The pace and severity of data breaches have cybersecurity professionals on the frontlines in a constant battle of what seems to be an unwinnable war against cybercriminals. The headlines are worrisome and have led to many sleepless nights for executives and IT leaders at small and medium-sized businesses (SMBs). The good news is that leadership can have an immediate and lasting impact on defending their organizations from the enormous impact of a cyber incident. The secret weapon: a company culture focused on cybersecurity – one that puts a priority on operating securely and authentically and resonates with staff.
Creating a culture of security takes work and time; it is a journey, not a destination. With the right mix of business processes, education, and tools, your business can develop a strong, security-centric culture.
Creating a culture of security starts at the top. If you and your C-suite are on board with creating a culture of security, the following steps are pretty straightforward:
All employees should understand and apply the ground rules for using company resources and devices. Can they access work email from their home PC and mobile devices? Can they access personal email while on the network?
An Acceptable Use agreement spells out what is and isn't permissible and speaks to consequences – up to and including termination – for non-compliance with the policy.
The policy should be updated at least annually, and all employees must review and acknowledge the policy.
An Information Security Policy (ISP) is the document that sets your internal standard for security. It might say, for example, that “all employees receive security training twice per year.” It’s then up to leadership to make sure that this policy is indeed complied with.
Simply going through the exercise of creating an ISP will force your organization to pose and answer tough questions.
Which steps has your organization taken to maintain and enhance your security posture? How are you protecting your customer and employee data? Having a documented Business Continuity Plan (BCP) that prepares for the "worst" demonstrates to your clients, employees, and stakeholders that you can maintain operations when faced with disaster.
Having a plan to react in a challenging business environment, like a pandemic, allows organizations to maintain client satisfaction and garner confidence in the organization's ability not just to survive but to thrive.
When was the last time your organization conducted formal security training with the staff? Did you repeat it, institutionalize it, and embed it in your culture?
Verizon’s Data Breach Investigative
Look for solutions and promote Security Awareness Training within your organization throughout the year. Some solutions offer automated monthly/quarterly/on-demand phishing tests, which help keep your users on their toes in between security training sessions.
Defending against today's cybercriminals requires a range of protection measures that address different forms of cyberattack. To manage evolving cyber risks, conduct an annual Cybersecurity Risk Assessment. This assessment takes a comprehensive look at your environment to determine which security controls and practices you have in place and where there are gaps.
In addition, an assessment should tell you the efficacy of each defense measure; you may have bought a security tool, but are you using it to the level your business requires? Armed with this information, your organization will know where to improve, thereby reducing the risk of a cyberattack.