications (by name) that the organization allows
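The asset database and the approved-software catalog above are most useful when they can be queried in minutes. The following script is an added example, not part of the original article or Upward's tooling: it loads a constructed asset inventory (user, department, device, software, vendor, data classification), answers the "DropBox was breached tomorrow" question by listing affected departments, users, devices and data classes, and flags any software that is not on the organization's named catalog of approved applications. The inventory rows and the approved list are invented sample data; in practice they would come from your IT firm's inventory tool.

```python
"""Asset inventory lookups for breach response and policy enforcement.

Added example (not from the original article). Constructed sample data:
a small asset database plus the organisation's approved-software catalogue,
with the two queries a governance team most often needs answered quickly.
"""
import csv
import io
from collections import defaultdict

# Constructed sample inventory; a real one would be exported from an
# asset-management / RMM tool. data_class is the classification from policy.
ASSET_CSV = """\
user,department,device,software,vendor,data_class
alice,finance,LT-0101,Dropbox,Dropbox,customer_pii
bob,marketing,LT-0102,Dropbox,Dropbox,public
carol,design,WS-0201,CorelDRAW,Corel,internal
dave,finance,LT-0103,QuickBooks,Intuit,financial
erin,design,WS-0202,InDesign,Adobe,internal
frank,sales,LT-0104,Dropbox,Dropbox,customer_pii
"""

# Approved catalogue, by name, as the policy section recommends (constructed).
APPROVED_SOFTWARE = {"Dropbox", "QuickBooks", "InDesign", "Outlook"}


def load_inventory(text=ASSET_CSV):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def breach_impact(inventory, vendor):
    """Scope a vendor breach: who uses it, where, and what data is exposed.

    Vendor matching is case-insensitive. Returns sorted lists so the output
    is stable and easy to paste into an incident record.
    """
    hits = [r for r in inventory if r["vendor"].lower() == vendor.lower()]
    return {
        "departments": sorted({r["department"] for r in hits}),
        "users": sorted({r["user"] for r in hits}),
        "devices": sorted({r["device"] for r in hits}),
        "data_classes": sorted({r["data_class"] for r in hits}),
    }


def unapproved_software(inventory, approved=APPROVED_SOFTWARE):
    """Map each piece of software outside the approved catalogue to its users.

    This is the consolidation conversation from the asset-database section,
    expressed as a query: anything listed here needs a policy decision.
    """
    found = defaultdict(set)
    for r in inventory:
        if r["software"] not in approved:
            found[r["software"]].add(r["user"])
    return {name: sorted(users) for name, users in sorted(found.items())}


if __name__ == "__main__":
    inv = load_inventory()
    print("Dropbox breach impact:", breach_impact(inv, "Dropbox"))
    print("Unapproved software:", unapproved_software(inv))
```

Run it as-is to see the two reports; replace `ASSET_CSV` with an export from your inventory tool and `APPROVED_SOFTWARE` with the catalog named in your policy. The data_class column is what turns "who uses Dropbox" into "what may have been compromised", so it is worth populating even if the first pass is rough.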
Develop a Training Program
As recent news has made clear, new risks and exploits are discovered every day. According to the Washington Post, total losses from cybercrime activities are expected to have reached $1 Trillion in 2020. One thing this startling statistic should tell you is that no matter how much you spend, there will always be a new risk and a new threat you are unprepared for.
Human intelligence becomes your final (and in many ways best) line of defense. Awareness, caution, diligence, and consistency are traits that can be cultivated and coached through a concerted cybersecurity awareness campaign. Powerful software exists that can automate much of this critical learning; your IT partner should be able to provide you with an action plan. In any case, even informal lunch-and-learns can make significant headway simply by training users on the fundamentals and telegraphing the importance to the organization.
A well-informed user population will be much more likely to have “a hunch” about a suspicious email, to pick up the phone before changing wiring instructions, or to avoid clicking a link from an unfamiliar email sender.
If you are behind on any of these four initiatives, you are in good company, and we would be happy to help you catch up. The future of your company may rest on your willingness to invest in proactively avoiding a breach. Don’t be a statistic.