Having a good cybersecurity strategy for your business is more than just installing some anti-virus software on all devices. Even as a small business, you need to be aware of the threats that can endanger your trade secrets, reputation, and finally, your bottom line.
All businesses, big or small, need to know about these 4 main threats:
- Customer support exploits
- Remote worker hacking
- Website application exploits
- Ransomware
The first threat doesn’t focus on the tech. Instead, it targets the people working. Without enough foresight, it’s simple to deceive the person answering emails with phishing scams and lies.
Further down the line, technical hacks become more frequent. That is, if the malicious entity knows where to look. Usually, your CRM or server services provider can also resolve these issues.
Finally, you need to look after your trade secrets, which can be a huge issue in a company that doesn’t manage critical data with care.
Here, I’ll try to explain the different aspects of a good cybersecurity strategy. Then, you can see if you’re implementing all these options or if you’re missing some.
What Is a Cybersecurity Strategy for Your Business?
The issue with cybersecurity leaks has been happening for more than a decade. Yet, businesses have just recently realized that being indifferent about their protection can become a huge issue. A cybersecurity strategy isn’t just about piling up security software everywhere.
The biggest change is from within. You’ll need to understand your company and the data you have. You also want to identify why and how someone would take that info from you.
A good cybersecurity strategy will always be tailor-made for your company. If it isn’t, it probably won’t include the crucial elements.. Because of the diversity in the industry, no strategy will be one size fits all.
It also needs to cover the basics, like data management challenges and employee policies, and the more complex aspects of cybersecurity when it comes to devices and networks.
In the end, your strategy will show what you want to do with the data you have and what contingencies you have in case you become a target.
Now, onto the meat of the issue. How to make a good cybersecurity strategy? I’ll go through the main issue and you’ll need to figure out how this applies to your business in particular.
How to Make a Cybersecurity Strategy for Your Business
The best way to approach building your cybersecurity strategy is to divide the issues into smaller parts. You can separate the strategy into 6 categories, so you can manage each effectively:
- Data Management
- Information Restrictions
- Downtime Management
- Privacy Policy
- Security Software
- Employee Training
If you try to approach the whole strategy without filling the outline first, you’ll tend to become overwhelmed. Then, you’ll focus on one of the issues, usually the one most familiar. Then, you’ll also neglect others.
Putting them in bite-size chunks makes the whole process faster and more effective, leaving fewer aspects to chance.
These steps depend on your company’s size and how much data you collect. Some businesses that work with a lot of data will need to focus on data management the most, while companies with a lot of employees will need to focus on training.
You can achieve each step internally or with outside consulting help. That said, note that outside experts won’t be as knowledgeable about the intricacies of your company. That’s why you should always make the first draft of what you want to happen internally.
We can make some cybersecurity predictions for 2022, but only you’ll know what can work with your company and your clients.
First, let’s start with the biggest part; data management. I’ll presume that you have a lot of data and the worst-case scenario. You can adapt it to your own needs after that.
1. Data Management, Dividing the Mundane from the Special
A good cybersecurity strategy needs you to recognize which information you need to give away and which you need to hide. That’s also the largest issue with good data management.
This is why we can divide the problem into 4 stages, with each needing increasing security and training.
Ideally, you want to give people all the resources they need to work, but you should protect special, proprietary info behind a few more walls.
Level 1: Public Data
Even when it comes to very public data, like addresses and contact information of other companies, you need to withhold that info. That is, unless you have express permission from that company. You don’t want a random lawsuit on your hands.
Because such information needs to be readily available to people working with such clients, you can’t protect it through passwords and tokens. Still, you can also place a policy that you can only disclose information about these clients through the email they’ve provided.
Make sure your clients know about this policy. Refer them to it every time they demand to break it. Trust me, you’ll encounter demands to go against the policy sooner or later.
Level 2: Operative Information
These are your product lines, distributor information, internal contacts, and customer emails. All the information you might find in a regular CRM is operative. You also need to have these on hand.
