Is your organization taking the right steps?
As the Director of Hosting and Technical Services at Info Tech, Inc., a large part of my role revolves around cybersecurity. My job grants me insight into what organizations around the country are doing to protect their data and software systems. In my work, I’ve noticed a consistent theme: cybersecurity professionals are often single-minded beings.
From the smallest government agency to the largest corporation, IT teams tend to hone in on the technology aspect of security and neglect two equally important aspects of the cybersecurity package: people and process. It’s part of the reason that companies like Target or Marriott, with all the resources in the world, still struggle to protect their data. By following these common sense cybersecurity strategies, your organization can ensure its doing everything right to protect its data.
Identify Vulnerabilities and Raise Awareness
You can’t fix what you don’t know is broken. Ensure you have a system in place to find where you are vulnerable and ensure that everyone in your organization has a thorough knowledge of those vulnerabilities to prevent missteps. An external auditor can help identify hidden points of weakness.
Make a Plan and Follow It
Seems simple, right? But while many organizations have security systems in place, they lack a thorough protocol to implement. The NIST SP 800-53 list of security and privacy controls is a great template to follow to build your plans. Try not to get overwhelmed by the sheer bulk of the list. Taking it a category at a time and applying those predefined processes to your existing processes is a great place to start. In fact, it’s the template we are incorporating at Info Tech.
Have (Several) Security Awareness Trainings
Of the three elements that compose your cybersecurity strategy - people, process, and technology - people are easily the weakest link. We regularly conduct email phishing tests at our organization, and even the most vigilant of employees occasionally fall victim to a convincing format or subject line. Once your process is established, make regular security trainings available (and hopefully mandatory) to ensure you’re not doing everything right for naught because Joe in Accounting clicked on a bad link.
Implement Two-Factor Authentication Anywhere and Everywhere
Managing your login credentials is an easy place to start, but it goes a long way in protecting internal systems and data. Multi-factor authentication falls entirely under the banner of “common sense,” because it’s something that everyone should be doing - but isn’t. This article is one of many that cover organizational breakdowns in security due to a lack of two-factor identification. It may be a hassle to take an extra few seconds to log in to your system, but it’s probably one of the most affordable and practical measures you can take to protect your company.
Conduct Audits on a Regular Basis
You don’t have to be the expert as long as you’re willing to rely on experts. Inviting an auditor into your organization may not seem attractive, but it’s the best way to get a holistic, unbiased view at potential risks and exposure points. Regular internal audits are another cost-effective measure you can take to ensure people are following the process you have established.
Have a Recovery Plan in Place
Data recovery is just as important - if not more - than data protection. Ensure that part of your process includes a recovery plan with the least amount of downtime and data loss. If you are using a third-party security or cloud-hosting provider, they will often have built-in data recovery measures as part of their service package.
Consider the Cloud
Although this cybersecurity advice applies universally, embracing a cloud-based hosting service adds another layer of protection to your strategy. Constant vigilance, provider accountability, and limited exposure are just some of the benefits of cloud hosting. To read more about cybersecurity in the cloud, check out my previous article on the topic.
If you have questions about how to improve your cybersecurity process, feel free to reach out to me at email@example.com.