Ever heard the saying “if you fail to plan then you plan to fail”? This is just as true in security as it is in business, and the lack of a clear plan to protect your business from cyber risks usually results in no real protection at all.
An information or cyber security plan is a very simple and free tool that can have a profound impact on how well your business is protected from cyber threats. A security plan is a short document, often no longer than a few pages, that outlines:
- Your overall security goals and expectations
- What you have in your business that you feel is most in need of protection. In most businesses this can include customer information, but it could also be employee and partner information, intellectual property, access and security information, and of course, your website
- What kind of protection you have in place or expect to have in place
- Who’s responsible for security (hint: it’s everybody’s responsibility)
- And what happens if security fails
So here’s how you go about creating a plan:
- The easiest way to create a security plan is to create a simple checklist of everything you believe would be of value to a thief or hacker.
- Write down all the current security measures you have in place to protect each “asset.” For example, if your website is on your list, current security measures could include allowing only one person to access your website and make changes, and requiring website passwords to be changed at least every twelve weeks.
- Write down all the security measures you should or would like to add. Going back to the example of website security, you might want to add extra layers of authentication, website scanning, or an SSL certificate.
- Then continue the process throughout your business – what you have that’s valuable and vulnerable, what security you have in place, and what security measures you plan to add.
Next comes your list of security rules, and this could be the most important part of the plan. Your rules remind you and tell others what your minimum security expectations are and how employees must interact with vulnerable assets.
That includes rules for:
- Handling and protecting sensitive information
- Use of laptops, phones, and other devices, and what can be stored on them
- Network security
- Website access
- Social media
- Security outside the office
- Disposing of sensitive information
The bigger your business, the bigger the list. And the more complicated your business and security challenges become, the more you might want to think about getting some professional help.
And some final tips:
- Live the plan. No sense in creating a security plan if it sits idly on a shelf or computer.
- Share it regularly with everyone who has a role to play in security. That includes employees and maybe even partners.
- Review and update it regularly so that it always takes into account changes in your business, the threat environment, and even regulations.
- Protect it. While sharing your plan with the right people is good, sharing it with the wrong people is like telling them where you hide your front door key.
- If you need help creating a security plan, the Federal Communications Commission has a great and free online tool.
To learn more about how the SiteLock suite of cyber security solutions fits into your security plan, give us a call at 855.378.6200 or visit us online.