Cybersecurity DIY Do’s and Don’ts

Oscar Wilde once wrote: "Experience is simply the name we give our mistakes." Building a cybersecurity program from the ground up is a massive undertaking, so learn from the experience of someone who built the program used by one of the nation's top 100 banks. Here is a list of do's and don'ts to guide you in architecting the cybersecurity of your business from the ground up.

1. Set your expectations.

If you attempt to focus on everything, you won't achieve anything. Set a few achievable goals, which might sound something like this:

· I want to do as much as I can without spending a dime.

· I want to be reasonably protected as fast as possible.

· I want the best protection I can afford.

· I want to make sure my payroll system is protected.

· I want to make sure I don't lose this particular database to ransomware.

2. Understand your business.

Your cybersecurity program needs to protect the people, processes, and technology used to convert opportunities into value. Choosing security controls without understanding the business is like an insurance salesman selling boat insurance to a man who doesn't own a boat. Start by answering these three questions for each revenue stream:

People question: Who generates value?

Process question: How is value generated?

Technology question: What systems or tools are used to generate value?


Take a well-known paper company, for example:

People question: Who generates value?

· Dwight, Jim, Stanley, and Phyllis handle sales

· Darryl and Craig manage inventory

Process question: How is value generated?

· Sales staff call customers and key sales information into the computer at their desk.

Technology question: What systems or tools are used to generate value?

· Sales desk computers and the sales information system

· The warehouse uses box trucks to deliver product

 

Once you have a few answers about your business together, run a highlighter over each of the nouns in your chart. For every highlighted word, imagine it failing or disappearing: What happens when Dwight gets a new job? How will sales staff keep track of sales if the system goes down? How long can the warehouse operate without a box truck? These questions are the starting point for performing Business Impact Analyses (BIAs); completing them for the whole business should be considered a long-term goal. Our friends at Ready.gov have some excellent supplementary information on BIAs at the link below.

https://www.ready.gov/business-impact-analysis

Your program won't be complete until you've performed this exercise for all of your processes, not just the ones that are measured in Accounts Receivable, but focusing on revenue-generating processes first is an excellent place to begin.

3. Start leveraging the security features you already have.

In step 2, our paper company identified a critical system: the computer at each salesperson's desk. What security features are already built into those systems? Most devices have a treasure trove of security settings (built-in antivirus, the host firewall, disk encryption, automatic updates, account controls) just waiting to be turned on. Small businesses will struggle here, as they're typically caught between consumer-grade tools and enterprise security suites with an overwhelming cost. Remember the goals you set in step 1; don't get distracted by whether or not the antivirus built into your operating system is good enough. Take advantage of what you have today, remembering that even a bad strategy usually beats no strategy at all.
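As an added example (not part of the original article), the script below audits the security features that ship with a Windows 10/11 desktop such as the sales desk computers above: Microsoft Defender real-time protection, the host firewall on every network profile, BitLocker on the system drive, User Account Control, and the state of the built-in Administrator account. It assumes a Windows 10/11 machine and an elevated PowerShell session; the remediation commands only run when the hypothetical `-Fix` switch is passed, and BitLocker is reported rather than changed because enabling it needs a recovery key decision a script should not make for you.

```powershell
# Added example, not the article's own code. Assumes Windows 10/11 and an
# elevated (Run as administrator) PowerShell session. -Fix is a hypothetical
# switch defined here; without it the script only reports.
[CmdletBinding()]
param([switch]$Fix)

$script:findings = @()
function Add-Finding($Control, $Status, $Detail) {
    $script:findings += [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

# 1. Built-in antivirus: Defender real-time protection must be on.
$mp = Get-MpComputerStatus
if ($mp.RealTimeProtectionEnabled) {
    Add-Finding 'Defender real-time protection' 'OK' "Signatures updated $($mp.AntivirusSignatureLastUpdated)"
} else {
    Add-Finding 'Defender real-time protection' 'FAIL' 'Real-time protection is off'
    if ($Fix) { Set-MpPreference -DisableRealtimeMonitoring $false }
}

# 2. Host firewall: enabled on Domain, Private and Public profiles.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -eq 'True') {
        Add-Finding "Firewall ($($p.Name))" 'OK' "Default inbound action: $($p.DefaultInboundAction)"
    } else {
        Add-Finding "Firewall ($($p.Name))" 'FAIL' 'Profile is disabled'
        if ($Fix) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
    }
}

# 3. Disk encryption: a stolen laptop with BitLocker off is a data breach.
#    The BitLocker module is absent on Windows Home, so check for the cmdlet first.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ("$($bl.ProtectionStatus)" -eq 'On') {
        Add-Finding 'BitLocker (system drive)' 'OK' "$($bl.EncryptionPercentage)% encrypted"
    } else {
        Add-Finding 'BitLocker (system drive)' 'WARN' 'Not protected; enable BitLocker and store the recovery key off the device'
    }
} else {
    Add-Finding 'BitLocker (system drive)' 'WARN' 'BitLocker cmdlets not available on this edition'
}

# 4. User Account Control: EnableLUA=1 keeps installers and malware from silently running elevated.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $sysPolicy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($uac -eq 1) {
    Add-Finding 'User Account Control' 'OK' 'EnableLUA = 1'
} else {
    Add-Finding 'User Account Control' 'FAIL' 'UAC is disabled (change takes effect after reboot)'
    if ($Fix) { Set-ItemProperty -Path $sysPolicy -Name EnableLUA -Value 1 }
}

# 5. Accounts: the built-in Administrator (RID 500) should be disabled, and the
#    local Administrators group should hold only the people who need it.
$builtinAdmin = Get-LocalUser | Where-Object { "$($_.SID)" -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    Add-Finding 'Built-in Administrator account' 'FAIL' "'$($builtinAdmin.Name)' is enabled"
    if ($Fix) { Disable-LocalUser -Name $builtinAdmin.Name }
} else {
    Add-Finding 'Built-in Administrator account' 'OK' 'Disabled'
}
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$adminStatus = if ($admins.Count -le 2) { 'OK' } else { 'WARN' }
Add-Finding 'Members of local Administrators' $adminStatus ($admins -join ', ')

# Report, and exit non-zero if anything failed so the result can be tracked over time.
$script:findings | Format-Table -AutoSize
if ($script:findings | Where-Object Status -eq 'FAIL') { exit 1 } else { exit 0 }
```

Run it once per desk computer as `.\Audit-Desktop.ps1` to see where you stand, then `.\Audit-Desktop.ps1 -Fix` to switch on what is off. Keep the first report: it is the "before" picture that step 4 asks you to write up.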

After setting up device-level security, where else can we find security settings? Nearly every application you use, from Google Workspace to payroll systems and databases, has its own security settings. It's easy to get lost here, especially in a major application suite like Office 365, so keep an eye out for two-factor authentication (2FA) or multi-factor authentication (MFA) settings first. These can be tedious to set up and can invite criticism from your workforce, but a business that uses MFA is more secure than one that relies only on a password: a phished or reused password alone no longer gets an attacker in. Where the application offers a choice, an authenticator app or hardware key is a stronger second factor than a code sent by SMS.

"Where there is no vision, the people perish."

4. Put your strategy into words.

Don't let the work you've done so far go to waste. The best way to stay protected is to document your strategy. Keep this document short and write the vision. Use plain, motivating language that describes the goals you set in step 1 and ties them to the work you performed in step 3, for example:

My Paper Company provides the most secure sales experience we can afford, and we do that by requiring every salesperson to enroll in multi-factor authentication. When we buy new technology, we will always ask whether the new application supports MFA.

Add some verbiage in there about how your device security fits in, put it on the company letterhead, and call a staff meeting.  You’ve just put together your Information Security Policy.

5. Make it important.

If the company's leadership doesn't care about the new policy, no one will. When disseminating your new policy to coworkers, simplicity is key. More effective than a 20-slide PowerPoint or a weekly meeting is simply stating these words: "This is important to me, and I want it to be important to you, too."

An inconvenient truth in cybersecurity is that a program is never complete, because there will always be new ways to steal money, information, and access.  Performing these steps alone doesn’t turn your business into Fort Knox, but it does give you a starting point – and that’s something you can work with.