(Editor’s note: This is part 2 of a two-part column on improving cybersecurity for your business. See part 1 here.)
With the types and number of cybercrimes growing by the day, businesses need to take precautions or risk serious consequences. Continued from part 1 last week, here’s more about the threats and preventive measures you can take.
Ransomware: The WannaCry outbreak in 2017 and, more recently, the attack on the city of Baltimore both involved ransomware, a type of malware that encrypts the data on your device or network and makes it unavailable until you pay a ransom. It is very profitable for criminals and is becoming more common. Sometimes all it takes is one member of your team clicking a link or opening an attachment in an email; WannaCry, by contrast, spread on its own across networks through unpatched Windows systems, which is why keeping systems patched and maintaining tested, offline backups matter as much as user vigilance. Ransomware can also target any device connected to the internet, including smart appliances.
Cloud-computing providers: A cyber thief doesn’t have to break into a company to get its data; targeting the company’s cloud provider, or the company’s own accounts with that provider, can be enough. Most cloud providers operate on a shared-responsibility model: the provider secures the underlying infrastructure, but the customer remains responsible for correctly configuring access, permissions and data protection. And in most contracts with cloud-computing companies, the provider’s liability for a breach is limited, so business customers are not well-protected when cybercrimes occur.
We are long past assigning the safeguarding of this critical data solely to the information technology department. Company leadership has a key role to play. Set the “tone at the top” in these areas:
Education: Governance, responsibility and accountability begin with education. Companies need to understand where they are and where they need to go. Establishing an IT risk and security steering committee is key. This should include the company’s IT professionals, business leadership and critical data stakeholders. Periodic meetings regarding critical data protection should be the main focus of this group.
Action plans and risk roadmaps: Companies should first establish a baseline of where they stand relative to an industry-recognized security-controls framework, ideally through a third-party assessment. From that baseline, they should develop actionable priorities and a risk-remediation roadmap. The full roadmap may take several years to implement, but because the highest risks are addressed first, the most serious exposures are reduced early, and this sets the stage for continuous security improvement.
Culture change: Companies need to change their security mindset and culture. Security is everyone’s responsibility. Enhance training and awareness, and use data-driven actions to improve the overall culture. Awareness comes first and training second, but the goal is an enduring security culture and lasting behavioral change.
Training: Improve the skills and talent, internally and externally, needed to carry out the company’s digitization and security plans. That includes employees, clients, leadership, the board and partners. Continually assess and strengthen the roles that touch, protect and secure the company’s critical data and processes. Technology is changing rapidly, and the company and its investors should ensure that the right people, processes and technology are in place to keep up.
While the topic and associated efforts may be overwhelming at times, companies need a step-by-step approach to mitigate business risks. Cybersecurity comes down to understanding those risks and creating a plan to mitigate them.
Knowing where the data comes from, where it is stored and where it goes is critical to security. The first step a company should take is to conduct an independent assessment against an industry-recognized security-controls framework. This effort should produce a prioritized roadmap and plan to be shared with the board of directors, typically through the audit and risk committee.
A data-driven response and action plan, aligned and supported by business leaders, will go a long way to protecting a company’s and its clients’ data and livelihood.
Unauthorized access to your data can lead to devastating consequences. Fortunately, there are many steps you can take internally and with the help of outside cybersecurity professionals to protect your business.
Ray Gandy is the leader of IT risk and assurance practice at CBIZ & MHM New England, with offices in Providence and Boston.