This abridged information is from my new book, The Ultimate Business Continuity Success Guide: How to Build Real-World Resilience and Unleash Exciting New Value Streams. Happily, it is now Amazon’s #1 searched business continuity book. I hope you enjoy the chapter and the book.
Business Continuity Tips, Techniques and Secrets
Cyber Security Best Practices for Business Survival and Business Continuity
In the ‘Cyber Security Threats and Vulnerabilities 101’ chapter we discussed cyber security risks that can potentially impact your employees and the continuity of your operations. Although your Cyber Security and Information Technology departments must secure mobile and desktop devices and the data on them, the survival of your business can be put at risk if your organization is attacked. Successful cyber breaches and attacks can instantly become business continuity issues.
Unfortunately, I have witnessed organizations tighten up their desktop security but leave mobile and, more recently, IOT device security wide open to the bad guys. People intent on doing harm, even with little or no technical skill, can easily get access to programs that can severely impact your organization.
In addition to desktop and mobile devices (phones, tablets…), the popularity of Internet of Things (IOT) devices takes risk to another level. There will be billions of IOT devices riding the Internet in the next few years. All kinds of sensors, cameras, motors… are being connected to the Internet. These devices can very much help our programs, and I discuss amazing opportunities in the technology section of the book. I have connected sensors and alarms from trusted vendors to the Internet. These devices benefit employees and our ability to understand our environment in real time. Unfortunately, IOT security is not the first concern for some vendors selling IOT devices. The last thing we want is rogue sensors and robots adding risk to our infrastructure. These devices can change the way we do business for the better, but we must implement the proper security controls.
Perhaps your organization already has all of its device security and IOT controls in place. I hope you have robust cyber security policies. If you pick out even one or two tips from this chapter, it will be well worth the short read. Venturing beyond your immediate Business Resilience duties and making helpful security suggestions to IT and management will help you in many ways.
The security controls and practices described below are a starting point, not a comprehensive list. I tried to map them to the threats and vulnerabilities we discussed in the threats and vulnerabilities chapter. They are consistent with studies and guidance from NIST, FTC, FCC and DHS, along with my own experience. Some of the information below originates from, and is used with permission of, the GAO Report to Congressional Committees on Information Security, ‘Better Implementation of Controls for Mobile Devices Should Be Encouraged’.
General Security Best Practices – Mobile Phones, Laptops, Tablets and Desktops:
(This is not a comprehensive list. You should partner with your Cyber Security and Information Technology experts to implement a holistic information security program.)
Tip – Partner with your IT and Cyber Security experts and analyze the vulnerabilities that can compromise your organization.
Tip – Advise employees of mobile and desktop best practices. You can use information in this chapter and the preceding ‘Cyber Threats and Vulnerabilities’ chapter in your in-house newsletter or in-house blog if you wish.
Tip – Your Cyber Security and/or Information Technology experts must implement the latest security safeguards, anti-virus software, patches and timeouts, and they must do it in a timely manner. No excuse for delaying this is acceptable!
Tip – A corporate policy, with teeth, must be in place making it a violation to save critical, sensitive or unencrypted data on laptop local drives or mobile devices.
Tip – As we discussed in the previous chapter on cyber vulnerabilities, phishing is a rapidly growing problem. Create awareness among all employees that they should never click on links unless they know the source of the message.
Discuss doing a series of ethical phishing tests with your IT and cyber security experts. Most likely, a large percentage of employees will click on an unknown link.
You can then follow up with them and explain that clicking on such a link can enable a virus, worm or ransomware attack. It can also lead to criminals stealing the employee’s personal information. I believe that as your series of ethical phishing tests takes place, the number of employees who click on links from an unknown source will significantly decrease.
Tip – USB thumb drives must be encrypted! They are able to store gigabytes of data and are too easy to lose. We have all read horror stories of sensitive data being stolen or lost and seriously impacting the survival of an organization. Do not let this happen to you.
Tip – Data must be encrypted at rest AND in flight. Even with a policy in place, people will still copy data to their local drive if it is available. Laptops have a way of getting stolen or lost (read the chapter ‘Your Laptop Has Legs…’). The loss of sensitive data is a bigger risk than the loss of the hardware. Laptop hardware is relatively cheap and can easily be replaced. Losing sensitive data can cost your company many millions of dollars and cost executive jobs at the highest level of the organization.
Tip – Make sure any vendors that have access to your data are encrypting it both at rest AND in flight.
The remainder of this chapter and an additional 1,000 Business Continuity Tips and Techniques in 112 chapters are available in the eBook and print book. I hope you enjoy! Marty