Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.
When it comes to cybersecurity, businesses are like Florida residents during hurricane season. Think about it. Cyberattacks aren’t that unlike hurricanes.
October is Cybersecurity Awareness Month, and it’s also peak hurricane season. They both happen every year, even if they don’t happen to you directly. Regardless of whether an incident is directly on the horizon, homeowners still prepare for every hurricane season, and businesses always need to have a cybersecurity plan in place. In other words, they’re both a “hope for the best, plan for the worst” kind of situation.
For both hurricanes and cyberattacks, the more prepared you are for chaos, the more you can minimize the fallout and prevent damage.
Focus on planning and prevention.
In hurricanes and cyberattacks, “an ounce of prevention is worth a pound of cure.”
It may take a significant effort to create a proactive protection plan, but it costs 1,000 times more time and money to rebuild after a serious incident. (And if the worst happens, many won’t be able to rebuild at all.)
In Florida, many homes have additional structural features that make them more resistant to hurricane damage in the first place. For businesses, this structural reinforcement is an approach to data security called defense in depth, or DiD. The concept behind DiD is that strong cybersecurity requires multiple defense measures at all times. Just like a home needs storm windows, hurricane shutters, concrete walls and sturdy roofing materials to withstand a storm, businesses need more than one protective element to build a resilient cybersecurity ecosystem.
This should include (but not be limited to):
• Antivirus software.
• VPN solutions for remote work.
• Secure gateway.
• Firewalls.
• Patch management.
• Backup and recovery.
• Two-factor authentication (2FA) or multifactor authentication (MFA).
• Intrusion detection and prevention systems.
• Endpoint detection and response (EDR).
• Encryption solutions.
• Data loss prevention measures.
All of these actions make it more difficult for cyberattacks to succeed in the first place. These tools work together so that, like savvy Florida homeowners, you’ve created a more stable structure for your business to weather the digital ecosystem.
Batten down the hatches.
During hurricane season, the last thing you need is patio furniture left in the backyard to fly through your neighbor’s window. The same can be said of consumer data. A cyberattack on your company can have devastating effects on your business, but if you don’t protect your consumers, cyberattacks will ricochet and put them at risk, too.
In addition to practicing defense in depth, make sure your business has a robust data privacy policy that protects sensitive data for your business, employees and consumers. Like DiD, you must establish multifaceted privacy practices (e.g., practicing data minimization, clear use cases for data collection, etc.). In the event of a data breach, this further protects your employees and consumers.
Minimize human error with education and training.
If you move from Colorado to Florida, you might not know how to prepare for hurricane season. You have to research what risks are most likely and what to do to minimize damage and take action in case of emergency.
For businesses, human error is often the most common avenue for cyber attacks. More than 90% of cyberattacks stem from human error. Even if you keep your technology up to date and your data servers secure, human behavior may not act in your company’s best interest without employee training and education.
Phishing and malware transmitted through email are the most common avenues for cyberattacks to breach your defenses; an estimated 3.4 billion emails are sent daily by cybercriminals.
VPNs and MFA can go a long way toward minimizing exposure risk from employees, but data security teams should also work with leadership teams to create a plan for employee training.
This should include training for new employees and regular training for current employees to ensure that security best practices stay top of mind. Another high-value activity is running your team through a phishing simulation; many software companies offer this opportunity for companies to test their employees’ knowledge. If employees fall for the bait, the software can educate employees right away, and new campaigns can often be run to employees.
Remember: Don’t just focus on the how of data security. Your employees should walk away knowing why these practices are vital to their jobs.
Always have an updated emergency plan in place.
Hurricanes are going to happen, and so are cybersecurity attacks. Even with the best plan in place, an incident is still possible.
In the event of an emergency, the best thing you can do is act fast and have an incident response plan in place. For Florida residents, this includes evacuation plans and robust home insurance.
For companies, your data security incident plans should include:
• Identification: Where is the breach coming from?
• Notification: Who needs to know about the breach, how much do they need to know, and how soon should you report the breach?
• Containment: How to isolate the threat.
• Removal: Eradicate the threat from company devices and networks.
• Recovery: Restore systems and return to full operating capacity.
• Review: Lessons learned and planning for next steps.
And finally, you’ve got to have a plan to practice. If you have a dusty generator in the basement for when the power goes out, it’ll be hard to get it up and running if you’ve never used it before. Your security incident plan is the same—practice it at regular cadences, and whenever any significant update is made to the plan, be sure to review it.
Hurricanes aren’t going anywhere, and neither are cyberattacks. Rather, the digital landscape is changing, and cyberattacks are only becoming more creative and more effective. In this rapidly evolving ecosystem, the best thing you can do for your business is to review and update your cybersecurity policies annually.
Every year, Florida residents prepare for hurricane season. They gather supplies, fortify their windows, bring in outdoor furniture and check their generators. Similarly, your business should review your risk profile regularly and keep an eye on the horizon for any potential storms.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here