Research shows that 62% of small and midsize firms do not have a current strategy in place for managing cybersecurity or safeguarding against cyber attack. Michael Markulec, Vistage Chair and partner & co-founder of Harbor Technology Group shared the following insights on how process is essential to managing network security for your company.
Managing cybersecurity can be like managing accounting, manufacturing, or even sales. Small and midsize businesses (SMBs) have accounting systems in place and follow generally accepted accounting principles (GAAP). They also might follow standard rules for their manufacturing environments with lean manufacturing or ISO in place. Even in sales, processes are in place for sales teams to ensure success.
But as SMBs look at cybersecurity, it’s mistakenly viewed as some kind of black art. The use of proper frameworks and regulatory guidance are important steps for SMBs to be successful in defending their organization, and more importantly, their organization’s data and intellectual property.
Know your frameworks
NIST, the National Institute of Standards and Technology, originally developed a cybersecurity framework for federal agencies. NIST has now come out with version 1.1 of their framework, which focuses on SMBs, giving them authenticator tools and frameworks that they need to be successful. Frameworks are key for managing your plan.
Meer weten over Vistage?
Liever persoonlijk contact?
5 tactics for addressing cybersecurity
- The process starts with identifying your critical assets, understanding where your data is, and understanding who has access to that data. Not all employees need access to all files, and certain measures like acceptable use or confidentiality agreements can protect your data.
- The next step is a protect phase, where organizations put measures in place to protect their data. Consider the defensive controls that are in place as well as the technologies. At times, companies might overspend on the technologies, thinking that is a magic bullet. There are other measures to consider in this phase.
- The third phase is a detect phase. How do you detect when something bad has happened? Most businesses that are hacked typically don’t receive a warning. Ransomware is easy, it comes with a warning. Business email compromised, you know when they transferred funds. Sony only learned of its hack once the information was published on the internet.
- Once a company learns of a compromise, they need the ability to respond, which is the fourth phase. This is one of the areas where most companies fall down. Even if they have robust defenses, they may not have an incident response plan for when bad things happen. A communication plan is essential. What are clients told? How are customer support folks kept abreast of developments during the process of handling a breach? What other partners and vendors need to be notified and when?
- And finally, you need to be able to recover. You need to get your feet back underneath you and drive your business forward. This looks like a disaster recovery plan. Just like a plan that is in place for a fire or natural disaster, consider a plan for your cyber assets as well.
This framework provides CEOs with a set of controls and clearly stated tasks that can be reviewed with their company’s IT professionals, whether they are internal or external, to address cybersecurity concerns and mitigate risk for the organization.
About the author: Anne Petrik
As director of research for Vistage, Anne Petrik leads the design, deployment and analysis of member surveys for Vistage, capturing the sentiment and practices of the Vistage CEO community. This analysis, in collaboration with perspectives from experts and partners, helps create insights for SMB CEOs through the thought leadership published by Vistage.