Trying to figure out what Cyber security should mean to you and your company???
Take a look at these questions and see how your answers align with those of our go to resource (and partner) Jeff Miller from Cyberstone.
What’s the point of a cyber security program?
When we say, “cyber security program”, here’s what we mean: Implementing cyber security policies, procedures, and controls in a unified approach to reduce risk to private data and systems. The cost of not implementing a cyber security program in your organization goes far beyond downtime and extends to financial loss, reputation damage, and a loss of employee confidence.
Why is cyber security important for small and medium businesses?
Large companies tend to have the time, money and resources to invest in cyber security. Small and medium businesses (SMBs) generally don’t have a single point person devoted to the organization’s cyber security. SMBs generally lack the knowledge and expertise to ensure that risk is both discovered and addressed. This is why most SMBs outsource the cyber security function to a trusted third party with the certifications, experience and know-how to combat cyber risks. SMBs who don’t outsource this important role are at significant risk of damaging information loss and downtime.
How does a company get started with cyber security when they’ve never addressed it seriously?
To get started with cyber security, companies must understand what data they have, what regulations apply to them and the overall leadership attitude towards risk, cyber security and protecting information assets. From here, the company needs to pick a cyber security framework such as HIPAA, PCI, NIST or ISO that most closely aligns with their goals. Once a framework is selected a gap analysis should be performed. Then the company can proceed with implementing controls to address the unique weaknesses and vulnerabilities that face it.
What is the importance of written security policy?
Written policy is essential to a successful cyber security program. Without it, employees can misbehave and get away with it. Response and recovery times in the event of a cyber incident will be drastically longer. The mindset of leadership will not be set in stone. Policy guides employee behavior, establishes leadership’s attitude toward cyber security and addresses how data is to be stored, processed and protected.
What are some common mistakes made by business owners when implementing cyber security measures?
The largest root-cause for poor cyber security in an organization is a lack of upfront leadership buy-in and identified roles for cyber security. Without top-down buy-in, cyber security simply cannot be effective. Another erroneous mindset is that “I’m in the cloud, so I have nothing to secure”. This couldn’t be farther from the truth! While most cloud applications and environments come with security options, it’s every individual organization’s responsibility to actually configure these options. Additionally, it’s quite easy for hackers to take over online accounts with phishing and brute force attempts. So, every online workflow should be protected by multi-factor authentication.
What is one free, but impactful change companies can make today to skyrocket their security posture?
Eighty percent of Internet traffic is secure (HTTPS) which means your company’s firewall cannot inspect it (since it’s encrypted). This means that 80% of the traffic coming through your firewall into your organization is not getting inspected for malware! It’s simply dubious security to have a firewall and not have it configured to decrypt, inspect and re-encrypt HTTPS web traffic. All business-grade firewalls have an option labeled something like SSL Decryption or SSL Inspection. Work with your IT person or provider to get this turned on so you’re able to inspect the malware that is coming in under your nose.
What’s the most important part of an incident response plan?
The most important part of an incident response plan is not the plan itself, but the actual regular testing, tweaking and discussion of the plan. How can a plan be useful if nobody knows where it is and their role and responsibilities within the plan? Incident response planning should be an ongoing, yearly exercise with actual testing of the plan performed at least once a year. Additionally, incident response isn’t just an IT issue. It’s a business issue that affects all departments, and in many cases third-parties such as legal counsel, PR, and third-party hardware and software vendors.
A big thanks to Jeff and the team at Cyberstone for helping us put this post together.
For more information about how Cyberstone can help your organization navigate the elaborate labyrinth of cyber security please contact HEARTLAND, or your Heartland Sales Rep directly.