Health & Wellness

Five Tips to Manage Your Cyber Risks

computerfrom – azcentral.com – by Mark Pribish

Even with all the government, retail and health-care breaches of personal information in the news seemingly every week, we still need to hear and be reminded of the critical basics of managing cyber – and ID-theft risks.

Every business and industry likely has varied ID-theft and cybersecurity needs. Regardless of the information you collect, transfer and receive, here are my five critical basics I recommend every business should be doing:

  1. Create an information-security and governance policy.
  2. Put your information security and governance policy into a written plan.
  3. Update plan annually and on an as-needed basis when major threats are revealed.
  4. Test your policy annually, including penetration testing and a simulated data-breach event.
  5. Annual employee education should be the No. 1 priority. Individuals, not hackers, are the cause of most data breaches.

Once you complete these five critical tips, you’re not done. For example, if your information security and governance plan is two years old, chances are your business is five to six years behind the cyberthreat cutting edge.

In addition, your plan should include an information-security and governance committee – where department heads and not just “IT” are helping lead the information security policy and planning. If you own a small business, then you should include business partners and/or key employees to support your information-security objectives.

Managing your company’s cyber -risk depends on your staying up to date on current and future threats and trends.

What’s a recent example of the current threat landscape? According to Krebs on Security, “The FBI has warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.” According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

Another trend that I have personally seen with business clients (and consumers) – especially small- to medium-size businesses – is the general complacency of business owners and employees concerning information security.

Whether it’s online risks or risky behavior including phishing e-mails, smartphones, social media, the use of public Wi-Fi hotspots – both businesses and consumers are underestimating how vulnerable they are to today’s cyberthreat environment.

Do not follow in the footsteps of high-profile giant organizations that have been data-breached. A breach in your business – especially if it’s a small business – can be put you completely out of business.

Mark’s Most Important: Follow my five critical basics of ID theft and data breach threat and protections: Have a policy, plan, update, educate, test and be vigilant.


If You Enjoy Articles Like This - Subscribe to the AMAC Daily Newsletter
and Download the AMAC News App

Sign Up Today Download

If You Enjoy Articles Like This - Subscribe to the AMAC Daily Newsletter!


Subscribe
Notify of
1 Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
PaulE
7 years ago

All five cyber security points mentioned are already part of virtually every major company’s annual information technology strategy and operational preparedness plans. Ask any CIO (Chief Information Officer) for their annual security and disaster recovery plans and you’ll find every single item addressed and then some. The problem is unfortunately with so many companies now outsourcing virtually all their IT operations to third-party cloud service providers, these companies lose all hands-on control over the ability to ensure their plans are being carried out in full by the third-party cloud providers. The companies are completely reliant on monthly reports from the third-party cloud service providers that everything is being carried out.

Sure there are voluminous service level contracts between all the companies and their respective cloud service providers, as to the operational integrity and security that is supposed to be provided. But in reality, there is no way for any of the individual companies to truly ensure every single contractual point is being carried out on a day to day basis. In many instances today, the CIO of a company has been basically reduced to just being the technical liaison between the company he works for and the third-party cloud service provider. So it’s not like he can walk into his company’s data center and personally verify his company’s own IT staff are doing all the testing and prevention in his documents on a daily basis. A large percentage of major companies no longer have their own in-house technical staffs that existed when all the computer servers and communications gear resided in-house at each company. When companies outsourced their IT operations, their IT staffs were either offered positions at the third-party service provider companies or they were simply laid off.

As for most small companies, their IT staff today, if you even want to call it that, usually consists of a lone individual who has to juggle other duties in addition to making sure the few in-house computers are working. He or she is essentially fulfilling the same role of the CIO minus all the preparation of various tech plans and long-term business strategies.

I would agree with the author that most small businesses do not place a high priority on security of their data. If you were to ask the typical small business owner to list his top five technology concerns related to his or her business, I can guarantee you that formulating a plan to harden their business data against cyber attack wouldn’t make the list. Today a lot of small businesses also rely on the same third-party cloud service providers to manage the company’s servers and data.

In many cases when a cyber attack is carried out against a company these days, you’ll find that the actual servers breached were located not in the company’s data centers, which no longer exist anymore, but rather in one of the third-party cloud service provider locations. So if a cyber hacker can successfully penetrate one of these locations, they not only get access to one company’s data, but potentially to multiple company’s data depending on how well the various servers are network isolated and firewalled from each other and the outside world.

1
0
Would love your thoughts, please comment.x
()
x