Do Your Part, Be Cyber Smart: Business
As business owners and C-suite or board members with the responsibility of making decisions that affect not only the company’s revenue, staff income and mental health, but also customers’ trust, it is of critical importance to understand cyber security, cyber risks and how to mitigate them.
In previous posts I have mentioned that cyber security is a topic for everyone; moreover, a topic that requires everyone’s involvement in order to be applied successfully. But how can you, as a manager, president or decision maker WITHOUT a cyber security background, understand how it works and what you can do to improve your company’s security posture? Let’s start by highlighting the following:
- Every single part of our lives is somehow data- and internet-driven; therefore cyber security is of vital importance so we can reduce the risk of our data being compromised or our services becoming unavailable.
- Cyber security aims to reduce the likelihood of security issues being exploited and therefore the impact and risk these could have.
- Only “publicly” known cyber security issues can be investigated by government entities, punished by law and made famous by the media.
- Data breaches can lead to regulatory fines, reputational damage and lack of trust from clients and business partners.
As of January 2019, there were studies saying that 60% of small companies had closed within 6 months of being compromised, and that 43% of cyber attacks target small businesses. For more statistics take a look here and here.
Now, if a security incident or data breach is unknown to the public and even to yourself, does the security incident even exist? Unfortunately many companies never get to know that their data has been compromised, and in the more positive cases it takes them over 6 months to identify the incident.
So, if we don’t know when or how cyber criminals would target you or your company, how are you supposed to know how much money and time to invest in cyber security?
While I do not have a number for either of the above questions, I can tell you the best place to start is bringing the right people together to discuss the following:
- What kind of data do we need to collect, process, store and manage in order to function? What kind of regulations do I need to follow when handling that kind of data? (i.e.: health, financial, personal data). If you don’t have an answer to these questions, a cyber security and risk assessment could be a good place to start.
- Is your infrastructure secure enough to prevent common and publicly known vulnerabilities from being exploited? If you have any questions, check in with your IT department and ensure the following are being discussed:
  - A vulnerability management process should be in place so you can identify publicly known vulnerabilities.
  - Are vulnerability assessments of internal and internet-facing infrastructure performed at least once a year?
  - If you have web and mobile applications to offer services to your clients, have penetration tests been performed against these?
  - Are internet-facing assets protected by perimeter security tools?
At the end of the day, the question is not about how much money you need to invest, nor how much money you could lose if an incident occurs and your data is compromised.
As a business person, the security of your company, your staff and your clients depends on how well you understand the risks you could be facing and the requirements to mitigate them.
In a nutshell: open your mind, ask questions and, only once you have understood your requirements, talk about tools and money.
Happy Halloween, eepica