If your business handles customer data, the past few months might have raised some worrying questions about how secure your systems are and the implications of bringing them up to scratch.
The good news is that cyber security isn’t necessarily an expensive investment in new tech or personnel.
If you’re a small or medium-sized business looking for practical cybersecurity advice, then a great place to start is CISA.gov, the website of the USA’s Cybersecurity & Infrastructure Security Agency.
While there is already great information available here in Australia, the recent attacks on Optus and Medibank and their commonalities suggest that digital security needs to be prioritised.
Owning Digital Security
The great thing about CISA’s guidelines is that they break down advice into manageable chunks, distinguishing between roles within a business. They also make an important point: company directors must not assume that cyber security is the sole responsibility of IT professionals.
To protect a company against malicious attacks, the key thing is to create a culture of cybersecurity that starts at the top. The CEO or MD must commit to putting in place people and procedures designed to minimise the possibility of a data breach.
A crucial step CISA suggests is the appointment of a Security Program Manager. The key takeaway is that this person need not be a security expert or an IT professional.
This person’s responsibility is to ensure that cyber security processes and procedures are followed, and to report to senior leadership at least once a month on progress made and any roadblocks encountered.
Think of them as your cybersecurity implementor rather than a tech wizard.
Multi-Factor is Essential
Once this person is in place (or even before, if you’re able), the next step is to implement Multi-Factor Authentication (MFA) across the company. MFA is not the final word in protecting against cyber-attacks, but the great thing about it is that it protects against so many different types of attack.
To get started, your Security Program Manager should audit your business’s systems and data to create a list of the endpoints that need to be protected and the data they contain.
If it helps, picture a physical filing cabinet containing all your customers’ key information. Now, who in your business has the keys to that cabinet? And what is the potential for them to inadvertently let those keys slip into the hands of an opportunistic thief?
Once the initial audit and enablement are done, don’t stop there. Implement compliance protocols ensuring that MFA continues to be enforced across future system launches, updates, user onboarding and offboarding.
Don’t be the Low-Hanging Fruit
Another key thing to remember about cyber security is that many criminals look for the most vulnerable systems to focus their attacks on.
So, if you don’t want that to be your business, don’t be the low-hanging fruit.
If you make it more difficult for criminals to gain access to your data, they are far more likely to move on to the next potential victim who hasn’t been as diligent in their defence than to go to extra lengths to gain access to your systems.
Endpoint Awareness
The last thing to be conscious of is your company’s various endpoints, with mobile phones likely at the top of the list for many organisations.
Using that filing cabinet analogy, think of a mobile phone as a filing cabinet the size of a stadium that can be lifted out of a pocket or accidentally left on an Uber seat. Now ask yourself: how secure are those devices, what access points do they contain, and what would be the implications of someone outside your company getting access to one of them?
This brings us back to MFA as a multi-purpose line of defence and why it should be the first thing on every company’s cyber security agenda.
Minimise your Data Footprint
While this advice has been focused on preventing bad actors from accessing your data, one other crucial thing that all businesses can do to prevent data from falling into the wrong hands is simply not to hold it in the first place.
Conduct a data audit and ask yourselves seriously as a business whether you need to hold onto all client and customer data. Get rid of anything you don’t need – responsibly and thoroughly, of course.
So, there you have it. That’s just our top-line guide on how to begin the journey to becoming a cyber security-conscious business; for more information, we’d encourage everyone to head over to cisa.gov/small-business for the guidance in full. And if you’re looking for help putting this advice into action with your new or existing apps, websites, and software solutions, we’d love to help: simply contact us here.