In the first and second posts of this three post series, we looked at the essentials “must-haves” of small business cybersecurity, and then at a more advanced list of “better-haves.” In this final post we will look at some advanced concepts and planning that typically are part of the cybersecurity process at larger enterprises. For a small business owner, this may seem like a lot to go through, but again, working with a cybersecurity professional or firm that specializes in this would be best. They have been through the process before with many other clients, and it is a simpler thing for them to complete these tasks than it would be for you to undertake them yourself.
Here are the final 3 steps in creating your cybersecurity plan:
- When considering the costs associated with your cybersecurity program, compare them to the losses you could sustain in the event of a breach. Loss of funds in a compromised bank account are easy to calculate, but consider what the loss of proprietary information, plans and processes could cost your firm. Loss of customer or employee personal data could result in identity theft, and could result in lawsuits and hefty regulatory fines. Average losses to businesses in the US to cybercrime are about $1500 per employee. If you can reduce this amount in your business through a cybersecurity program, this is where you find your budget.
- Develop a contingency and disaster recovery plan. In the event of a cybersecurity breach or other network impacting event, have a plan in place for quickly recovering your business operation. Don’t limit yourself in this exercise to cybersecurity consideration, but plan for fire, flood, burglary and other theft. You need to make a complete inventory of all the computers, servers, printers, and other network devices of course, but a complete inventory of other physical assets will be needed in the event of insurance claims. Store a copy if this document off-site.
- Develop a computer and network use, and cybersecurity policy manual and train it to your staff, especially any new hires. Here again, both the policy creation and the training piece may be best assigned to a specialist in the field.
So that wraps up our series on business cybersecurity. If 2015 is the year you are going to take this issue seriously for the first time, this article and the NIST monograph linked below are a great place to start.
NIST: Small Business Information Security: The FundamentalsShare
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com