Corporate leaders often ask me, “What do we need to do to protect our data, our clients’ information and our brand against hackers and cyber criminals?” Naturally, there is no quick or simple answer, no magic, one-size-fits-all solution. From the simplest of business models to the most complex, each and every client has unique cyber security needs, risks and resources.
To Keep Business Data Secure and Counter Cyber Criminals, Follow These Steps
Most organizations entrust their IT department to protect the network, servers, storage and computing devices. Sometimes, this can be the way to go. In most cases, though, it can lead to unnecessary spending on technology and services chosen to – at least theoretically – develop a baseline technology footprint against threats such as front-door attacks, a popular cybercrime tactic in years past.
The problem? Cyber criminals adapt. Knowing the front door is often fortified, these attackers now look for other, more sophisticated means to gain access to unauthorized data. To keep business data protected, corporate leadership should follow six critical steps (IMETAR): (1) Identify risks, (2) Mitigate them, (3) Educate, (4) Test, (5) Audit, and (6) Repeat!
- Step 1 – Identify risks. Create a risk matrix identifying all of the external and internal threats that can adversely affect your business. These can range from natural disasters and man-made interruptions to insider threats and phishing.
- Step 2 – Mitigate them. Map the mitigation and business continuity strategies for each of these identified risks. Focus in particular on the gaps where there is no plan of action to mitigate the risk.
- Step 3 – Educate. Organizations need to assure that employees and vendor partners have a clear understanding of their roles and responsibilities for information security – and then provide training on protective actions to advance data safeguarding. Training should incorporate real-world examples and policy review. It should emphasize comprehension and implementation, and it should be revisited continually.
- Step 4 – Test. Any mitigation strategies that are implemented need to be tested. Testing can include internal and external penetration or vulnerability testing, social engineering and disaster recovery. You may have to modify your risk mitigation strategies based on the outcome of the testing process. In most cases, when a test identifies weaknesses, you’ll need to return to Step 3 to educate people on the changes you implement and adopt those changes.
- Step 5 – Audit. Perhaps the most difficult step in this process is auditing, something none of us generally look forward to. However, an external review of your business’s information security program can bring major value to process and procedure improvement. Internal staff are generally focused on day-to-day activities. The practice of auditing – over time and with repetition – provides repeatable information security improvement avenues for all members of the organization. In other words, it gets easier with practice.
- Step 6 – Repeat. Cybersecurity isn’t a one-and-done endeavor. It takes continuous commitment from all levels of the organization to maintain a strong information security program. Therefore, it’s essential to review, update and act on identified improvements on a defined, cyclical basis. Some of the tasks, like Steps 1, 2 and 5, can be completed on an annual basis. Steps 3 and 4, on the other hand, should be conducted on a more regular basis. You may find it’s best for your business to conduct some tasks monthly and others quarterly.
Become Engaged in Your Company’s Information Security Program
Too often, measures to protect organizational data are overlooked, or it’s taken for granted that they’re being administered correctly. To confront cyber threats proactively, organizational leadership needs to take a holistic view of cybersecurity and invest in mitigation strategies. That includes technology, personnel and services.
To protect your business against compromise, I encourage you to become engaged in your organization’s information security program. Adopt proven policy, procedural and technology models that provide the agility and flexibility required as your business – and cybersecurity issues – evolve over time. When questions or concerns arise, look to industry leaders for assistance.