That said, you shouldn’t make these available online. You also need to store it in a secure server, including a cloud server. Lastly, reduce the number of people who can access customer information: only those who need to work with these customers will need the info.
You can also train your employees to never disclose information to third parties. These steps will generally remove 90% of the problems you can find here.
Level 3: Proprietary Information
How and where you make your product and your unique techniques and practices all fall into this sector. This is the type of information you need to hide and restrict.
If you need frequent access to this info for audits and testing, it’s best to implement good password management. You may also use third-party apps if necessary, but it’s even better to develop your password nomenclature and renewing process.
This way, only the data manager will know the passwords in advance, and they’ll provide new passwords to appropriate personnel when needed.
Level 4: Company Secrets
Last but not least, we mention the company secrets. They may be expansion plans, acquisition plans, angel investments, or merger plans. Mergers and acquisition plans are especially critical. You never want this info to leak, ever. Governments also consider that misuse is inside trading.
You can never be paranoid enough about such data. It should be hard to access even for the top brass of the company. The only way to go is through dedicated secure servers. You should also encrypt this info on them and make it accessible only through personalized USB sticks.
That way, even if a hack occurs, you’ll know where it came from. You’ll also remove the responsible parts from the company.
Cruel, but it is what it is. This is the most important data, and it should be available only to the most responsible people in the company.
Pro Tip
Keep the really important stuff out of reach, ideally offline. The most accessible data to you is also most accessible to hackers.
Next, let me show you the basics of implementing hierarchy in your cybersecurity strategy.
2. Information Restrictions, Ensuring a Good Hierarchy
This should sound like common sense, but it’s easy to get lost in large companies. That’s also the case when a turnaround of people are working. This is why information restriction is key. You should also do it under a policy, not ad hoc.
Additionally, the information hierarchy should match the company hierarchy exactly. For example, the CEO may not need some information, just like the customer support staff doesn’t require certain data.
You may also give the dedicated cybersecurity manager access to all the information. Still, they won’t have external access. They also can’t be contacted from outside of the company while they’re working. The same would be the case if you decide to hire external cybersecurity experts.
When you divide information correctly, you’ll also reduce the amount of training necessary. It’ll also be easier for the people sharing the information to know with whom they can disclose somewhere and where to escalate.
Need-to-Know Basis
Ideally, you only want to give people the info necessary to do their job correctly. When it comes to data, it’s also a fact that the small details and the big picture are different sets altogether.
Thankfully, some software can now produce reports from individual data points without disclosing the data points. That way, financial officers, legal teams, and similar divisions can work without needing customer information saved on their devices. In turn, that reduces liabilities.
Pro Tip
Ensure everyone only has the information they need to work. The newbie doesn’t need to have access to most of the information, but neither does the CEO. Make sure everyone knows why that’s important.
Next, let’s talk about what happens when the servers aren’t online. I can tell you how it should look, but you’ll have to figure out how your strategy will fit in.
3. Downtime Management, Getting Things Running Again
All companies have 2 types of downtime when it comes to data: planned and unplanned. In the best-case scenario, you need to be ready for both.
According to Statista, the average downtime after a ransomware cyberattack in the US has risen to 22 days. For a startup, this will be enough to put the lock on the door. If you have a good cybersecurity strategy, you would have a plan for this, so you can be back in business in less than 6 hours.
You can’t plan perfectly for attacks. That said, you can make a system for planned downtime that’ll make it look like nothing was offline ever at all.
Planned Downtime
Separate the website from the back end. Even if some apps need back-end information, keep them in different places, such as Google Cloud and AWS. That way, you can keep a front and collect information on the website side, even if the servers are down.
Because websites are light, they can also be copied and mirrored in multiple locations, just in case.
For the server, you’ll need to have two. One will be the main device, with the other serving as a backup and testing area. If the two use different connections and have separate master passwords, you can also just exchange them. That’ll remove visible downtime for the end-user.
