When cyberattacks and data breaches make the news, it’s usually because they’re at large companies like Facebook or at healthcare organizations. But every organization, large or small, needs to be concerned about cybersecurity; hackers have come to understand that, while smaller companies may hold less data, they may have access to larger, more valuable third parties. And smaller companies are less likely to have strong security measures in place – an unlocked back door for anyone who wants to try it.
If your organization doesn’t already have a cybersecurity program – the full set of your company’s security policies, procedures, and standards – it’s essential to put one together. And if you do, it’s important to review, re-evaluate, and revise it regularly to ensure your cybersecurity program is built to protect your business operations and to support an effective response when one is needed.
A 2019 IBM-sponsored study found that 77 percent of organizations do not have a cybersecurity incident plan, and that of those that do have a plan in place, 54 percent do not test their plans often. Data breaches are becoming likely events rather than worst-case scenarios. So, while putting a plan together is a step in the right direction, keeping that plan updated can be the piece that prepares you for a possible data breach. Here’s how:
One: Review Your Current Cybersecurity Policy
If you’re one of the less than 25 percent of organizations that have a cybersecurity policy in place, congratulations! But don’t celebrate just yet – now’s the time to check that it’s still built for your organization’s specific needs.
Take out your policy and ensure it’s current – this initial evaluation isn’t meant to be a heavy lift, but a check on what – if anything – needs an update:
- Are the point people for each piece still the right people to own the process?
- Does it cover the technologies and tools you’re currently using?
- Have you added or updated any tools in your arsenal? Are they still effective?
- Is your employee education plan still working?
- Has access for employees, trading partners, or clients changed? Have you considered the risk of the extended enterprise and third parties?
- Does it speak to compliance with your industry’s regulations?
- Is the data you need to protect being stored and transferred securely?
- Is your method for enforcing guidelines working as expected?
Once you have reviewed your program and determined whether any aspect of your security plan has changed, you can start updating your company’s policy. Don’t struggle with this part, and don’t let perfect be the enemy of good. Maximize your return on investment and start pragmatically. And, if the policy as a whole needs to be started from scratch, we’ve compiled a few resources that provide templates and examples of cybersecurity policies below.
- General, Network, Server and Application Security Policy Templates (SANS.org)
- Data Breach Response: A Guide for Businesses (Federal Trade Commission)
- Cybersecurity Framework (NIST)
Two: Follow the Right Guidelines
As new regulations protecting consumer privacy are rolled out, and changes are made to existing requirements (like PCI, HIPAA, and FISMA), ensure your cybersecurity policy takes new requirements into account. Are you able to protect user data as required by different countries and states? Does your policy address the latest updates in your industry’s requirements?
There are also tools available to help organizations manage risks to critical infrastructure more consistently, like NIST’s Cybersecurity Framework. Using the steps suggested by guides like these can help your company develop and maintain a cybersecurity policy.
Three: Ensure Your Policy and Program are Easy to Update
Almost no one – no matter their industry or role – likes policies. But, like caution signs, there’s typically a rationale behind each one. A key reason you need a policy in the first place is that modern cybersecurity has become very complex, and clear documentation is a fundamental requirement for an effective security program. But however complex your system is, your cybersecurity policy should be easy to keep up to date with any changes. There are a lot of details to keep track of, even for a small organization, and the landscape is constantly changing as both cybersecurity technology and cybercriminals become more advanced. Still, a cybersecurity policy is no use if it’s out of date because it’s too involved to maintain easily.
Your cybersecurity program needs to be updated regularly to include changes in your business, in technology, and in compliance regulations. Establish a timeline for re-evaluating the policy and program overall, and determine how you will self-audit along the way. How will you know that the latest updates to your security software have been installed, or that no one changed the server settings a month ago? Ideally, checking compliance with your program will not be a fully manual process.
Four: Educate Your Employees
Did you know that internal actors are responsible for nearly half of all data loss? Some of this is intentional – disgruntled or opportunistic employees, contractors, or suppliers performing deliberate acts of data theft. But half is simply human error, whether it’s repeatedly choosing weak passwords or finding a shortcut for a process that happens to be insecure. Most people don’t want to change their password every month if they can stick with “password123” forever. And as phishing becomes more sophisticated, some don’t see the problem with clicking a link in that suspicious “urgent” email.
Communicate your new cybersecurity policy to employees, and make sure they understand the relevant details: what they are expected to do, how to do it, and what could happen if they don’t. These are also risks that employees might encounter in their non-work lives, and emphasizing best practices can make them more secure both inside and outside the office. Remember that things that seem obvious to you—like how to change that password—might not be known to everyone in the company.
Some organizations regularly test their employees on their cybersecurity knowledge. Make it fun and rewarding—there should be some kind of incentive for mastering security best practices, alongside the benefit of being more cyber-savvy in their personal lives.
Bonus: Choose Solutions that Complement Your Cybersecurity Policy
Maintaining security and compliance across your entire business and all your employees can be daunting. Fortunately, dealing with all those moving parts doesn’t have to be so complicated. While implementing the right software solutions can give your cybersecurity a boost, having the right processes in place and educated employees means that your security policy practically enforces itself.
Make the process easier on yourself and your employees. For some examples:
- Instead of checking systems manually, use a tool that can monitor them automatically
- Implement software that requires regular password updates from employees, rather than relying on them to change passwords themselves
- Know who has access, and when they accessed data: Software with role-based security and audit logging will ensure that you always know who accessed or changed what, and when they did it.
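The self-audit questions in step Three (have the security software updates been installed, did anyone change the server settings) and the automated monitoring and audit-logging items in the list above describe a check that can be scripted. The following Python example is added here to show one way to do that; it is not code from the original post or from Fortra. It fingerprints configuration files against a recorded baseline, flags any drift, checks one file against the settings the policy requires, and attributes each change to a user from sudo audit-log entries. The file paths, file contents, log lines, and required settings are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal, scriptable self-audit.

1. Fingerprint configuration files and compare against a recorded baseline (drift).
2. Check one file against the settings the policy requires (policy as code).
3. Attribute drifted files to the user and command recorded in the audit log.

All paths, contents, log lines and required settings below are constructed samples.
"""
import hashlib
import json
import re

# Constructed sample: configuration contents when the baseline was recorded.
BASELINE_SNAPSHOT = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/app/settings.json": '{"session_timeout": 900, "mfa_required": true}\n',
}

# Constructed sample: current contents, with one setting quietly changed.
CURRENT_SNAPSHOT = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/app/settings.json": '{"session_timeout": 900, "mfa_required": true}\n',
}

# Constructed sample audit log (sudo-style, one line per privileged command).
AUDIT_LOG = """\
2024-03-02T10:14:05Z host1 sudo: alice : COMMAND=/usr/bin/vim /etc/ssh/sshd_config
2024-03-02T10:20:41Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart sshd
2024-03-15T08:02:13Z host1 sudo: bob : COMMAND=/usr/bin/apt-get upgrade
"""

# Constructed policy: settings the cybersecurity policy requires in sshd_config.
REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.*)$"
)


def fingerprint(files):
    """Map each path to the SHA-256 of its contents; hashes are what gets stored as baseline."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in files.items()}


def detect_drift(baseline_hashes, current_hashes):
    """Return files whose hash changed, files that disappeared, and files that appeared."""
    changed = sorted(p for p in baseline_hashes
                     if p in current_hashes and baseline_hashes[p] != current_hashes[p])
    missing = sorted(p for p in baseline_hashes if p not in current_hashes)
    new = sorted(p for p in current_hashes if p not in baseline_hashes)
    return {"changed": changed, "missing": missing, "new": new}


def check_sshd_policy(content, required=REQUIRED_SSHD):
    """Return {setting: (required_value, observed_value)} for every setting that violates policy.

    Parses the simple 'Keyword value' format of sshd_config, ignoring comments and blank lines.
    """
    observed = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            observed[parts[0]] = parts[1]
    return {k: (v, observed.get(k)) for k, v in required.items() if observed.get(k) != v}


def attribute_changes(log_text, paths):
    """For each drifted path, collect (timestamp, user, command) audit entries that name it."""
    hits = {p: [] for p in paths}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not privileged-command records
        for p in paths:
            if p in m.group("cmd"):
                hits[p].append((m.group("ts"), m.group("user"), m.group("cmd")))
    return hits


def self_audit(baseline_files, current_files, log_text):
    """Run the full check and return a report suitable for a ticket or dashboard."""
    drift = detect_drift(fingerprint(baseline_files), fingerprint(current_files))
    sshd = current_files.get("/etc/ssh/sshd_config", "")
    return {
        "drift": drift,
        "policy_violations": {"/etc/ssh/sshd_config": check_sshd_policy(sshd)},
        "attribution": attribute_changes(log_text, drift["changed"]),
    }


if __name__ == "__main__":
    print(json.dumps(self_audit(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, AUDIT_LOG), indent=2))
```

Run on the constructed samples, the report flags /etc/ssh/sshd_config as drifted, records that PermitRootLogin is "yes" where the policy requires "no", and ties the change to the audit entry showing which user edited the file and when. In a real deployment the baseline hashes would be stored when the policy is approved and the check scheduled to run on a fixed cadence, which is exactly the non-manual self-audit the post asks for.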
Sometimes, despite your best efforts, your data is breached. Check out these resources to help you create a data breach response plan. And if you’re in need of reliable, powerful tools to help you implement and enforce secure best practices, check out these data security solutions from Fortra: