Low Risk, High Reward
You Can’t Risk It If You Want The Biscuit
Happy National Cyber Security Awareness Month! Wait…happy? We know, it sounds strange. We are happy because it is the one month out of the year that the whole country cares as much about cyber security as we do all year long. Since its inception in 2003, #NCSAM has fallen in October each year. At UberOps, we like to think that the U.S. Department of Homeland Security and the National Cyber Security Alliance chose October because there is nothing spookier than having your personally identifiable information (PII) compromised by malicious parties.
Are You Cyber Aware?
If you think you don’t have to worry about intrusion or breach because you consider yourself off the grid or your business isn’t in the technology industry, we hate to be the bearer of bad news, but the attackers who want your data don’t discriminate. If you have ever had an email address (yes, even your first ever, firstname.lastname@example.org), you are a target. If you have ever used a debit card to buy your morning pumpkin spice latte, you are a target. If your business sells things and accepts any form of payment other than cash, you and your trusting customers are all targets.
So what does it mean to be aware of cyber security? One can be aware of the idea of frequent oil changes and tire rotations, but will that awareness alone prolong the life of your Subaru Baja? Survey says no. What matters is using that awareness to chart a path, set realistic goals, and meet them.
Since cyber security can be overwhelming to get into, take comfort in the fact that no matter what phase your business is in, there is something you can do to improve your business’s cyber security plan, starting now.
Answer a few questions about your organization to see where you should start.
- Does your organization have an online e-commerce presence (as opposed to solely brick & mortar)?
- Do you run any servers, physical or virtual, including servers hosted in the cloud?
- Do your customers have the option to set up any kind of account (e.g. a rewards, loyalty, or points program; saved shipping information; or anything else that needs a username or password)?
- Do any of your customers’ rewards or account profiles (if applicable) link in any way to PII (financial or billing information, personal account recovery questions, phone number)?
If you answered “no” to all of these questions, then the nature of your business puts you at comparatively low risk of intrusion. If you answered “yes” to #1, #2, or #3, consider yourself at medium risk. Finally, if you answered “yes” to #4, consider yourself at high risk: accounts that link to PII are exactly the data attackers are after, and they are what a breach will cost you the most to clean up.
Being low-risk for a cyber intrusion does not exempt you from taking preventative measures against threats. Low-risk organizations can start with a few small, inexpensive steps that increase your team’s alertness to threats without inconveniencing them; semi-annual security training is one example. One of the easiest and most common ways attackers get into your systems is social engineering, which means manipulating your staff rather than your technology. Training your team not to plug unknown USB drives into their computers, and not to let unescorted strangers into secure areas of your store just because they say they know the owner, removes a large portion of your exposure without costing much money or productivity time. Here are some good (free) webinars to get you started.
Medium-risk businesses should put certain measures in place in addition to those that low-risk companies employ. A measure that should be taken by companies who are fairly serious about stepping up their cyber security game is conducting a cyber security assessment. This self-examination, guided by one of several agency standards, will give you a good picture of your cyber security health as well as what you can do to improve in weak areas such as network configuration. The FFIEC (its Cybersecurity Assessment Tool), ICS-CERT (its Cyber Security Evaluation Tool, CSET), and NIST (its Cybersecurity Framework) all publish very comprehensive, freely available programs.
Finally, high-risk businesses, which have likely already performed the tasks mentioned above, should consider hiring an external organization to perform a full-blown cyber security audit. These certified third-party examiners will dig for holes in your practices and tell you exactly where you fell short. Though excessive for some, this is something UberOps undergoes on a schedule. The best-known framework in this arena is FISMA, the federal law that sets the security requirements federal agencies and their contractors are audited against.
What Can You Do?
When it comes to your organization’s cyber security protection, the scariest thing you can do this Friday the 13th is nothing. Sign up to be a Cyber Security Champion through the National Cyber Security Alliance and see yourself on the list of this year’s champions. We hope to see your business on that list — share that and your other cyber security achievements with us on Twitter or in the comments below!