With a near-constant barrage of highly public data breaches over the past few years, most businesses are starting to recognize the importance of protecting sensitive information. In turn, many businesses are asking their vendors about their cyber-security program.
If you have received a cyber-security notice from one of your clients, your bank or a major supplier and you are unsure of where you stand with regard to cyber-security, here are seven areas you should look to address.
1. Implement an Information Security Program
Creating an information security program should be the first step towards showing your clients that you are taking cyber security seriously. An information security program should address not only technical solutions, but also show the steps being taken within the culture of the business to address security concerns. South Carolina recently put in place regulations requiring insurance companies to implement such programs. Implementing a program now can help prove to clients that cyber security is an active concern, and may save time and effort if such regulations come to have a wider scope. Based on your industry and needs, following an industry framework such as NIST CSF, ISO 27001 or PCI-DSS provides a path to developing your program. In addition to these frameworks, you can also review the CIS Controls. The Center for Internet Security is a non-profit dedicated to cyber-security prevention, and has published a list of 20 Controls that all firms should implement, of which the top 6 are recommended for any organization.
2. Risk Assessment
Another way to show clients a company's cyber-wellness is to conduct cyber risk assessments. Businesses can conduct these assessments internally or with the help of a third party. The assessments first involve taking inventory of the types of data being stored and identifying vulnerabilities in how that information is handled. It is then a matter of weighing the impact of any potential exploitation of those vulnerabilities against the likelihood of such threats. Doing these assessments will allow businesses to easily pinpoint and prioritize the measures that need to be taken.
3. Assign Accountability
Often, regulations will require one individual to be assigned as the lead person on cyber-security issues. This may be the IT leader, CFO, Office Manager or CEO. Regardless, that individual needs to ensure that the policies within the firm's cyber-security program are carried out. However, it is important to note that cyber security isn't just the responsibility of one person. Everyone needs to understand their role, but leadership in particular needs to understand the security posture of the organization and ensure that steps are taken to address and improve it as required.
4. Penetration Testing and Vulnerability Scanning
Having put in place an information security program and implemented security standards, it is essential to routinely test your systems for weaknesses. Penetration testing and vulnerability scanning are two ways of measuring the effectiveness of your security systems. Penetration tests simulate attacks from outside actors, showing which processes and settings can be exploited. Vulnerability scans, by contrast, scan your systems and give a comprehensive assessment of known vulnerabilities. Vulnerability scans can be done in-house and should be conducted quarterly. Penetration testing can be done less frequently, once or twice a year, but should generally be conducted by a third party. Doing so will help highlight weaknesses that aren't picked up by the vulnerability scans.
5. Cyber Awareness Training
Finally, it is essential to perform cyber awareness training across all areas of the organization. Often, all it takes for a breach is a low-level employee falling for a phishing scam or inadvertently sharing sensitive information. According to the CIS, it is therefore essential to "identify the specific knowledge, skills, and abilities needed to protect the enterprise and develop and execute security training for all roles in the organization." Not every employee will need to be versed in, say, end-to-end encryption, but it is essential that all roles in the organization are alert to and understand the risks associated with their specific role.
6. Cyber Insurance
Whether or not cyber insurance is a requirement noted by your clients or other stakeholders, it is something to look into. Traditional insurance policies often will not provide adequate protection for a cyber event. But caution is advised: there is a lot of variation between cyber policies with regard to what is covered and what is excluded. Make sure you work with an experienced insurance broker before you make a decision.
7. Be Prepared for an On-Site Review
Some clients or stakeholders may want to do more than ask you questions electronically or over the phone. They may wish to visit your site and assess whether you are actually following the cyber-security policies you have on paper, or have unaddressed vulnerabilities that may put your client at risk. If a visit is required, make sure you have the right team to meet with your client's representatives, and that you give them the time and opportunity to review your processes as appropriate. Most of the time, they will be sensitive to your interests and availability. They can also be good resources for learning how other organizations address their cyber-security issues.