Cybersecurity & Compliance: The Focus of 2016 – Part 2
Leverage your IT to Get Ahead of Your Competitors
A properly planned, secure IT infrastructure and cyber security plan is now a business asset.
In part one, we outlined how your IT infrastructure can be a competitive advantage. This post outlines a high-level strategy for implementing it.
1. IT Considerations
Your IT infrastructure will typically consist of hardware and software components, and both typically cross over into compliance. For example, if you have network jacks in open areas, they should not be live if you want to be PCI compliant. Group policies for end-user staff help mitigate risk if they clearly define which permissions and which software are authorized for use. You may also want to investigate whether your firewall has the latest technologies, such as NGFW (Next Generation Firewall) or UTM (Unified Threat Management), to handle rising threats that typical anti-virus/anti-malware software will not be able to stop. BIT utilizes firewall products from WatchGuard that have both technologies and have pre-built reporting for compliance purposes with its Dimension software.
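The "no live jacks in open areas" point is easy to state and easy to drift from as patching changes. The script below is an added example, not part of the original post or any vendor tool: it parses a constructed sample of switch port status output (in the style of a "show interfaces status" listing, which is an assumption about the format) and reports every port whose description places it in an open area but which has not been administratively disabled. The area prefixes and port descriptions are constructed for the example.

```python
"""Audit switch ports in open areas that are still enabled (added example).

Assumptions (not from the original post): SAMPLE_STATUS is a constructed
listing in the style of a switch's "show interfaces status" output, and a
port's description (Name column) identifies the area it is patched to.
"""
import re
from dataclasses import dataclass

# Constructed sample: interface, description, status, vlan, duplex, speed, type.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan   Duplex  Speed Type
Gi1/0/1   Reception-Desk     connected    10     a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   Lobby-Wall-A       notconnect   10     auto    auto   10/100/1000BaseTX
Gi1/0/3   Lobby-Wall-B       disabled     10     auto    auto   10/100/1000BaseTX
Gi1/0/4   Meeting-Room-1     connected    10     a-full  a-1000 10/100/1000BaseTX
Gi1/0/5   Finance-Office-3   connected    20     a-full  a-1000 10/100/1000BaseTX
Gi1/0/6   Cafeteria-East     notconnect   10     auto    auto   10/100/1000BaseTX
"""

# Description prefixes for areas that visitors or the public can reach (constructed).
OPEN_AREA_PREFIXES = ("Lobby-", "Meeting-Room-", "Cafeteria-")

# Only data rows carry one of the known status keywords in the third column,
# so the header line is skipped automatically.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(connected|notconnect|disabled|err-disabled)\s+(\S+)"
)


@dataclass(frozen=True)
class Port:
    name: str
    description: str
    status: str
    vlan: str


def parse_status(text: str) -> list:
    """Parse the status listing into Port records, ignoring non-matching lines."""
    ports = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ports.append(Port(*match.groups()))
    return ports


def is_open_area(port: Port) -> bool:
    return port.description.startswith(OPEN_AREA_PREFIXES)


def live_open_area_ports(text: str) -> list:
    """Return names of open-area ports that are not administratively disabled.

    "connected" and "notconnect" both count as live: a notconnect port is idle
    but still enabled, so anything plugged into that jack would get a link.
    """
    return [p.name for p in parse_status(text)
            if is_open_area(p) and p.status != "disabled"]


if __name__ == "__main__":
    for name in live_open_area_ports(SAMPLE_STATUS):
        print("open-area port still enabled:", name)
```

Run against the sample, the report names Gi1/0/2, Gi1/0/4 and Gi1/0/6; the disabled lobby port and the staff-only ports are not flagged. Scheduling this against a nightly export of port status turns the compliance requirement into a repeatable check with a record that an auditor can read.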
2. Business Continuity and Disaster Recovery
Only 35% of small businesses have a Disaster Recovery Plan (DRP). Surprisingly, for 70% of the businesses that do have a DRP in place, their backups and plans do not succeed. Creating and documenting your DRP is the first step. The plan should include periodic testing, training and also an audit review. In the past few months, ransomware has targeted hospitals, and unfortunately in some cases payments were made to restore data and operations. When you add up the downtime and lost productivity, the ransom itself is probably a small part of the total cost.
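The 70% figure above is what "periodic testing" is meant to catch: a backup job that runs but does not produce a restorable copy. The following added example, not from the original post, shows the minimum such a test should do. It builds a small constructed backup archive in memory, records a SHA-256 manifest at backup time, then performs a trial restore into a scratch directory and checks every file against the manifest. The second half simulates a stale backup (one file changed since the last run, one never included) to show that the test reports it. All file names and contents are constructed.

```python
"""Trial-restore a backup and compare it with its manifest (added example).

Assumptions (not from the original post): backups are tar.gz archives and a
manifest of path -> sha256 is written when the backup is taken. The files
below are constructed sample data.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

CONSTRUCTED_FILES = {
    "finance/ledger-2016.csv": b"date,amount\n2016-01-04,1200.00\n",
    "hr/policies/byod.txt": b"Personal devices must be enrolled before use.\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Create a tar.gz archive in memory plus a manifest of path -> sha256."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {path: sha256(data) for path, data in files.items()}
    return buf.getvalue(), manifest


def trial_restore(archive: bytes, manifest: dict) -> dict:
    """Restore into a scratch directory and compare each file with the manifest.

    Returns {"ok": bool, "missing": [...], "corrupt": [...]} so the outcome
    can be filed as evidence that the DRP was tested on a given date.
    """
    missing, corrupt = [], []
    # Use the safer extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Never let an archive entry write outside the scratch directory.
                target = (root / member.name).resolve()
                if root != target and root not in target.parents:
                    corrupt.append(member.name)
                    continue
                tar.extract(member, root, **extract_opts)
        for path, expected in manifest.items():
            restored = root / path
            if not restored.exists():
                missing.append(path)
            elif sha256(restored.read_bytes()) != expected:
                corrupt.append(path)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def demo() -> tuple:
    """Return (result for a good backup, result for a stale backup)."""
    archive, manifest = make_backup(CONSTRUCTED_FILES)
    good = trial_restore(archive, manifest)
    # Simulated failure: the ledger changed after the archive was taken and the
    # HR folder was never added to the job, but the manifest still lists both.
    stale_archive, _ = make_backup({"finance/ledger-2016.csv": b"date,amount\n"})
    bad = trial_restore(stale_archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("current backup:", good)
    print("stale backup:  ", bad)
```

The good backup reports ok with empty lists; the stale one reports the ledger as corrupt and the HR file as missing. Keeping the manifest separate from the archive matters: if both are produced by the same broken job, a manifest built from the archive itself would pass. In a real DRP test the restore goes to an isolated host, and the result is recorded alongside the date and the person who ran it, which is what the audit review in the plan looks for.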
3. Policies and Compliance
All policies should be documented. Do all staff know the BYOD policy? You need to double-check where IT and regulatory compliance cross over. A good example is where data is stored or hosted: health-based companies in Canada may have to store their data in Canada, and to make matters confusing, every province has different rules. If your organization handles credit card transactions, then you need a high-level awareness of the 12 PCI DSS (Payment Card Industry Data Security Standard) requirements. When implementing policies and compliance, it is important to realize that input and involvement will probably be required from departments across the whole organization, not just IT.
4. Cybersecurity Plan
Ian Russell from IIAC mentioned that an Incident Response Plan (IRP) should be developed. “If you don’t have a plan, valuable time will be wasted trying to figure out who should be doing what.” The most critical component of your plan is periodic user awareness training. With ransomware on the rise and a record number of CEO fraud cases, awareness training should be part of the plan and conducted at regular intervals. As larger corporations invest more in security, cyber-criminals will go after easier targets such as SMBs. Even if you have everything above implemented and documented, there is still no guarantee that your organization will evade an attack. Some organizations have even added cyber insurance policies in addition to the typical directors' and officers' insurance that executives may have.
If you want more information on how to prepare your own plan please contact us.