So here is the follow-up to yesterday's post, with the last five pieces of advice.
It is not a question of if your IT will be compromised. It is a question of when. Pushing that day as far out as you can, and minimising the damage when it comes, is what matters.
A Danish market analytics company had a bad experience with a recent cyberattack. Not only did it cost them a lot of money, essentially turning a possible profit into a loss, it also laid bare areas for improvement. A lot of companies choose not to talk publicly about being under attack, and while that may have its good reasons, we at Gabiray recommend being as open as possible about the situation. For the benefit of everyone, the Danish company compiled a list of advice that they are now sharing with everyone. We have taken the list, adapted it and elaborated on it with our perspectives on how to better manage your IT Security. (Read the first five here)
#6 Have a procedure for data processing agreements.
In fact, have processes for everything, and remember that behind every business process there is an IT process. When it comes to data processing agreements, it is all about how your vendors store and process your data securely. As mentioned yesterday, in relation to using apps and plug-ins, you need to understand how your data is handled once it is out of your hands. A vendor that does not take care of your data, and of its connections into your systems, is an open back door into those systems.
#7 Educate everyone in the value and importance of IT Security.
This really should be at the top of the list. The great majority of cyberattacks exploit people. From phishing, where fraudulent emails try to make you click links and submit information, to social engineering, where an infected USB drive is left in the car park of an office, only for an employee to pick it up and plug it into their PC. (Yes, that happened.)
Conduct regular IT Security training. Create Security Awareness Campaigns. Test people's responses. Gamify Security to engage your employees. The opportunities are endless.
#8 Remember to high-five each other for being diligent with IT Security.
It is not a waste of anybody's time if someone reports a suspicious Security Incident. No matter how bleedingly obvious it might be to you that this is perfectly legitimate, it might not be to others. And if people are shunned for raising the flag, you can be sure they won't do it again. Throughout your organisation, your employees have to be right every time to stop cyberattacks; the attackers only have to be right once. So make raising Security Incidents the cool thing to do. Commend any behaviour and initiative that helps everyone stay vigilant.
#9 Tell the truth, also in emergencies. It pays off to keep the conversation honest.
Do not be ashamed that your company has come under cyberattack. As said at the beginning of this post, it is not a matter of if, but when. Tell your stakeholders right away, and the press if they ask. If you do not know exactly what happened, say that. Cybercriminals will notice your behaviour, and they certainly think it is easier to do shady deals with companies when it happens outside the limelight. Shine a light on what you are doing to remediate the situation. What are you doing to keep your customers out of harm's way? What are you doing to ensure the situation does not get any worse? What are you doing to ensure your employees still have a job tomorrow?
#10 Hug your Compliance Officer. They are the most important bureaucrat you will ever know.
Anyone who has been grilled by the Compliance Office or an external auditor on, say, ISO standards will know how easy it is to be filled to the brim with resentment towards these nitpickers and their insane level of detail. But rest assured: they are doing it for your sake and for your company's sake. When they keep drilling into areas, it is because they want the best for you. They want you to be resilient, not towards them, but towards the threats their processes aim to thwart.