Cybersecurity continues to be a hot topic, and it’s a big one. The threat that a breach in your organization’s data security poses is real, and that threat is increasing even more with the introduction of AI. The potential loss can be significant (data, intellectual property, financial assets), and the investment to secure your business can be substantial.
For government contractors and regulated businesses, compliance with a specific cybersecurity framework like PCI, NIST, CMMC, HIPAA, or SOC-2 is required. If you look closely, you’ll find that most cybersecurity horror stories start with some basic weakness that every one of these cybersecurity compliance standards addresses. Achieving a strong compliance score against any one of these industry standards means your organization is well-protected.
Here are some foundational questions to help you perform a self-assessment of your organization’s cybersecurity strength.
- Let’s start with your devices. Are your devices protected by a screen lock or password? If one of your devices was stolen, are you sure no one could read the data on it, even if they can take the device apart?
- Passwords and logging in are next. Whenever and wherever you log in, are you using login credentials unique to you instead of a shared login that others also use? When you log in, do you also have to type in a code sent via text message or shown in an authentication app (referred to as Multi-Factor Authentication)?
- How about software and apps? Do you have an inventory of every piece of software your team uses to access, process, and store important data, including cloud apps like Dropbox, Zoom, or Google?
- Watch out for the weakest link. Consider all the software solutions used by your teams, including SaaS or cloud services. Do they all have the same security protection, including no shared logins, strong passwords unique to that platform, and an additional layer of authentication with MFA?
- Keep secrets secret, but not for too long. Most of us are concerned about who can see our files and data. But do you know how long that file should be kept based on your business needs, and what the legal or compliance ramifications are whether you keep data for too long or not long enough? When you delete a file or data, can you ensure it’s gone for good and not recoverable, even if it’s on a thumb drive, tape, or other removable device?
- Security is everyone’s job. Most new hires have a mountain of paperwork to complete, and that usually includes something about the acceptable use of technology within your organization. Do you offer training to drive those points home, especially on how to use technology safely? And are you reminding your employees of those lessons with ongoing training?
- Don’t forget about the cloud. When employees permanently leave your organization, you probably turn off access to their accounts and devices as soon as possible. But does that include all your systems and software, even the ones in the cloud like Dropbox or Zoom?
- Hope for the best, and plan for the worst. We all know you need to back up your data. But have you recently tried to recover something important, just as a test?
- It’s a team effort. If you have partners and vendors (and we all do), do you have anything in place (in writing) that ensures they’re conforming to your security measures, just as you are?
- Let’s talk process, planning, and ownership. Do you have a person or team in place tasked with ownership of your organization’s cybersecurity program? Is this individual or team developing your set of policies and procedures, starting with executing on the basic measures addressed in this self-assessment, like implementing Multi-Factor Authentication and socializing the best password practices among your employees? Is your internal “cyber task force” routinely updating your cybersecurity policies and procedures as technology evolves and new threats emerge?
If you answered “yes” to all or most of these questions, congratulations. You have solid cybersecurity practices in place to reduce the risk of data breaches, and the damage they can inflict.
For any questions you answered “no” to, this is an area that needs attention. In the context of the industry compliance frameworks mentioned earlier, not having a particular protection in place leads to a lower score because a data breach can happen in many ways. The more protections you put in place, the fewer ways bad actors have of infiltrating your data systems.
A solid cybersecurity plan and ongoing process is a “must have” and a “must do” for every organization.
Our team of cybersecurity experts are here to help, whether it’s time for a cybersecurity assessment, technical implementation of cybersecurity solutions, a cybersecurity program design, or team training. We work with organizations of every type, including those that need to stringently adhere to complex security frameworks like PCI, NIST, CMMC, HIPAA, or SOC-2.
