How To Do a Cybersecurity Self-Assessment

March 4, 2023

Every business owner or leader needs to take steps to protect their organization from potential cybersecurity threats. Business leaders know their business, but they often do not know where to start on their cybersecurity journey.

Here’s a framework to get started.

Step 1: Identify your business assets. That’s just a fancy way of saying you need to make a list of all the computing devices, applications, and data that your business uses and stores.

  • Identify where each asset is located and who has access to it.
  • For all your data, determine the importance and sensitivity, and think about potential problems if you no longer have access or if it falls into the wrong hands.

Step 2: Evaluate your current security practices. What are you currently doing to protect your sensitive information? This includes not only electronic measures, but steps to keep unauthorized people from physical access.

  • Be sure to review your existing policies and procedures related to cybersecurity.
  • Evaluate the physical, technical and administrative controls (a fancy word for something you do to protect data) you have in place.
  • Take note of how you handle updates to software.
  • Consider doing a vulnerability assessment or vulnerability scan.

Step 3: Identify potential cybersecurity threats. These are bad things that can happen to damage, steal, disrupt, or generally cause harm to your business. Ask some questions and write the answers down…

  • What are common threats to all organizations?
  • What are threats that are special to your industry?
  • Are there threats more likely than others?
  • What would be the impact of the threat causing harm?
  • For each threat you identify, consider the impact of the threat and the likelihood of it happening. Together these can be used to prioritize which threats to address first.

Step 4: Create a cybersecurity plan. The plan should address the highest-risk threats identified above.

  • Create policies and procedures that support the plan.
  • Assign roles and responsibilities for the plan to staff (or maybe just yourself!).
  • Modify your budget to make cybersecurity a priority.
  • Be sure to include the necessary work for responding to a cybersecurity incident.
  • A plan doesn’t do any good unless you implement the plan (see the next step).

Step 5: Implement the cybersecurity plan. Make sure someone is responsible for doing the necessary work.

  • Implement any technical controls (like 2-factor authentication or immutable backups).
  • Ensure all staff know and understand their responsibilities with new policies.
  • Update software and hardware as needed.
  • Conduct cybersecurity training for everyone.

Step 6: Monitor the plan and test your security. This step helps you to know the plan is working.

  • Many cybersecurity frameworks require you to regularly conduct vulnerability assessments, monitor security logs, perform staff awareness training, and review and update security policies.
  • Be sure to also plan for annual review of the cybersecurity plan and adjust as necessary.

These steps can help small and mid-sized businesses keep their cybersecurity in good shape and protect the assets of the organization. Review the plan. Update the plan. Make sure what you are doing is relevant.
