Prepare yourself for a harsh truth: technology cannot always protect you. In fact, a large number of attacks are aided by a company’s lack of requirements and restrictions, not by a lack of the newest software. When creating a security plan, build your strategy from the ground up: begin by identifying where threats can come from, then define what non-technology-based barriers you can put in place as preventive measures.
To ensure you are prepared for an attack from all directions, break security into four categories: physical security, IT security, cyber security, and records management.
Although you may not think about it now that so much information is kept digitally, it is still vital to protect your physical office building. Employees feel safe inside the office and tend not to be concerned about leaving around documents containing confidential information; why would they if everyone in the office has access to the information anyway? But, what if you are not properly restricting access to your office? It would be very easy for someone to come in, take a picture of the important information, and leave.
Physical security requires that you know who is in the building at all times. Employees should use key cards that only allow them access to where they need to be and guests should be given badges to identify them and require an escort. Don’t ignore this category of security. It would be bad for business (and kind of embarrassing) if you invested time and money in digital security and an attacker stole from you using information they grabbed off a desk.
Yes, IT security contains components that are not necessarily technology based, and the most important of those components is restriction. This idea is simple – don’t give everyone access to everything. How you go about giving people access to only what they need is up to you. You can simply avoid giving some people access to a server, or create separate servers for each department.
Cyber security relies so much on employees making smart decisions online that it could be beneficial to write up a separate cyber security plan in layman’s terms to distribute to employees.
Cyber security includes teaching employees the importance of password protection, avoiding transactions over public Wi-Fi, remaining vigilant about spam emails, and the rules surrounding BYOD. This sounds very straightforward, but many people are still ignorant of the importance of cyber security and hold the “it won’t happen to me” mentality; in fact, “password” is still the most common password. Don’t ever assume that people know the rules of cyber security – teach them all, even the most basic.
Records management is where you will likely get the most pushback from employees. If you want to protect your records, you need to regulate what format they are in, where they are kept (on paper and electronically), who keeps them, how long they are kept, and what happens to them at the end of their life-cycle.
This is a big task, but if you allow duplication of confidential information, storage on unsecured servers, or improper disposal, you could be setting yourself up for an attack.
All of the above security measures may seem like common sense to you, but you are a security expert; many of the people you are managing know only as much about security as you teach them. Take the time and effort to tackle these non-tech, educational preventive measures and we bet you will be pleasantly surprised at the decrease in security issues.