So you’re a small to medium-sized organization, let’s say up to 500 employees. If you don’t have a cyber security program, where do you start?
You need to discuss, plan and then act to ensure an appropriate level of cyber security for your operation. To repeat: act on your plan. Don’t be like the many organizations that wait for a crippling event, such as a breach or a ransomware attack that brings the operation to a grinding halt and rips customer and employee confidence to shreds, and only act after the fact.
So you need a cyber security program and it needs to be acted upon. What are some of the key elements?
If you have no plan at all, a security threat and risk assessment (often called a “security assessment” for short) is a great place to start. A security assessment looks at the business you are in, what sort of information you manage, your reliance on IT systems, and the relevant legal and regulatory requirements. With that in mind, the assessment examines how your IT is operated and managed, identifies the major risks faced by the business, and makes recommendations on how to address the worst of them. A good assessment will give you a high-level action plan. Once you know the risks, you can prioritize how to address them within the constraints of your business plan.
It’s a good idea to repeat an assessment periodically, depending on how quickly your operation is growing and how fast the field in which you operate is changing.
At least once a year you should have a pentest, short for penetration test and sometimes called “ethical hacking”. A pentest simulates the attempts of an attacker to get into your IT systems and disrupt their operation or steal information. It can range from a fully automated process through to a more complex undertaking involving customized approaches, depending on how attractive a target your business presents to possible cyber attackers.
None of this is new, but these basic measures will greatly help.