As a non-IT executive that has responsibility for IT, I often feel "outgunned," especially in the area of security. Like everything else technical, I'm sometimes unsure if the direction we've taken is the right one. I'm responsible, but I'm usually led by employees and vendors, not my own knowledge.
The following questions are designed to empower you to have a meaningful discussion with your IT team and protect the assets and reputation of your firm.
1. Do we have a documented security plan?
Our previous blogs have alluded to the necessity of creating a thorough security plan which includes a communication plan. Our approach is simple: pretend you've already been breached, and work through what you need to recover.
No one likes being caught unaware, and a plan that outlines who does what and when allows your organization to react efficiently, mitigate any lost revenue, and minimize the possibility of lost customers.
And you don't have to hire someone to create a plan for you. Create a plan with your team; pay an outside party to review it.
2. When did we last do a risk assessment? Can I get a copy of the risk assessment matrix?
Make sure your IT team is periodically assessing the risks to your business. There are many kinds of risk assessment, but the document you need to look at is called a Risk Assessment Matrix. It identifies all known threats, quantifies the risk and priority, and should even record the mitigation tool and/or process.
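The matrix described above, expressed as a small program so you can see what "quantifies the risk and priority" looks like in practice. This is an added illustration written for this post, not a tool from the author or any vendor: the threat names, ratings, owners and mitigations are constructed sample values, the 1-to-5 scales and the Likelihood x Impact scoring are assumptions (one common convention), and the priority bands are likewise an assumed cut.

```python
"""Added example: a minimal risk assessment matrix as code (illustrative, not a vendor tool)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: likelihood and impact are each rated 1 (low) to 5 (high)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1-5: how likely this is to happen in the next year
    impact: int       # 1-5: damage to revenue, reputation or compliance if it does
    mitigation: str   # the tool and/or process that reduces the risk
    owner: str        # who on the team is accountable for that mitigation


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact (1-25); rejects ratings that fall outside the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact


def priority(score: int) -> str:
    """Bucket a 1-25 score into the bands usually colour-coded on the matrix (assumed cut-offs)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_matrix(threats):
    """Return one row per threat, sorted highest risk first, so the executive sees what matters."""
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        rows.append({
            "threat": t.name,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "score": score,
            "priority": priority(score),
            "mitigation": t.mitigation,
            "owner": t.owner,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register; a real one comes from your own team's assessment.
SAMPLE_THREATS = [
    Threat("Ransomware via phishing email", 4, 5,
           "Mail filtering, user training, tested offline backups", "IT manager"),
    Threat("Lost or stolen laptop with customer data", 3, 4,
           "Full-disk encryption, remote wipe", "IT manager"),
    Threat("Departing employee retains access", 3, 3,
           "Offboarding checklist, quarterly access review", "HR + IT"),
    Threat("Website DDoS", 2, 3,
           "DDoS protection from hosting provider", "Web vendor"),
    Threat("Office printer firmware out of date", 2, 1,
           "Include in monthly patch cycle", "IT technician"),
]


def print_matrix(rows):
    """Plain-text rendering of the matrix, one line per threat."""
    for r in rows:
        print(f"{r['priority']:<8} {r['score']:>2}  {r['threat']:<42} -> {r['mitigation']} ({r['owner']})")


if __name__ == "__main__":
    print_matrix(build_matrix(SAMPLE_THREATS))
```

When you ask for "a copy of the matrix", the columns above are what you should expect to see: every known threat, a score you can compare across threats, a priority, and a named mitigation with an owner. A row with no mitigation or no owner is the finding.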
3. Who does Penetration Testing (Pentest) for us?
Pentests, often confused with "vulnerability scans", "compliance audits" or "security assessments", stand apart from these efforts in a few critical ways. This article from Forbes provides a pretty good overview.
They are typically not expensive and will certainly either boost your confidence or light a fire under your team.
4. Which data is protected by encryption policies?
Using encryption to protect sensitive data is recommended in many situations and, depending on your industry, may actually be required. Sensitive data is any information that, if stolen, could damage you, someone else, or your company. Examples include social security numbers, credit card numbers, health records (worth $60 each on the black market!), and financial aid data. Social Security Numbers, student transcripts, financial aid information, and health records are federally protected under laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
And don't forget, with the explosion of mobile devices, data may need to be secured there too!
5. What are our sign-on, access, and authentication policies? Do we have policies to thwart insider breaches? How do we handle anti-spam, anti-malware, and anti-virus? What do we have to protect our mobile devices?
The average employee has 3.2 devices, and all of these can fall out of sync with patches and security updates every time they exit your network. Even devices that are not connected to the internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims. If your team plans to access your cloud from their mobile devices, be sure to ask your cloud provider if they are capable of remediating these risks by offering antivirus, anti-spam and anti-malware to protect hosted systems from external threats.
Policies and processes can be very powerful when used appropriately. Use of VPN, sign-on policies, and group policy definitions are among a long list of things that seem too obvious to mention. However, many small to medium businesses have policies that haven't been reviewed in 10 or more years.
6. Do we have a documented (and tested) backup and recovery plan?
This one shouldn't need much explanation… and we're not talking about file recovery.
Most companies, when asked, will say they have a backup plan. But if you haven't tested a recovery from your backup, you don't have anything. And if you haven't heard RTO, RPO, and MTTR in a while, it's time to revisit the plan. If you've never heard of these acronyms, you have your work cut out for you.
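What "tested a recovery" means in concrete terms, as an added illustration written for this post (not a script from the author or any backup vendor): back up a set of files, lose the originals, restore to a separate location, check every restored file against a hash recorded at backup time, and compare the restore time to your Recovery Time Objective. The data set, the 60-second RTO and the file contents are constructed assumptions; a real drill runs against your real backup product and your real data, on a schedule.

```python
"""Added example: a scripted restore drill for a file backup (illustrative, not a vendor tool)."""
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root; recorded at backup time."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def take_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and return the manifest the restore will be checked against."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def restore(archive: Path, dest: Path) -> float:
    """Extract the archive into dest and return the elapsed seconds (the measured recovery time)."""
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):          # newer Pythons: refuse unsafe paths in the archive
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return time.perf_counter() - start


def verify(expected: dict, restored: Path) -> list:
    """List the files that are missing, changed, or unexpected compared with the backup manifest."""
    actual = manifest(restored)
    problems = [name for name, digest in expected.items() if actual.get(name) != digest]
    problems += [name for name in actual if name not in expected]
    return sorted(problems)


def recovery_drill(rto_seconds: float) -> dict:
    """End-to-end drill: back up constructed data, lose it, restore elsewhere, verify, time it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backup, recovered = tmp / "live", tmp / "backup.tar.gz", tmp / "recovered"
        # Constructed sample data standing in for a small file server.
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "hr").mkdir()
        (live / "hr" / "roster.txt").write_text("alice\nbob\n")
        expected = take_backup(live, backup)
        shutil.rmtree(live)                  # simulate the incident: the live copy is gone
        recovered.mkdir()
        elapsed = restore(backup, recovered)
        problems = verify(expected, recovered)
        return {
            "files_backed_up": len(expected),
            "files_with_problems": problems,
            "restore_seconds": elapsed,
            "rto_met": elapsed <= rto_seconds,
            "drill_passed": not problems and elapsed <= rto_seconds,
        }


def corrupted_restore_demo() -> list:
    """Show that verify() flags a restored file whose contents no longer match (constructed case)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "a.txt").write_text("original")
        (src / "b.txt").write_text("untouched")
        expected = manifest(src)
        (src / "a.txt").write_text("partial or corrupted restore")
        return verify(expected, src)


if __name__ == "__main__":
    result = recovery_drill(rto_seconds=60)   # assumption: a 60-second RTO for this toy data set
    print("Drill passed:", result["drill_passed"], "| restore took %.3fs" % result["restore_seconds"])
    print("Files flagged in corrupted-restore demo:", corrupted_restore_demo())
```

The point to take to your team: the drill either passes or it does not, and it produces a number (restore time) you can hold against the RTO in the plan. A backup that has never produced that number is the "you don't have anything" case above.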
7. (For Cloud/Managed Services) How well do the provider's security policies match our own?
Most Cloud providers should have a more robust security program in place than small and medium sized businesses can afford to build and maintain themselves, so if you haven't factored that into the cost, those Cloud offerings from your vendor should look even more attractive.
Whoever is hosting your applications and data IS an extension of your IT staff, and that means they handle security too. Ask what skills your cloud provider's team has, and if you see gaps, work with your provider to adjust their service-level agreement. Don't be afraid to ask them to take trainings where necessary.
Be sure to ask what will happen if your cloud provider's data center is the one breached. NO ONE is impervious to attack. Whitehouse.gov is the most breached site in the world. Always consider Plan B.
8. How will my business be protected from cyber-attacks? And what's Ransomware? Or Botnets?
Distributed Denial of Service attacks, or DDoS attacks, are show stoppers for businesses that rely on the internet for day-to-day operations (yes, even your website and email), and these attacks target small and midsized businesses more than the media will tell you.
Ransomware is the Hack-du-Jour. It involves hackers who infiltrate and lock up a computer, and require payment to unlock it. As of today, 4.1% of the US population has been hit with Ransomware and 50% of those hit paid the ransom.
Google "Botnet." There's too much to cover here. Suffice it to say the best any of us can do is build a system that notifies us as soon as possible so we can react.
In closing, the best any of us can do is build a system that notifies us as soon as possible so that we can react. Don't lose heart; your "industrial strength" products and services will prevent most threats. Our job is to reduce the impact of security threats to your business, not to prevent all threats.
Focus on #1 through #7; #8 will still happen, but you will be prepared enough to handle it.