Data Privacy Day is a great time to review cyber security best practices that organizations can follow to safeguard their sensitive data and information. Arroyo Consulting’s security team is led by Frank Platt, a 20-year cyber security and risk management professional. He offers this advice:
“Cyber security is all about risk reduction,” Platt said. “Everyone within an organization has a role to play in increasing the company’s security profile and making the environment – whether physical or cyber – more secure. I believe these three tips are critical for large and small companies since we are in a global business environment where information is steadily under attack.”
1. Develop an internal culture of safety awareness that emphasizes training and education. Cyber security starts with the education of senior leadership, who must understand that their people are the first line of defense in any security program. Employers should ask themselves, “How am I training my employees to be situationally aware? Do they know about the current sophisticated email campaigns that lure them into opening suspicious messages or malicious attachments?”
While safety training is important for end users, it is also critical for the application development team and network engineers. Developers are under constant pressure to deliver code quickly, and in the haste to complete an application, a security review can take a back seat. Network technology is likewise continually changing and evolving. There should always be a final check of the code and the network systems, before release, for any gaping errors that would introduce security vulnerabilities.
A comprehensive culture of safety training makes staff and employees aware of the need to participate actively in reducing risk and raising the organization’s security profile.
2. Identify and classify your data and information assets. Organizations should clearly identify their high-value vs. low-value assets and determine what level of protection each receives, because we have limited capital and where we choose to spend our resources is critical. For example, if I am responsible for securing a toothbrush, a watch and a computer in my house, I will most likely use more resources to secure the assets with higher value.
The same is true in a cyber security environment. Organizations should complete an assessment to clearly identify their assets and place each one in one of three classifications:
a. Public information (for example, information that is readily available on the internet or from other public sources)
b. Private information (for example, a recruiting database that contains candidates’ career profiles and contact information)
c. Sensitive information (for example, an organization’s human resources and payroll files)
A business’s ultimate goal should be to keep its most sensitive information in high-value vaults: the systems with the most tightly restricted access, limited to the internal personnel who need it and hardened against external threats.
3. Develop an incident response plan. Last but not least, organizations should be prepared for an incident or security breach should one ever occur. Incident response plans should be in place and tested periodically, for example through table-top exercises that measure the organization’s preparedness for a disaster. Legal, forensics and public relations teams should also be lined up in advance so that, if the worst-case scenario presents itself, the business is ready to respond and to minimize damage to its information infrastructure, its business operations and its brand.