UPDATED MAY 2020
It seems we can’t go more than 24 hours without hearing about the latest and greatest data breach affecting millions. These headlines are worrisome and have led to many sleepless nights for business leaders at small and medium-sized businesses.
The good news is business leaders can have an immediate and lasting impact on the company culture—but it needs urgency and authenticity to resonate with staff. If the C-Suite is on board with creating and maintaining a culture of security, the next steps are pretty straightforward:
Write and enforce an Acceptable Use Policy.
All employees should know the ground rules for using company computers. Are they allowed to use Facebook? Can they access work email from their home PC? Can they access personal email while on the network? An Acceptable Use Agreement spells out what is and isn’t permissible, and speaks to consequences – up to and including termination – for non-compliance with the policy. The policy should be updated at least annually, and all employees must review and acknowledge the policy.
Document and comply with your internal Information Security Policy.
Which steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data? The Information Security Policy is the document that sets your internal standard for security – for example, it might say that “all employees receive security training twice per year.” It’s then up to leadership to make sure that this policy is indeed complied with. Simply going through the exercise of creating this policy will force your organization to pose, and answer, tough questions.
Write and follow your Business Continuity Plan.
Writing out a documented plan that prepares for the "worst" demonstrates to your clients, employees, and stakeholders that you're serious about maintaining a successful business despite any hiccup that might come along. Knowing how to react to what could be a devastating occurrence allows businesses to maintain client satisfaction and faith in business leadership.
Train your people. Repeat and repeat again.
The Verizon Data Breach Report found that 1 out of every 14 users fell for a phishing attempt. Given the sophistication of business email compromise (BEC) these days, it's no wonder untrained users are often tricked into letting “the bad guys” into your network by clicking on a hyperlink in an email. When was the last time your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture? Look for training solutions that promote security awareness within your organization throughout the year. Some solutions offer automated monthly/quarterly/on-demand phishing tests which help keep your users on their toes in between security training sessions.
Adopt a defense in depth approach to security.
No single technology can provide adequate security for your entire network and all your data. To fight today's criminals, organizations need multiple, layered measures that each address a different kind of cyberattack, so that when one control fails another still stands. It starts with culture, but tools and technologies matter too.
Deploy cloud security tools to protect your cloud-based data.
Tools like Microsoft's Enterprise Mobility + Security suite can be utilized to protect your Office documents, sensitive data, and even other cloud applications that exist outside of on-premises IT systems. The myopic days of focusing on our on-premises IT systems and data are over; it's time to deploy the next suite of security tools to keep our cloud data safe as well.
Creating a culture of security takes work and time. With the right mix of business processes, education, and tools, your business will naturally develop a strong, security-centric culture.
If you'd like to discuss how your business can begin building a culture of security, fill out our form and get the conversation started.
Erik Thomas leads the Advisory Services group at Systems Engineering. Erik has over a decade of experience with IT, application development, and business operations. His group assists clients with the planning and implementation of IT systems, business development, cybersecurity risk assessments, and addressing regulatory compliance for businesses.