I Have Limited Time and Budget; How Do I Start?
By Tim Marlin
1. Build a Security-aware Organization
- A written information security plan. This plan should identify the organization's security policies, goals and priorities, and include, at a minimum, your policies for network security; use of company email, social media, instant messaging and the Internet in general; the handling of proprietary company information; and activities that are prohibited on company-owned devices, networks and other resources.
- Many state regulators request written information security plans when investigating organizations that have experienced a security breach. Having a plan in place not only establishes internal policy for employees, it can also demonstrate to regulators and customers that security is a priority for the organization.
- An inventory of the business's core assets and sensitive data. Identify where this business information is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.
- Access control. Limit access to computers, company networks and confidential data based on an employee's need to know.
- Employee training programs. Workplace security depends upon a workforce that is trained in company protocol, alert to the signs of a potential breach and knows how to respond. Training on basic security practices and policies is essential. Phishing awareness exercises can further help employees recognize and avoid email, websites and phone calls that are designed to infiltrate company systems or steal personal information.
2. Establish Security Safeguards
- Encryption for laptops, desktops and mobile devices. Encryption encodes information so that only the person (or computer) with the key can decode it. While it is not a full security solution, encryption remains highly recommended for all devices, especially those that contain sensitive information. Most newer model mobile phones and tablets come with auto-encryption software pre-installed. Many privacy and consumer protection statutes also recognize the importance of encryption in protecting customers' information and provide safe harbors within the statutes to incentivize businesses to adopt the control.
- Cloud service providers. Outsourcing security management to cloud-based providers is an increasingly viable alternative to an in-house security program. Cloud providers offer expertise in identity and vulnerability management that the SMB needs but often lacks while helping to lower the SMB’s operating costs. However, SMBs should negotiate with providers to ensure they get the security and privacy services that best serve their company's protection needs.
- Password protection and authentication controls. Passwords are the primary means for controlling access to sensitive data resources. Change default passwords and require complex passwords with a variety of types of characters that must be changed every 90-120 days. Multi-factor authentication may be required depending on the type of data being accessed or the source (such as remote users).
- VPN (virtual private network) for remote access. For organizations with remote users, VPN provides a secure channel through the Internet to the SMB’s private network. VPN controls include encryption of all data that is transmitted over the channel, multi-factor authentication, strong passwords and automatic timeouts after a period of inactivity.
- Vendor security. SMBs need assurance that any vendors with which they share company information make security a priority. Before entrusting your data to a third party, get in writing the vendor’s specific controls for protecting sensitive information and augment them with additional controls if necessary. Also require the vendor to return or destroy all sensitive information upon termination of the contract.
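As an added illustration that is not part of the original article, the Python below turns the password and authentication rules above (no default passwords, a variety of character types, rotation within 90 days, multi-factor authentication for remote users) into an audit over a constructed set of accounts. The account fields, the default-password list and the fixed audit date are assumptions made for the example.

```python
from datetime import date

# Assumed policy values, taken from the article's guidance.
MAX_PASSWORD_AGE_DAYS = 90      # lower bound of the 90-120 day rotation window
MIN_CHARACTER_CLASSES = 3       # "a variety of types of characters"
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}  # assumed list
AUDIT_DATE = date(2024, 6, 1)   # fixed date so the audit is reproducible

# Constructed sample accounts (not real data); field names are assumptions.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "password": "admin",
     "last_changed": date(2024, 1, 5), "is_remote": False, "mfa_enabled": False},
    {"username": "jdoe", "password": "Tr4vel-Budget!",
     "last_changed": date(2024, 4, 20), "is_remote": True, "mfa_enabled": True},
    {"username": "rsmith", "password": "Summer2024",
     "last_changed": date(2024, 5, 15), "is_remote": True, "mfa_enabled": False},
    {"username": "backup", "password": "Xy9!Xy9!",
     "last_changed": date(2024, 1, 1), "is_remote": False, "mfa_enabled": True},
]


def character_classes(password):
    """Count distinct character classes: lowercase, uppercase, digit, other."""
    count = sum(1 for check in (str.islower, str.isupper, str.isdigit)
                if any(check(c) for c in password))
    if any(not c.isalnum() for c in password):
        count += 1
    return count


def audit_account(account, today):
    """Return the list of policy violations for one account (empty if compliant)."""
    findings = []
    if account["password"].lower() in DEFAULT_PASSWORDS:
        findings.append("default password still in use")
    if character_classes(account["password"]) < MIN_CHARACTER_CLASSES:
        findings.append("fewer than 3 character classes")
    if (today - account["last_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than 90 days")
    if account["is_remote"] and not account["mfa_enabled"]:
        findings.append("remote user without multi-factor authentication")
    return findings


def audit_accounts(accounts, today):
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    return {a["username"]: f for a in accounts if (f := audit_account(a, today))}


if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(findings)}")
```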
3. Prepare for the Worst
- Identification of an incident response team that includes, at minimum, security staff who are system-savvy and a manager authorized to make decisions on behalf of the business.
- Clear delineation of possible incidents (such as unauthorized access or malicious code) and how to identify and contain them based on the business impact (confidential customer data vs. intellectual property).
- Procedures for eradicating the root cause of the attack and all traces of malicious code, restoring data and software, and monitoring systems for any remaining signs of weakness.
Find an Insurance Carrier That Provides More Than Just Coverage
Publicly Available Resources
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- "Security and Privacy Controls for Federal Information Systems and Organizations," NIST Special Publication SP 800-53
- "SANS: 20 Critical Security Controls You Need to Add," Network World, October 13, 2015
About the Author
Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds.
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.