Cyber-Security for Small Business Owners (Part 3)
In the last of our three-part series on cyber-security, we're going to talk about how you can create a culture of security to prepare your employees to avoid the single biggest threat: human error.
Cyber-security is not just an IT problem.
Just like our projects are partnerships between Ping! Development and our clients, cyber-security is a partnership between us, our service providers and vendors, our clients, and their customers. It affects the company, the customer, and the vendors. Companies must be good custodians of data and protect their customers. Their vendors should also be good custodians of their customers’ information, as well as the information they access by working with their customers or clients. Cyber-security affects everyone and it’s important to work together and ensure information security.
Educate Your Workforce.
The single biggest threat to cyber-security is human error. Ransomware is a result of someone clicking something they shouldn’t. Education of your employees is an important step in preventing ransomware attacks (and the best defense after-the-fact is a really good data backup strategy). If you don’t have the experience at your company, hire an expert and hold training seminars for your employees on the topic of cyber-security.
Train all employees to identify potential phishing scams. If you have an in-house development team, there are other considerations, including secure coding principles and cyber-security training. Since the Target hack, more developers are practicing better security, but there are still a large number that don't consider it, and the landscape is constantly evolving. You should invest in on-going training to keep their skills up-to-date.
Executive training is just as important as training operational, administrative, technical, and/or support staff - after all, executives are also inundated by emails and subject to the same human error. Training at all levels allows management to reinforce a culture of security and good custodianship.
Leverage your service providers and ensure they are being proactive.
I'll say that again: the single biggest threat to cyber-security is human error. The Target hack was accomplished through a vulnerability in an HVAC contractor's account. Include clauses in your service provider agreements regarding security expectations. This is already required under HIPAA-compliant Business Associate Agreements, and it's simply prudent to include it in agreements for other industries regardless of regulation; it also signals the understanding that security is everyone's responsibility. Which leads me to the next section...
Don’t wait until after an incident to make a plan.
The moment after your Web site has been defaced or infected with a virus or malicious software (malware) is not the time you want to be putting your response plan together. If you don't already have a plan for how to respond to a Web site hack or infection, you'll be scrambling, only increasing the length of time it takes to resolve the problem. You need to know who to contact so the problem can be fixed and how to keep your problem from affecting your customers - remember, this is not just an IT problem. Having a plan in place will help you reduce the time to resolution and be methodical in your response.
Cyber-security is more than just a buzzword; it's an important part of doing business, whether you work for a global enterprise or at a corner store. Take a look at these guidelines, and if there's any doubt or questions about implementing a step, contact us. We can help add layers of security, design a response plan, or train your development team on securing your Web applications.