Ensuring Your Company's Cybersecurity

Apr 26, 2019

Trying to figure out what cybersecurity should mean to you and your company?

Take a look at these questions and see how your answers align with those of our go-to resource (and partner) Jeff Miller from Cyberstone.

What’s the point of a cybersecurity program?

When we say, “cybersecurity program”, here’s what we mean:  Implementing cybersecurity policies, procedures and controls in a unified approach to reduce risk to private data and systems.  The cost of not implementing a cybersecurity program in your organization goes far beyond downtime and extends to financial loss, reputation damage and a loss of employee confidence.

Why is cybersecurity important for small and medium businesses?

Large companies tend to have the time, money and resources to invest in cybersecurity.  Small and medium businesses (SMBs) generally don’t have a single point person devoted to the organization’s cybersecurity.  SMBs generally lack the knowledge and expertise to ensure that risk is both discovered and addressed.  This is why most SMBs outsource the cybersecurity function to a trusted third party with the certifications, experience and know-how to combat cyber risks.  SMBs that don’t outsource this important role are at significant risk of damaging information loss and downtime.

How does a company get started with cybersecurity when they’ve never addressed it seriously?

To get started with cybersecurity, companies must understand what data they have, what regulations apply to them and the overall leadership attitude towards risk, cybersecurity and protecting information assets.  From here, the company needs to pick a cybersecurity framework such as HIPAA, PCI, NIST or ISO that most closely aligns with their goals.  Once a framework is selected a gap analysis should be performed.  Then the company can proceed with implementing controls to address the unique weaknesses and vulnerabilities that face it.

What is the importance of written security policy?

Written policy is essential to a successful cybersecurity program.  Without it, employees can misbehave and get away with it.  Response and recovery times in the event of a cyber incident will be drastically longer.  The mindset of leadership will not be set in stone.  Policy guides employee behavior, establishes leadership’s attitude toward cybersecurity and addresses how data is to be stored, processed and protected.

What are some common mistakes made by business owners when implementing cybersecurity measures?

The largest root-cause for poor cybersecurity in an organization is a lack of upfront leadership buy-in and identified roles for cybersecurity.  Without top-down buy-in, cybersecurity simply cannot be effective.  Another erroneous mindset is that “I’m in the cloud, so I have nothing to secure”.  This couldn’t be farther from the truth!  While most cloud applications and environments come with security options, it’s every individual organization’s responsibility to actually configure these options.  Additionally, it’s quite easy for hackers to take over online accounts with phishing and brute force attempts.  So, every online workflow should be protected by multi-factor authentication.

What is one free, but impactful change companies can make today to skyrocket their security posture?

Eighty percent of Internet traffic is secure (HTTPS) which means your company’s firewall cannot inspect it (since it’s encrypted).  This means that 80% of the traffic coming through your firewall into your organization is not getting inspected for malware!  It’s simply dubious security to have a firewall and not have it configured to decrypt, inspect and re-encrypt HTTPS web traffic.  All business-grade firewalls have an option labeled something like SSL Decryption or SSL Inspection.  Work with your IT person or provider to get this turned on so you’re able to inspect the malware that is coming in under your nose.

What’s the most important part of an incident response plan?

The most important part of an incident response plan is not the plan itself, but the actual regular testing, tweaking and discussion of the plan.  How can a plan be useful if nobody knows where it is or what their roles and responsibilities within it are?  Incident response planning should be an ongoing, yearly exercise with actual testing of the plan performed at least once a year.  Additionally, incident response isn’t just an IT issue.  It’s a business issue that affects all departments, and in many cases third parties such as legal counsel, PR, and third-party hardware and software vendors.

A big thanks to Jeff and the team at Cyberstone for helping us put this post together.

For more information about how Cyberstone can help your organization navigate the elaborate labyrinth of cybersecurity, please contact Heartland or your Heartland Sales Rep directly.