Unplanned Downtime
This is harder to encompass, but a few scenarios make the vast majority of unplanned server downtime:
- Power issues
- Security issues
- Rollbacks
The keyword in the solutions for all three is redundancy. For redundancy in power issues, use a dedicated UPS or generator. This power supply will be able to jump in when the power grid fails.
For security issues and rollbacks, the second server you have for planned downtime is your best friend. You can even have a kill-switch on your server that will disable all external access when an attack happens, turning on the backup.
When you make a mistake in the update, you should have the former stable version on the backup. If you need to revert and fix some bugs, you just activate the backup and work until everything is fixed.
You may also get multiple issues at once, and nothing is unbreakable. For those, ensure that everyone knows their battlestation. That way, you can also be sure you’ll act quickly. Hopefully, the customer will never even know.
Pro Tip
The same server doesn’t need to be online all the time. The customers simply need to think that it is.
You may even use your Privacy Policy to state that your servers may be down for security reasons. Here, I can explain the technical and strategic side, but always make sure a legal expert has a final say on legal matters.
4. Privacy Policy, Clarifying the Roles
The problem with the Privacy Policy is that not everyone always reads it and understands it. Keep in mind that it’s a legal document currently necessary for all companies operating in most countries worldwide!
Necessary and beneficial as they might be, they’re also long and boring. You should also have a small preamble in a non-legal language in the beginning. That way, you can note the most important points.
To create a privacy policy, you’ll need to understand which data you have. You also need to know your customers’ privacy demands. Then, you can see where you can fulfill their wishes and where you’ll need to state that you aren’t liable.
Next, you need to explain that, in detail, to the people responsible under the policy. Everyone should know when they can help the user or customer, even when they have forgotten their password. You should also explain when they’ll need to file a ticket without disclosing anything.
In most cases, managers intimidate people so much about not doing their job. In turn, employees are willing to break the policy rather than have the customer escalate the issue. You also need to prevent that with good intra-company communication and written assurances.
Pro Tip
Make a non-legal bullet point list that cites in all caps what you will and what you won’t do with the data you collect. That way, most people will at least find it easily.
You can also hire people from the outside. You’ll certainly need legal counsel, but a few privacy experts with experience from companies similar to yours should help. This is similar to the software issue, which is the next important point.
5. Security Software, Recruiting Third Parties
These are all of your anti-virus, anti-spyware, TOR, and VPN programs that you might use to secure your devices. People are now working remotely, so you need this software to be widespread and available.
Here, you should divide all devices into 3 sectors:
- Main company devices
- Personal working computers for remote workers
- IoT devices
Because all of these have both different capabilities and different uses, you can’t protect them identically. Let’s tackle each separately:
1. Main Devices and Office Computers
Main devices are the easiest. You can reduce the amount of access they have to the internet and other parts of the system. For some devices, you can only allow the main app to be available.
Here, you can install software directly because you have direct access to each device, including computers, laptops, printers, etc. You can make them connect only through a VPN. Lastly, you can also have anti-virus and anti-spyware software that can’t be turned off.
2. Personal Devices and Remote Computers
On personal computers, the issue is different. Unless you’re willing to provide dedicated devices, you’ll need to provide cybersecurity sets. These will include anti-virus software and VPN credentials, and password tokens for the main server.
You should also have trackers that work while the person is clocking in. This makes billing easier, and it can even check if the apps you want are online and updated. It’s a bit of an intrusion, but a necessary step for cybersecurity.
Time trackers are far from perfect, and time-tracking in general has its flaws. Still, they’re a useful tool and will bring more good than harm.
3. Internet of Things and Smart Devices
Finally, reducing the number of IoT devices in a company is the best way to go. Yet, if that’s impossible, weave cybersecurity into the systems. You should also have them connected to an encrypted router or with their own cybersecurity.
