In 2017 we saw some very serious cyber-attacks taking place, some of them with shocking consequences. There were several significant ransomware attacks, most prominent of which were WannaCry and NotPetya. But most importantly, we witnessed the Equifax scandal, which has irreversibly damaged our trust in huge corporations’ cybersecurity programs. The Equifax breach has ended the illusion that the biggest of companies, ones that store the critical sensitive data of millions of people, have impenetrable networks which keep our data safe at all times.
This event was perceived as a wake-up call that business would hopefully answer. This includes small and medium businesses as well. The danger is real for every firm that handles online transactions, stores any kind of customer data or simply runs a blog. Every company and every individual should constantly have their online security in mind.In order to stay #safe in the #cyber realm, here are a few key questions you have to ask yourself, your CISO or your risk management agency. Click To Tweet
Are we performing reliable tests on our network?
Ideally, cybersecurity problems should be handled long before they have a chance to occur. Having a sound strategy for preventing the issues is at least as important as having a standard set of procedures to follow after they’ve happened. And a big part of prevention is performing proper penetration tests.
A penetration test reproduces a real cyber-attack and tests the general state and capabilities of your security systems. This is a safe and reliable way to check which sorts of attacks it’s especially prone to. It’s crucial to know your network’s weakest spots and to be sure that your cybersecurity software and information security team can deal with all kinds of threats. You don’t want to realize you’re completely unprepared when a real attack takes place. Thus you should test your network thoroughly and update your cyber security plan according to the results.
Have we done everything we can to minimize internal threats?
Shockingly enough, 60 percent of all cyber-attacks happen as a consequence of wrongdoing inside a company. To minimize the threat coming from your employees, you need to be covered for both inadvertent oversights and intentional actions taken against your business.
When it comes to the former, there are a lot of ways to reduce the risk of unintentional mistakes made by your workers. Above all, they include proper training and education, as you have to expect that most of your employees won’t be particularly IT-minded. Monitoring their computer activities is also a reasonable idea, as it’s crucial to make sure they use the network safely and wisely.
Furthermore, having a strong password policy and enforcing it strictly is more important than you might think. Namely, more than 80 percent of all data breaches happen because of hacked passwords. Employing multi-factor authentication can be very helpful in this respect as well. Finally, you have to limit the admin access to only the most proficient and trustable persons around.
As for those who intend to cause troubles to your network on purpose, defending against them is a bit trickier. You need to run thorough checks on all new employees, especially those who are supposed to have access to sensitive info. Also, reliable monitoring software can help you supervise their actions and make sure nothing suspicious is happening when you’re not around.
Are the procedures we follow compliant with the safety standards?
One of the ways to determine that your system is safe enough is to confirm its compliance with the most comprehensive sets of cybersecurity standards conceived by professionals in the field and governing bodies. For instance, when it comes to the security of customer data, satisfying PCI DSS standards is vital. PCI DSS represents a set of procedures regarding the storage and encryption of your customers’ data and following these rules can make your network a much safer place.
For standards and protocols concerning more general cyber security issues, you can look into the Cybersecurity Framework (CSF). CSF is non-obligatory but can serve as a great signpost for businesses of any kind and size due to its flexibility and exhaustiveness. It offers useful cybersecurity guidelines as well as a lot of advice on how to implement the particular protocols in question.
Do we have a carefully designed recovery procedure?
Unfortunately, all the prevention work you’ve done may not be enough. There’s always a danger that your system will fail no matter what. In this sense, regularly updating your backups is essential. With cloud technology getting more advanced and affordable, this shouldn’t pose a problem.
Nevertheless, if you feel like you need a more detailed strategy on how to store, process and restore the data, it can get more complicated, and you might want to look for a disaster recovery vendor to help you with this job. You need your system and your business up and running quickly, as losing time here inevitably means losing money.
Do we have proper insurance?
Sometimes, things will get even more inconvenient. Your recovery plan may not work quickly enough, and this can cause some significant financial damage to your company. Have in mind that an average data breach costs U.S. companies almost $8 million, with the global average standing at around 3.86 million. Obviously, small businesses won’t lose as much if their data gets compromised, but since every single stolen sensitive record costs as much as $148, you do the math as to how much it can hurt your company. Thus having proper insurance to cover at least a part of these expenses is of huge importance.
There will be cases when all your prevention and recovery efforts fail and you have to be prepared for that sort of situation long before it happens.
In any event, more and more companies will become highly dependent on their computer networks. Even today, it’s getting quite difficult to think of branches and industries where cybersecurity shouldn’t be treated as one of the top priorities. More people, companies, and devices are getting plugged into the network, and hence the risks are becoming more serious and diverse. If you fail to lay out and enforce a thorough and comprehensive cybersecurity policy, your business can be severely harmed when you least expect it.