Most CEOs and CFOs are not cyber security experts, but they are entrusted with ensuring the company runs efficiently and profitably. In today's connected, IoT-driven business world, a safe and secure network is a large part of keeping the business operational. This includes ensuring that all cyber-related risks are reduced as far as the budget will allow. Cyber-related issues that threaten the company's income are certainly worrying, but perhaps the most frightening aspect of keeping your network and data secure is the "unknowns" of IT: the risks nobody has yet identified or measured.
With simple risk management strategies, thoughtful planning, and attention to trends in cyber security, a company that relies heavily on technology will have more control over the problems that arise. To help with this, we have compiled a list of the questions that keep us up at night. It may be worth having a conversation with your CISO and independent risk managers about them.
Backups are essential to any company that stores files on its network. Losing information can be devastating, and sooner or later systems will fail. Most likely your company already backs up its servers daily, but how quickly could the entire environment be restored from backup if ransomware locked you out of it? Are copies kept offsite in case your main location is lost to fire or flood, and are they offline or otherwise immutable, so that the same ransomware cannot encrypt the backups along with the production data? When was the last time a real restoration test was performed, and did it measure how long a full restore actually takes? Is the data on staff PCs, laptops, and mobile devices backed up as well? Start with contingency plans for your most critical applications and business platforms and work down from there.
Cyber security nowadays extends well beyond virus protection. When was the last time a third party performed a penetration test to gauge the vulnerabilities of your systems? Does the company provide awareness training that teaches employees how to identify and report threats or suspicious activity? Has your IT staff performed an access review to confirm that staff have only the access to files, databases, and systems that their role requires, and that access for departed employees has been removed? Is the company encrypting data at rest and email in transit? Are the systems and computers used by remote and tele-commuting employees secured to the same standard as those in the office?
Disaster Recovery Plan/Business Continuity Plan
Unfortunately, Murphy's Law is a reality when it comes to IT systems. If your company already has a Disaster Recovery Plan, now may be a good time to revise it. When was the last time the plan was updated? Has your company workshopped or tested the plan to ensure it actually works? Having a written plan is a great first step, but exercising that plan, whether as a tabletop walkthrough or a live failover, to make sure your company can remain operational during an emergency is critical.
Automated IT Processes
You may have spent a lot of time and money ensuring that certain IT processes, such as backups and scans, are automated in order to streamline production as much as possible. Keep in mind, however, that these "set it and forget it" processes also pose a risk if they aren't periodically checked and tested: a backup job that has been silently failing for months is only discovered on the day you need it. How often are these processes and programs verified and updated, and who is alerted when one of them fails?
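To make the questions in the Backups and Automated IT Processes sections concrete, here is an added example, not from the original article, of what an automated restore test can look like. It assumes a backup is a gzipped tar archive carrying a manifest.json that lists each file's SHA-256 and the time the backup was taken; the sample files, the 24-hour recovery point objective, and the deliberately tampered archives are constructed for the demonstration. The check restores the archive into a scratch directory, compares every file's hash against the manifest, flags files that are missing or corrupt, reports a backup older than the RPO as stale, and times the restore.

```python
"""Added example: an automated restore-and-verify test for backups.

Assumes (not from the article) that a backup is a tar.gz carrying a
manifest.json with a SHA-256 per file and the time the backup was taken.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time

RPO_SECONDS = 24 * 3600  # assumed recovery point objective; older backups are "stale"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, taken_at: float, tamper: dict = None) -> bytes:
    """Build a tar.gz of `files` plus a manifest.json listing each file's SHA-256.

    `tamper` (constructed for the demo) maps a name to the bytes actually stored
    (silent corruption) or to None (a file the backup job quietly skipped).
    The manifest always records the intended contents.
    """
    manifest = {"taken_at": taken_at, "files": {n: sha256_hex(d) for n, d in files.items()}}
    entries = dict(files)
    entries.update(tamper or {})
    entries["manifest.json"] = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            if data is None:
                continue  # simulate a file missing from the archive
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(taken_at)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_name(name: str) -> bool:
    """Reject absolute paths and '..' so a crafted archive cannot escape the scratch dir."""
    parts = name.replace("\\", "/").split("/")
    return bool(name) and not name.startswith("/") and ".." not in parts


def verify_restore(archive: bytes, now: float, rpo_seconds: int = RPO_SECONDS) -> dict:
    """Restore `archive` into a scratch directory and check it against its manifest."""
    start = time.monotonic()
    report = {"ok": False, "stale": False, "missing": [], "corrupt": [], "restored": 0, "seconds": 0.0}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile() or not _safe_name(member.name):
                    continue  # skip links, devices and unsafe paths
                dest = os.path.join(scratch, member.name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
        manifest_path = os.path.join(scratch, "manifest.json")
        if not os.path.exists(manifest_path):
            report["missing"].append("manifest.json")  # nothing to verify against
            report["seconds"] = time.monotonic() - start
            return report
        with open(manifest_path) as f:
            manifest = json.load(f)
        report["stale"] = (now - manifest["taken_at"]) > rpo_seconds
        for name, expected in manifest["files"].items():
            path = os.path.join(scratch, name)
            if not os.path.exists(path):
                report["missing"].append(name)
                continue
            with open(path, "rb") as f:
                actual = sha256_hex(f.read())
            if actual != expected:
                report["corrupt"].append(name)
            else:
                report["restored"] += 1
    report["seconds"] = time.monotonic() - start
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


# Constructed sample data for the demo.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.ini": b"[app]\nmode=production\n",
}
BACKUP_TIME = 1_700_000_000.0  # arbitrary epoch timestamp


def demo() -> dict:
    """Run the check against a healthy, a corrupted, a partial and a stale backup."""
    good = make_backup(SAMPLE_FILES, BACKUP_TIME)
    corrupted = make_backup(SAMPLE_FILES, BACKUP_TIME, tamper={"db/orders.sql": b"garbage"})
    partial = make_backup(SAMPLE_FILES, BACKUP_TIME, tamper={"config/app.ini": None})
    fresh = BACKUP_TIME + 3600
    return {
        "healthy": verify_restore(good, now=fresh),
        "corrupted": verify_restore(corrupted, now=fresh),
        "partial": verify_restore(partial, now=fresh),
        "stale": verify_restore(good, now=BACKUP_TIME + 3 * 24 * 3600),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:>9}: ok={r['ok']} stale={r['stale']} missing={r['missing']} "
              f"corrupt={r['corrupt']} restored={r['restored']} in {r['seconds']:.3f}s")
```

Wiring a check like this into the backup schedule, with an alert on any report where `ok` is false, turns a "set it and forget it" job into one that is proven restorable every day; the elapsed time it records is the figure the recovery plan should quote, not an estimate.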
The fast-changing tech world can be daunting. With a dizzying array of new devices, new programs, and new security methods coming out every year, it can be very difficult to determine which are best for your company. What new technologies are available that would benefit the company? Is the cost of upgrading worth it?
"If it ain't broke, don't fix it" is not a motto to live by in IT. Older applications and devices often no longer receive patches, which leaves known vulnerabilities wide open (for example, Windows 7, which reached end of support in January 2020 and stopped receiving regular security updates).
C-suite executives should devote time to regular (monthly or quarterly) meetings with their CIO, CISO, or cyber risk advisor about the questions that keep them up at night. IT staff can become bogged down in the details and have difficulty seeing the bigger picture, and these meetings are where that picture gets set.