Yahoo was hacked and information from at least 500 million accounts was taken; endless phishing schemes arrive from what look to be credible sources such as Microsoft, Apple and Adobe; and elaborate social engineering schemes have resulted in one company losing $6 million and being forced to shut down. All of this is enough to keep any business owner awake at night. Cybersecurity is all we hear about in today’s world. But many businesses, while they understand the need for a cybersecurity plan, don’t know how to achieve it. Even for the most technical companies this can be a challenge.
So where do you start? Like any other emergency procedure, you must start with a plan. Whether your company is big or small, this can be overwhelming. We tend to think of a multitude of “what if” scenarios and view the plan as one big whole instead of breaking it up into smaller, workable, bite-size pieces. I know this because that is how our cybersecurity team started off. We soon realized that we needed to break it down into manageable steps. We used the CSRIC IV (Communications Security, Reliability and Interoperability Council) 9.9 Small and Medium Business Cybersecurity Risk Management and Best Practices as a guide to get us started. The guide explains how to break your plan up into steps: Identification, Protection, Detection/Response and Recovery.
We began the process by first taking an inventory of all of our systems, equipment, devices, software and networks that had the potential to be compromised. We then prioritized these assets into risk levels and began to focus on the high-priority risks and how to protect them. The next step in the process is Detection/Response: what do we do if one of our assets is compromised, and how will we respond? The final step is Recovery. Once we had completed all of these steps, we developed two plans. One is a comprehensive plan that is shared only with key employees; the second is a general company-wide plan that we added to our Emergency Response Plan. This plan is divided into the following sections: Employee Responsibility, which discusses passwords, emailing, texting, social networking and flash drives; Types of Breaches, which defines physical breaches, network and system security breaches and data breaches; and Reporting Structure, which instructs the employee on what to do if they suspect a breach.
But we are not finished yet. The reality is that the biggest threat to your system is your employees. The majority of the time when a system has been compromised, it is because one of your employees has taken the bait in a phishing scheme or has fallen victim to a social engineering scheme. So, in order to have an effective plan, you must train your employees. I would suggest awareness training for all employees, followed by continual refresher training throughout the year. These can be just quick reminders, like this clip that a group of our employees put together. We also use a system that sends out bogus phishing and social engineering schemes to our employees to see who will bite. We then provide additional cybersecurity training to those individuals.
The fact is that cybersecurity is evolving every day and we have to stay vigilant. It is not an option to stick your head in the sand and hope that this goes away; you must act. Remember, “A journey of a thousand miles begins with a single step” - Lao Tzu.