6 Questions You Need to Ask Your IT Team About Your Company’s Cybersecurity Defense
Many executives make the mistake of thinking that if their cybersystems are working right, their business must be maintaining adequate information security programs. If airlines used the same logic for their planes, they would only perform repairs when something failed. In most cases, that would be too late to save the plane or the passengers.
Like an airplane, your information security systems need to be checked before, during and after every use in order to identify the minor glitches that can lead to catastrophic failure under stress. They also need to be pulled out of service from time to time so they can be checked and overhauled more thoroughly.
Six Cybersecurity Questions CEOs Should Be Asking
Most executives don’t have the technological experience to analyze systems on their own, but there are questions you can ask your team in order to gauge the effectiveness of your current information security strategies. They include:
- Do we have an information security program?
This may sound crazy, but some businesses do manage to get by with just a collection of different security practices that don’t link together to form a solid wall around their data. If you ask this question, the answer should describe a network of interconnected hardware, software, and employee training and awareness protocols that form a cohesive defense, not a list of standalone items like passwords and anti-virus software.
- What is the organization’s information security framework?
Most programs are based on an information security framework, which is basically a checklist of best practices readily available from places like the National Institute of Standards and Technology (NIST). Are your IT department and cybersecurity team using a checklist and reporting the results to you?
- Have we done an information security assessment? If so, when, and what were the results?
An assessment is basically a review of your current information security program against the framework checklist. On an ongoing basis, your systems should get a thorough review, and you should get a thorough briefing, to make sure that your company’s cybersecurity defenses are adequate to address the latest threats.
- What is our information security commitment? Does our information security budget commitment match our threat level?
Cybersecurity budget numbers determine what your business can do within the budget period. If your assessment shows that information security is lacking, what resources are available to improve it?
In an upcoming blog post, I’ll be discussing cybersecurity budgeting in greater detail, but to give you a bird’s-eye view of what spending looks like on a worldwide basis, look at the following data from Gartner, Inc.
The takeaway? Spending has increased by about 23% over the past 3 years.
- What is our information security training?
Information security training needs to work at two levels. You need your information security staff to learn constantly about the new threats that businesses face. But a business’s information protection efforts are only as strong as its least wary employee. Everyone who touches a keyboard linked to your servers, even people who use private devices on your Wi-Fi network, can expose your digital assets to breaches, viruses and ransomware.
All those users need to stay on the lookout to prevent an attack, and you need to know how your IT team is bringing employees to the battlefield when it comes to protecting your company and its customers from hackers.
- What is our plan for an information security failure?
These days, no information security plan is complete until it acknowledges the possibility that it can be breached and includes instructions for people to follow if that happens. Customers are much more willing to forgive a breach when a business shares accurate information about it quickly and helps to minimize the damage done.
Review your company’s plan with your IT and cybersecurity team, and if necessary, engage the services of a cybersecurity consultant to help you prepare a response to a breach of your customers’ data and of your reputation.
Put a Cybersecurity Assessment, Remediation and Action Plan in Place
With the information gained from a self-assessment, many executives wonder what their next step should be.
Above all, do SOMETHING.
Many organizations paralyze themselves trying to choose between good options when the most important thing they need to do is move forward. For example, say a business performs a security assessment and determines that its password protocols are weak. To strengthen the protocols, it could either require longer passwords with a wide variety of characters that remain stable over time, or it could allow less rigorous passwords but require that they be changed frequently. Either option is a positive step. But every day that the business delays implementation with discussions about which is best is a step backward.
When you’re ready to do something, here’s a suggested order for addressing your information security concerns:
- First, protect against the major vulnerabilities.
- Next, implement changes that address multiple weaknesses. Some improvements can clear several red flags on your checklist at once.
- Then fix the easy stuff. Some changes can be as quick as instructing all employees to change their passwords this week. If vulnerabilities have been identified in connections to the network from offsite, a temporary ban on telecommuting could prevent the situation from getting worse while you work on a more permanent fix.
Contact the Cybersecurity Experts at DataSure24
For more information about maintaining and improving the day-to-day information security of your business’s systems, contact DataSure24 at 716.600.3724 or connect with us here.