There’s no ‘one size fits all’ for cybersecurity
May 22, 2018
By Mark Davidson, TGG Solutions
When you think about “cybersecurity” what do you think about? Chances are you think about firewalls, anti-virus software and email anti-spam solutions. Technology alone cannot protect you from the varied cyber threats that your small business faces. You need a risk-based, holistic approach that considers technical, physical, operational and, most of all, human factors. Above all, you must gain buy-in from executives and management, because without it associates will not buy in either.
Below are some of the key items you should consider when building a cybersecurity program:
- Monitoring, auditing and creating internal reporting systems provide proof of what you are doing and allow others to report issues they see.
- Controlling access removes some of the human risk. Grant the least amount of access necessary to networks and applications.
- Maintain physical and environmental security by implementing a security system, including ID badges and locked filing cabinets.
- Conduct asset management – know what you have, what is stored, how it should be used and how it should be disposed of, such as through a shredding service.
- Create standard policies and operational procedures. These set clear guidelines for what cybersecurity is and how processes are handled within your organization. Define duties and routinely review them so the information stays relevant.
- Implement an incident response plan – a plan for what you will do if your information is compromised.
- Conduct risk management – understand what risks you have, which risks you are okay with and which risks you are not okay with. Then, create a plan to correct those risks or add controls around them so they become acceptable.
- During the onboarding process, conduct a thorough pre-screening of prospective employees to avoid hiring someone who poses a risk.
- Create an acceptable use policy (AUP) that employees agree to for access to a corporate network or the Internet.
- Be willing to discipline or terminate employees who do not follow the AUP or meet your cybersecurity standards.
- Communicate with your employees often about the risks of inadequate cybersecurity.
- Conduct training, roundtables and open discussions with cybersecurity experts so your employees feel more empowered to speak up when they see something.