Businesses are quickly learning that the vitality of their business assets is directly tied to their technology. Most businesses understand that technology must be maintained and upgraded to achieve the desired margins and profits. Businesses are now learning that an equal amount of attention needs to go to Cyber Security. Businesses, large and small, are realizing their vulnerabilities in this arena and, unfortunately, there is no official “911” to call if they are compromised.
There are specific products and services that will help protect your company, and they are a vital component of your Cyber Security strategy. But how well documented is your Cyber Security strategy as a whole? If your Cyber Security strategy has not been documented and the appropriate measures enacted, then your primary goal is clear. Below is a basic outline of the processes every business should have either in development or in production:
1. Business Process Mapping
While most business processes are assigned to a certain individual or group of individuals, the documentation and versioning of those processes are often lacking. Defining, mapping and documenting processes gives your business units and their assigned leadership a shared, consistent baseline. This involves diagramming how work gets done, who does it and when it gets done.
For example, at some point during your quote-to-cash process, does a third party get involved? That third party may be a weak link in your security: any data they handle and any access they are given to your systems is outside your direct control. Take the time to map out the processes and look for any steps that may be unsecured.
2. Data Protection & Retention
It’s nearly the end of the decade and businesses understand the need to protect their data. Two primary questions are still left on the table: 1. Are you using best practices in your data backup strategy? 2. How often does your organization confirm that a backup completed successfully and test a restore of that data? A backup that has never been restored is unverified; schedule restore tests and record the results. Have a plan in place that details what company data is to be stored and for how long. Does your data need to be encrypted at rest? If you have long-term retention rules, look at cloud storage, and keep at least one copy that an attacker who gets into your production network cannot alter or delete.
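As an added example (not part of the original article), the following Python script shows what “confirm a good backup and test a restore” looks like when automated: it backs up a directory, records a manifest of checksums, restores the archive into a scratch directory and compares the result against the manifest. The directory layout, the sample files and the manifest format are constructed for the demonstration and are not taken from any product.

```python
"""Backup round-trip check: back up a directory, keep a manifest of checksums,
restore into a scratch directory and diff the result against the manifest.
Standard library only. Sample data is constructed inside run_demo()."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source. The returned manifest (archive checksum
    plus per-file checksums) must be stored separately from the archive, or a
    corrupted backup could be 'verified' against a corrupted manifest."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return {"archive_sha256": sha256_file(archive),
            "files": fingerprint_tree(source)}


def _safe_members(tar: tarfile.TarFile):
    """Yield only plain files and directories whose paths stay under the restore
    root. A tampered archive must not be able to write outside it or plant links."""
    for member in tar.getmembers():
        member_path = Path(member.name)
        if member_path.is_absolute() or ".." in member_path.parts:
            raise ValueError(f"refusing unsafe member path: {member.name}")
        if member.isfile() or member.isdir():
            yield member


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Check the archive checksum, restore into a scratch directory and report
    files that are missing, changed or unexpected compared with the manifest."""
    result = {"ok": False, "reason": "", "missing": [], "changed": [], "extra": []}
    if sha256_file(archive) != manifest["archive_sha256"]:
        result["reason"] = "archive checksum mismatch"
        return result
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use filter="data" where the interpreter supports it (3.12+ and the
            # security backports); _safe_members covers older interpreters.
            extra_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(root, members=_safe_members(tar), **extra_args)
        restored = fingerprint_tree(root)
    expected = manifest["files"]
    result["missing"] = sorted(set(expected) - set(restored))
    result["extra"] = sorted(set(restored) - set(expected))
    result["changed"] = sorted(f for f in expected
                               if f in restored and restored[f] != expected[f])
    result["ok"] = not (result["missing"] or result["extra"] or result["changed"])
    if not result["ok"]:
        result["reason"] = "restored files differ from manifest"
    return result


def run_demo() -> dict:
    """Constructed scenario: a small source tree, a good backup, then the same
    archive with one byte flipped, which is what bit rot or tampering looks like."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")
        (source / "readme.txt").write_text("quote-to-cash records\n")
        archive = work_dir / "backup.tar.gz"
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)
        damaged = bytearray(archive.read_bytes())
        damaged[-1] ^= 0xFF  # flip one byte of the archive
        archive.write_bytes(bytes(damaged))
        corrupted = verify_restore(archive, manifest)
    return {"good": good, "corrupted": corrupted}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: ok={outcome['ok']} {outcome['reason']}")
```

The point of the restore into a scratch directory is that “the backup job reported success” and “the data can actually be brought back” are different claims; only the second one protects you. Storing the manifest away from the archive, and refusing archive entries that point outside the restore root, are the two checks most home-grown backup scripts omit.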
3. Business Continuity
How much does “downtime” affect your business? Use the following formula with caution:
The continued delivery of your business’s products and/or services must be maintained at an acceptable, predefined level following a disruptive incident. A disruptive incident can range from a power outage to a cyber attack to a natural disaster. Remember, disaster recovery and alternative service plans are part of an overall business continuity plan. An example would be setting up the network so it is securely reachable from an employee’s home over VPN in the event the office is not available.
4. Training & Development
While most will roll their eyes in agreement and think “obviously,” a true training and development process is beyond necessary. Truly training and developing your staff in cyber security is more than sending an email reminder that they should not open suspicious emails. A complete strategy of training and ongoing development should be documented and delivered to instruct employees on what to look for when they are the target of a cyber-attack, how to report what they see, and the appropriate actions following an actual attack.
5. Information Classification Policy
This policy is a set of standards to protect information assets from unauthorized access, compromise or disclosure. Remember that your data is a large piece of your assets. Know where your data is. This policy is designed to standardize where your data is stored, who has administrative control and who within your organization can access it. Setting the policy starts with data classification: in the context of information security, data is classified by its level of sensitivity and by the impact to your organization should it be disclosed, altered or destroyed without authorization. A DLP (Data Loss Prevention) solution can help enforce the policy, but only once the classification it relies on has been done.
6. Incident Response Process
If a breach happens, what do you do? This process is an organized approach to addressing and managing the aftermath of a security breach. Providing a formal, coordinated response to security incidents affecting your information assets is an important piece of your overall business technology security strategy. Developing this process is closely connected to #4 on our list, Training & Development: your management and staff will be trained to understand the “do’s and don’ts” of responding to a Cyber Security incident. Pulling the proper solutions and training together, then implementing and testing the plan, takes a solid IT service provider with experience in Cyber Security.
7. HR Processes
Make sure HR and IT are closely aligned. Often employees are let go and no one informs IT, or the IT department doesn’t take the steps needed to secure your business. This is a security risk if that employee can still gain access to your sensitive company and customer data. Develop employee onboarding and offboarding policies. When an employee leaves, the offboarding policy should be followed and the result checked to make sure all of their accounts, including VPN, email, cloud and third-party services, and any shared credentials they knew, are locked down per company standards.
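As an added example (not from the original article), here is a small Python reconciliation that checks HR’s list of departures against an export of accounts and flags what offboarding missed. The CSV columns, the sample employees and the account export are all constructed for the demonstration; a real run would read the HR system and the exports from the identity provider, VPN and each SaaS admin console.

```python
"""Offboarding reconciliation: compare HR's list of departed employees with an
export of system accounts and flag what should have been locked down.
Column names and all sample rows are constructed for this example."""
import csv
import io
from datetime import date, timedelta

# Constructed HR termination list (what HR knows).
HR_TERMINATIONS_CSV = """\
employee_id,email,last_day
1001,jane.doe@example.com,2019-11-01
1002,sam.lee@example.com,2019-11-15
1003,ana.ruiz@example.com,2019-10-20
"""

# Constructed account export (what IT's systems show). In practice this is the
# union of exports from the identity provider, VPN, email and each SaaS tool.
ACCOUNT_EXPORT_CSV = """\
system,username,owner_email,enabled,last_login
vpn,jdoe,jane.doe@example.com,true,2019-11-20
email,jane.doe,jane.doe@example.com,false,2019-11-01
crm,slee,sam.lee@example.com,true,2019-11-10
vpn,aruiz,ana.ruiz@example.com,true,2019-11-21
shared,fileshare-admin,,true,2019-11-22
"""

DEMO_TODAY = date(2019, 11, 22)  # the day the constructed exports were taken


def _parse_optional_date(text: str):
    return date.fromisoformat(text) if text.strip() else None


def reconcile(hr_csv: str, accounts_csv: str, today: date, grace_days: int = 1) -> list:
    """Return one finding per account that contradicts the HR record.

    - An account used after its owner's last day is the worst case: someone
      (the ex-employee or whoever holds their credentials) got in.
    - An account still enabled past a short grace period after the last day
      means offboarding was not completed.
    - An enabled account with no HR owner is shared or orphaned; nobody will
      disable it when its users leave, so it needs an explicit owner.
    """
    departed = {row["email"].strip().lower(): date.fromisoformat(row["last_day"])
                for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        label = f"{acct['system']}:{acct['username']}"
        enabled = acct["enabled"].strip().lower() == "true"
        owner = acct["owner_email"].strip().lower()
        last_login = _parse_optional_date(acct["last_login"])

        if not owner:
            if enabled:
                findings.append({"account": label, "severity": "medium",
                                 "issue": "enabled account with no HR owner (shared or orphaned)"})
            continue
        last_day = departed.get(owner)
        if last_day is None:
            continue  # owner is still employed as far as HR knows
        if last_login is not None and last_login > last_day:
            findings.append({"account": label, "severity": "high",
                             "issue": f"used on {last_login} after owner's last day {last_day}"})
        elif enabled and today > last_day + timedelta(days=grace_days):
            days = (today - last_day).days
            findings.append({"account": label, "severity": "high",
                             "issue": f"still enabled {days} days after owner's last day"})
    severity_rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (severity_rank[f["severity"]], f["account"]))


def run_demo() -> list:
    return reconcile(HR_TERMINATIONS_CSV, ACCOUNT_EXPORT_CSV, DEMO_TODAY)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding['severity'].upper()}] {finding['account']}: {finding['issue']}")
```

On the constructed data this flags the CRM account still enabled a week after Sam’s last day, two VPN accounts used after their owners left, and the shared file-share administrator account that belongs to nobody in HR’s records. A disabled account is only ignored if it was never used after the last day; a login after that date is reported even if someone has since disabled it, because it is evidence that needs investigating, not a housekeeping item.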
8. Change Management Processes
Change management has come a long way from a foundational understanding to a recognized discipline. Writing out planned changes to your organization’s processes, structure or job roles helps you “think twice” about improvements and the overall impact of the changes. This designed sequence of activities, by which leaders and project managers apply internal changes, should always align with IT security policies and include peer and senior review.