October is Cyber Security Awareness Month. In a year of breaches, each one seeming bigger than the last, maybe every month should be Cyber Security Awareness Month. Given the explosion of devices that connect to the Internet of Things, and a pervasive culture of BYOD (Bring your Own Device), we have an ongoing problem with Shadow IT and Shadow Data. Things get plugged in that shouldn’t; data gets handled and exposed that shouldn’t. Despite a plethora of technology and options, there is no one simple solution for keeping our systems and online information secure.
The fact is, security is a process and an ongoing commitment. It only works when everyone understands the need and buys in. I was invited by the fine folks at Tripwire to contribute some suggestions to their piece “3 Tips on How to Create a Cyber Security Culture at Work”. Here are some of my recommendations for laying the keystones of your Fortress Security, so you can build around them:
1) Passwords: these really are the keys to your kingdom. Have a good password policy in place; teach staff how and why to use it; and do routine checks to make sure it is being followed.
2) Patches: it is crucial for businesses of every size to have a patch update program in place, to ensure that all software and systems are updated regularly, and to be ready to implement emergency fixes as they come out.
3) Get a baseline in place: while you cannot expect to catch everything, if you know what your norm is, then you have an advantage when something deviates, and you can respond decisively. That’s security in action.
4) Limit and enforce access: not everyone needs access to everything, all the time. The fact is, the more exposure your data has, the more at risk it is. You can, and you must, put rules in place that allow most users access to only what they need. It’s good to require that access be requested, because that enforces a necessary system of checks and balances that underpins good security.
5) Inventory and monitor: know what you have, tag it, track it, and update your records whenever something is added to or removed from the system. This will help ensure you know what your baseline is for monitoring purposes. And it is a critical component of controlling the BYOD culture that is rife with risk.
But wait – there’s more! With a solid foundation in place, you also need to have these:
Insurance: be warned, your current insurance policy probably does not cover cyber liability. It’s time to consider whether your policy lines up with the services you offer. For example, in Canada you need to have Errors and Omissions coverage in place. No, it isn’t cheap, but it is compared to the cost of a data breach. And your coverage needs to be in place at the time of the incident. According to a recent survey by KPMG, “74 percent of businesses do not have any sort of cyber security liability insurance. Of those that did, only 48 percent believed their coverage would cover the actual cost of a breach.” It’s an evolving field that has seen a lot of growth in a short time: according to Canadian Underwriter Daily, $445 billion and $20 billion in growth. Chris Case, a specialist in cyber liability insurance with Dan Lawrie Insurance Brokers, describes the current status:
“It’s a growing space, but it’s a tricky space. It’s a moving target. So far, we’ve been lucky, not good.”
Disaster Recovery Plan and Business Continuity: I’ve said it before and I’ll say it again. You’ve got to have a plan. Bad stuff happens to good businesses. Invest the time and effort now to put together a plan, so that when Mother Nature intervenes with torrential rains, your reputation and your clients’ expectations don’t get washed away. The same holds true for ransomware or data breaches. If you can’t access
Thanks for reading and hope we helped!
Cheryl Biswas, Editor