The recent security breach at Sony underscored not only the need for better security in protecting sensitive internal documents and information, but also the appalling lack of care being taken on an individual level to protect passwords and manage sensitive conversations and data.
As a business owner or manager, you've heard time and again how important it is to delegate in order to streamline processes and be more productive – and more profitable. Delegating does not mean turning a blind eye, and when it comes to cybersecurity you need to take an active role in ensuring your data is adequately protected.
The key to effective management begins with understanding the types of threats that exist and how they're evolving, and with identifying new threats as soon as they begin to emerge. Management should develop actionable steps to counteract potential breaches, looking for weaknesses at every level: individual employee passwords and use of personal devices like smartphones; the way data is encrypted and stored in the cloud; and how files are kept on any on-site or remote servers.
Regular reviews and external assessments can help find gaps an internal team may miss; consider a Security Audit Insurance review to document vulnerabilities and remediation plans.
Strong, company-wide policies backed by employee education programs and Q&A sessions are the cornerstones of an effective cybersecurity policy. Managers must clearly communicate to employees at every level the roles they play in protecting the company so BYOD and other policies are seen as protective rather than punitive.
Involving employees in cybersecurity discussions also helps ensure their cooperation and compliance. One more lesson from the Sony breach: the attackers focused on employee emails, revealing information that proved both embarrassing and potentially costly, yet many businesses fail to consider emails and personal files when designing security measures.
Physical security and vendor oversight matter as well: coordinate IT efforts with on-site teams, and review relevant insurance and vendor protections, such as Security Agencies Insurance where appropriate, to ensure access controls and incident response plans are aligned.
In a nutshell, companies that assess and manage cybersecurity issues as vigilantly as they do financial, operational, and reputational risks have the greatest chance of thwarting attacks and breaches. Start today to plan how to avoid breaches as well as how to respond if a breach does occur, and if you need help, talk to an agent.
Frequently Asked Questions
What basic steps should a small business take to improve cybersecurity?
Start with strong password policies, multi-factor authentication, regular software updates, employee training, and clear BYOD rules.
How often should access privileges and passwords be reviewed?
Review access privileges at least quarterly and require password changes or multi-factor authentication when roles change or on a regular schedule.
Should employee emails and personal files be included in security planning?
Yes; include email and personal file handling in your policy, and apply encryption, retention limits, and monitoring where appropriate.
When should a company involve outside experts or insurers?
Bring in outside experts when internal resources are limited, after a security incident, or when conducting a formal risk assessment or audit.