“Winning is not a sometime thing, it is an all the time thing. You don’t do things right once in a while…you do them right all the time.” – Vince Lombardi
As you think about information security for your business, the quote by Lombardi has particular relevance (sorry Vikings fans, but no Dennis Green or Bud Grant quotes fit).
Security is an IT process that is never “done.” Every new technology adopted brings with it new security issues. Networks have to be constantly monitored. Anything connected to a network and the Internet (such as copiers) must be included in your security infrastructure. Protection against ransomware has to keep evolving as the threats evolve. There is much more to security, all of it oriented toward preventing hackers from breaching your network and stealing your data or locking you out of it.
Every company's security plan must include IT – securing networks, patch management, proactive monitoring, etc.
However, companies that focus only on IT security are only partially secure. You can't forget employees: employee ignorance or negligence accounts for a substantial portion of security breaches, and that doesn't include less-frequent malicious insider breaches from disgruntled or criminally inclined employees. That's why security must start at the top of a business.
Great security starts with great leadership. If staff don't see company leadership taking cybersecurity seriously, why should they?
Information security isn't just an IT challenge. For a business to be as secure as possible, the importance of cybersecurity and keeping data and information protected must be woven throughout the organization – from the owner or president down to the freshest intern.
The first step is the most obvious one – understand that cybersecurity is important. Hackers will target anyone – especially businesses that don't pay attention to their network security. Small size is no protection.
Here are a few quick tips to get you started on the journey to creating a cybersecurity culture in your office:
Acknowledge and act on the fact that all businesses need to have a strategy for security.
Create a security policy. If you don't have a policy for security, you won't be able to hold employees accountable.
Lead by example. Emphasize the importance of security to the business throughout the year in a sustained way. Don't just mention it off-hand now and then.
Train employees. Reinforce the importance of security by taking the time to train employees multiple times per year – sessions reiterating how to avoid phishing attacks (that would be those Nigerian prince-type emails), password best practices, physical security, etc.
The most important thing to remember is that you don't have to be good to start, but to be good you have to get started!
Of course, you need a solid IT foundation for cybersecurity. Consider a Coordinated IT assessment – we'll review your cybersecurity risk and can help you maintain a secure business with our managed network services.