With the ever-increasing rate of digital interconnectedness and accessibility, IT systems are more at risk of attack by hackers and spies than ever before. Yet, many companies still haven’t seriously addressed the issue of cybersecurity in their organizations. If you have concerns about the preparedness of your business, now is the time to start taking steps to protect your data.
The last few years have seen the largest data breaches in computer history. Billions of people have been affected by having their personal and financial information exposed and in many cases, used in criminal activities. The Equifax breach in the fall of 2017 compromised the data of over 143 million Americans. Attacks skyrocketed in the first half of 2018, with 765 million occurring from April to June alone. Many other large breaches have been reported since then. Almost every individual has been affected in one way or another, and businesses have lost hundreds of millions of dollars to cybercrime. It’s become so common that people have become complacent and fatalistic about it, accepting that their information is out there somewhere, or soon will be. Nevertheless, despite such a high risk, in 2017, a major survey revealed that more than 58% of companies failed to effectively measure their vulnerability to cyberattacks. Businesses simply can’t afford to be so indifferent.
Decision-makers and leaders in the top echelons of every organization need to make identifying and addressing their cybersecurity needs a top priority. You can begin by starting a conversation between your IT team and managers and employees at all levels of your company about information security and how best to protect sensitive data, but you need to know the right questions to ask. Here are four questions to ask to get the discussion started and moving in the right direction.
How informed is your team about the vulnerability to and potential impact of cyber attacks on your company?
It’s important to assess the current awareness of everyone in your organization about cyber threats and the potential damage from data breaches. It’s likely that everyone has heard of the many well-publicized breaches that have occurred over the last several years, but possibly haven’t considered them within the context of their own organization. This is the first step to developing an educational initiative to get everyone up to speed on the problem and identifying the at-risk areas in your system. After that, you can begin to develop a chain of communication to take immediate action in case of a breach and set protocols and expectations for response times. A fast and effective response is critical to limiting data exposure.
What are the specific risks to your infrastructure and what are the best steps to take to address them?
Have your IT team prepare a comprehensive risk assessment at all levels of your organization and prioritize the most urgent areas. Remember that the threat isn’t limited to just hackers. Many breaches occur because lower-level employees click on a link in a phishing email, leave a password lying around where it’s easily seen, or by unknowingly becoming a victim of a social engineering scam by giving it to someone over the phone who is impersonating a company employee. Then they can begin to identify the resources needed to protect your data, including third-party security software and updated equipment. Simply informing your employees of the threat of such low-tech risks can greatly increase your cybersecurity. If you don’t already have one, you should assign a dedicated security manager within your IT department.
How many security incidents are detected in your systems in a normal month or week, what type are they, and how we’re others informed about them?
You should have a system in place to detect, monitor, analyze, and record any type of potential security incident no matter how small or seemingly insignificant, and disseminate that information to the appropriate personnel, or perhaps to all employees to raise awareness. You should discuss hiring a managed services provider or buying software to do this, and identify which ones would best serve your needs. You should also consider a cloud-based solution.
Does your company have an incident response plan? How effective is it, and how often do you test it?
The only way you can quickly react to prevent or limit the damage from a breach is to have a clearly defined response plan in place. It should document how every pertinent department in your company should react in the event of an emergency from the top down, including your public relations team and your attorneys. This plan should be available to all employees. It should be tested on a regular basis, at least once each quarter, and updated whenever significant changes are made to your IT infrastructure.
Cyberattacks are just a fact of life these days, and that’s not going to change anytime soon. But by asking your team the right questions, starting a dialogue about how to address the threat, raising awareness and implementing training, and having a response plan in place, although you’ll never completely eliminate them, you can reduce your risks significantly.