By Kyle Paalman
As Vice President of Finance for NuWave Technology Partners, I don’t know where I’d be without a solid team of IT professionals and healthy IT infrastructure—a critical combination to ensure my financial systems are simple, secure and reliable. Having my financial data readily available from anywhere at any time, while keeping it secure, is essential to the health of our business…not to mention my own mental health!
Many facets of building and maintaining a strong and healthy network infrastructure come into play in supporting the financial systems and financial data. To simplify this at NuWave, we boil it down to several strategic priorities:
- Planning and Budgeting
- Healthy Infrastructure
- Quality IT Systems
All six strategic priorities need to be in place, but for this article, I’ll focus on planning and budgeting and security. Planning and budgeting, because they are the main effort that will have the greatest influence on your posture and future. Security, because it’s essential to protecting not only your financial assets, but also the one asset that is priceless: your data.
Identify the Risks
I’ve found that planning and budgeting for IT is the single most important activity that assures we have and maintain a healthy infrastructure. The plan and the budget give me a road map and schedule that is predictable, greatly reducing emergency spending and the lost productivity while systems are down. I have found that creating a plan and sticking to the budget is less costly in the long run and greatly contributes to my IT peace of mind.
The foundation of a healthy infrastructure includes implementing quality systems, maintaining manufacturer’s warranties for critical systems and keeping up with both current operating systems and current security patches. Not only is this critical to assuring my financial systems and my financial data are available, but it’s the bedrock in securing those financial systems and financial data.
The plan to secure your systems and your data starts with assessing the current state of your IT systems. Identify what data is most valuable, where it’s located, how it is secured and how it is backed up. Thinking about who could benefit from having this data and how it could be used might help to identify what data is invaluable to your organization. Customer data, sensitive account information and personal data (yours and your staff’s) will likely rank at the top of the “invaluable” list.
Know Your Risks
Once you’ve identified the risks, it’s important to gain knowledge about the risks and any regulatory compliance requirements within your organization, as well as within your industry and your supply chain. Although managing risk for regulatory compliance may not be required for many businesses, the practice of understanding and managing risk is key for any business.
Counter the Risks
As with any asset, consider your return on investment. The costs should be reasonable and in line with your business to ensure there isn’t any loss in productivity and efficiencies. Keeping this in mind will help to balance the best protective and corrective actions. Here are some simple steps any small business should implement:
- Create a culture of cyber security awareness throughout the organization. Staff in every part of the business can help protect the organization when they are aware of the risks. Provide safe channels through which they can report suspected threats.
- Publish an acceptable use policy (AUP) to help employees understand the requirements and expectations for maintaining and securing company assets, systems and data.
- Design and implement cyber security awareness and education programs to keep cyber security issues top of mind for the entire staff. Statistically, the human factor represents the greatest vulnerability to data breaches and ransomware attacks through various phishing attacks. These programs should also cover maintaining a high level of physical security, especially monitoring high-security areas, such as data closets. Employee training and awareness programs should include the review and sign-off on the company AUP.
- Implement and require passwords and password policies to access valuable data.
- Conduct background checks on new employees and on employees newly transferred to IT functions. Verification of education and work experience, as well as a criminal background check, should be part of a comprehensive security program.
- Identify and understand the security posture and policies of the suppliers and vendors in your electronic supply chain. This is especially important with outsourced companies and individuals: do it prior to contracting with them, and hold them to the standards in place internally.
- Establish secure data-destruction processes for computer hardware and peripheral equipment. Ensure hard drives are encrypted and install remote wiping programs on all electronic devices, such as laptops, tablets and cell phones.
Responding to a Security Breach
Cyber security breaches can cause extensive damage and include more than just monetary theft. Having a response plan in place before a breach is the first step in preparing for an effective response. Knowing what your insurance policy covers will help assure that all reasonable incidents are covered. Not all cyber security insurance policies or insurance riders are equal. Understand what your company’s policy covers and make sure the coverage is appropriate given what’s valuable and at risk in your company.
Finally, in the event of a breach, react quickly and efficiently. Report any cyber attack attempts to law enforcement. The faster you react, the higher the chance of recovery, if there is a loss.
Without a doubt, IT is critical to the health of my financial systems and my invaluable data, but when I really boil it down, security is a business issue, not a technical issue.
Kyle Paalman is the Co-Founder of NuWave Technology Partners and currently serves as the VP of Finance and Administration. In 2005, NuWave was started with a focus on being a trusted partner for organizations looking to find an IT company that could take care of all their technology needs.