Additionally, you should ensure that your remote workers aren’t using unsecured IoT devices when working. You need the VPN tunnel to cut out everything except the device needed.
Pro Tip
Use good, premium software. The price for this is less than what you might lose in the future.
Once you do all that, you still need to consider the human factor. I’m not sure anyone will ever have a foolproof plan on dealing with people, at least not in the tech industry, but we have to try at least.
6. Employee Training, Implementing Regular Awareness Drills
Last but not least, training people will be the key to your cybersecurity strategy. Software and devices come and go, and different types of working will be developed and popularized in the future. Yet, without competent employees, any business is just an idea.
Train for different scenarios. It’s best to make everyone aware of the risks and how anyone can be a victim.
Make regular awareness drills when it comes to cybersecurity and data management. Make sure that everyone is aware of what they should do, and then test if they’ll do that under pressure.
This approach may be stressful, but it’s much better to induce a bit of stress early on when the stakes are low than to have your people crack under pressure when it’s time to shine.
Pro Tip
Communicate. Good communication inside the company will go further than any new software.
Final Words
Creating a cybersecurity strategy isn’t simple, but it isn’t hard either. Break down what you need to protect and identify the dangers you might be facing. Then, also break away from some of the frequent ‘’smart talk’’ in the cybersecurity consulting industry. That way, you may be able to make your cybersecurity strategy in-house.
Be aware of the data you collect and break it down into non-critical and critical. Be aware of hackers and scammers that might use the data you collect. Plan for those attacks in particular.
Finally, bring in procedures and make sure everyone has the tools and knowledge on how to follow them. Internal procedures shouldn’t be obscure or particularly technical, as they’re a guideline of what someone should do in a particular situation.
Have more questions about cybersecurity strategy? Check out the FAQ and Resources below!
FAQ
Do you need a cybersecurity strategy?
Yes, always. Even in small companies, it’s best to plan what everyone will do if something goes wrong. As the company grows, one person can’t be aware of all the issues and devices, especially if they also need to run the company. To remove liabilities and ensure everyone knows how to act when an issue arises, you need to have a cybersecurity strategy in place.
What is a cybersecurity strategy?
A cybersecurity strategy is a set of procedures explaining how you’ll protect your company and client data from cyber-attacks, foreign and domestic. It isn’t exceptionally complex, but it includes the current situation, risks, requirements, and plans on how to deal with them in the future.
What are the parts of a good cybersecurity strategy?
To make a good cybersecurity strategy, you will need to deal with four aspects:
- Good data awareness and management
- Good company communication
- Frequent updates and checks
- Adequate awareness training and risk reassessment
If you can cover these four and practice good data governance regularly, you’ll know exactly where your company stands. You’ll also know where your strategy needs to focus to improve and adapt.
Do I need an expert to make my cybersecurity strategy?
Not necessarily. It’s good to have some know-how in the subject, but you can make a plan to protect your data if you can collect and process all of it. You can also merge cybersecurity with your IT strategy. Some external help will always bring a good perspective, but it isn’t crucial to a good strategy.
Why is a cybersecurity strategy important?
A cybersecurity strategy is important for 3 main reasons:
- Legal liability reasons (removing liability in some cases from the company)
- Better operations (people working are less stressed and respond faster if they know what to do)
- Secured reputation for the company
If mismanaged, each of the three can ruin even a company with a great product.
Resources
TechGenix: Cybersecurity in Public Companies
Find out why cybersecurity is such a problem with public companies in this article.
TechGenix: Winning Cybersecurity Teams
Discover how to create practical cybersecurity teams that will be ready for anything in this article.
TechGenix: Human Elements That Threaten Enterprise Data
Learn how the human element might be the biggest issue for cybersecurity in this article.
TechGenix: Prioritizing Cybersecurity
Find out how you can explain to the top brass the importance of cybersecurity in this article.
TechGenix: 2022 Cybersecurity Guide
Find out about the common cybersecurity threats and how to deal with them in this article.
