At its most basic level, a company is only as strong as its weakest password. But a company is also only as strong as its weakest partner or third party that has access to its data or systems. Therefore, IT departments and C-level management teams need to prioritize cybersecurity both for their own sake as well as that of the valued partners they conduct business with each day.
One of the biggest mistakes a well-intentioned IT or cybersecurity manager can make is failing to adequately test the cybersecurity procedures already in place. “Fire drills” are an absolute must in cybersecurity. A company can purchase the best possible tools and technology, seek out needed expertise from consultants, and even create detailed documents outlining procedures for cyberattacks, but if it never practices, it almost certainly has gaps or blind spots. Powerful protections and efficient, effective response plans require that management, IT and all employees are continually involved in maintaining the best possible cybersecurity.
One of the most common issues plaguing companies is that incident response plans are treated as a “check the box” item that’s never actually put to the test. Instead, these vital plans must be treated with vigilance and ongoing review and practice. Here are some of the most basic questions that need to be asked:
- C-Level Management Team – Who works directly with your internal and external legal teams when a security incident is discovered or a ransomware attack is underway? What regulations are in play and who on the management team is ultimately responsible for addressing them in the midst of a suspected attack?
- IT – First, do the tools and services you currently rely upon have a regular cadence of updates? If so, are those updates verified, and by whom? Second, when was the last time the organization’s backups were tested for usefulness? Backups are only helpful if they can actually be restored when needed. And third, does the organization have a designated manager who is responsible for regularly scheduled, simulated attacks/breaches and for conducting true practice runs of the response plans?
- Employees – How much emphasis does the company place on cybersecurity training for all employees (and especially those who are high-value targets for cybercriminals)? Are employees aware of the social engineering techniques cybercriminals use? Are there simple steps that can be instituted to prevent specific financial or information losses? And though it may seem too obvious to mention, a required password-changing schedule is a must. Do these regular password changes happen at every level of the organization?
Through stricter cybersecurity insurance requirements that mandate certain steps and tools, companies often procure and own powerful protections they otherwise may not have deployed. But these requirements to obtain insurance need to be accompanied by internal processes that ensure organizations are truly prepared and ready for cyber incidents. Having the proper policies and documenting the frequency of their tests and/or deployments goes a long way toward inspiring confidence that the organization is diligently prepared.
Violet Sullivan, Esq. CIPP/US currently serves as vice president of client engagement at New York-based Redpoint Cybersecurity (www.redpointcyber.com).