Whether an organization is a small, medium or large business, it needs cybersecurity expertise. Without it, the company is vulnerable to attack and is putting its risk in the hands of others.
Cybersecurity is important to the company’s overall success in today’s digital age. Malicious parties and hackers are accessing information and can poke around in internal and external communications, not to mention financial transactions. By having a cybersecurity plan and team in place, you can dramatically decrease your risk of attack as well as increase the likelihood you can recover quickly and fully.
Also, having a team actively focused on your cybersecurity will improve the perception of your business to your staff and customers.
It doesn’t matter if the business is a high-tech goliath or a low-tech local business with only a handful of employees; a critical component of a well-established, well-managed organization is effective cyber governance. Though the more “tech enabled” the business, the greater the risk.
The SEC Keeps a Watchful Eye
The SEC, or Securities and Exchange Commission, has been updating and expanding its guidance. The “2018 Guidance”, or “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, recognizes, quite profoundly, the importance of the role cybersecurity plays for both a stable market and a company’s health.
To supplement this effort, the SEC has created a cybersecurity website. Companies can visit www.sec.gov/spotlight/cybersecurity for compliance toolkits, educational resources, as well as helpful alerts and bulletins. There is an email update signup form on the right-hand side to receive news on cybersecurity.
Further, the SEC has a “Cyber Unit” that targets and finds many kinds of cyber-related misconduct. This includes market manipulation, which can spread by hacking, false information, intrusions, and attacks on market infrastructure and trading platforms.
If the SEC is telling us to be watchful over cybersecurity, then businesses must heed that warning. US companies must be proactive and prepared.
Cybersecurity Candidates are Not All Created Equal
According to a recent Forbes article, there may be a bit of inequality for businesses based on size because top cybersecurity talent wants to work for big companies with interesting problems. The tasks offered by a small bank, for example, may not seem as attractive as those at a large aerospace company with thousands of employees globally.
It’s not just the scope of the business; it also comes down to dollars. Bigger organizations can offer the high salaries that niche cybersecurity candidates demand. DICE recently released a report stating that the job title “Director of Security” earns, on average, more than $178,000 annually, which isn’t surprising given supply and demand.
But what does all this mean to small and mid-sized businesses?
Build Your Cybersecurity Team Right Now
It’s a simple thing to tell an organization to “create your cybersecurity team.” It’s a completely different thing to have a well-prepared cybersecurity team, with a plan that has been tested recently.
It starts with focusing on cybersecurity proactively.
You can hire someone from the outside, such as a full-time specialist or a consulting firm; you can task your internal resources; or you can ask one of your current IT providers to add this to their scope of work.
This doesn’t mean you should outsource it; it means you can have a resource help you create cybersecurity efforts, which should definitely include an internal team focused on mitigating the risk of hacks, pre-planning the response and recovery process, and dealing with the inevitable attacks when they come.
How to Get Started?
Step 1: Look around your office.
- Who and what role would most likely be tasked with leading the recovery after a hack attack? Unsurprisingly, if you are a smaller business, this might land on the President’s desk.
- Who would the President bring into the room to help with any cybersecurity and hacking issue?
- Who would you call from your current supplier base?
Step 2: Get the team together. Right. Now.
Pull all these people into the room, as soon as you can (Why not set that meeting up today?) and let them know you want a customized cybersecurity plan BEFORE you get attacked. You and they can start with HigherGround’s hack attack plan.
The plan should include staff training on cybersecurity and hacks, a review of your physical security, a review of your IT infrastructure and backups, and scheduled recovery “pressure testing”.
Step 3: Make the meetings and tests recurring.
Set schedules for when you will meet to review the plan and test the process. Cybersecurity is a process, not an event.
And keep the document up to date and in a place where all key team members (and no potential hackers) can find it. Tip: Make sure file management is also part of your plan, ensuring only the right people can access your critical data.
Regardless of the size of your business or the size of your IT budget, always plan for someone to concentrate on cybersecurity, and make sure to review the process on a scheduled basis.
This will minimize your security risks and help keep your business focused on other important tasks, like building profits.