Today Marriott reported one of the largest data breaches in history: an intrusion into the Starwood properties guest reservation database that may have exposed the personal information of up to 500 million guests. The exposed information included guest names, passport numbers, mailing addresses, email addresses, dates of birth, and travel details, and, for some guests, encrypted payment card numbers and expiration dates, where Marriott could not rule out that the components needed to decrypt them had also been taken. This is a lot of sensitive private data.
There have been other large company cyber attacks recently. For example, Dell says that on November 9th it detected an intrusion in which the attackers attempted to extract customer names, email addresses and hashed passwords, and Dunkin' Donuts reported an attack detected on October 31st in which cyber criminals used credentials leaked from other breaches to access DD Perks accounts, exposing customer names, email addresses and account numbers.
Data breaches are on the increase and too often making headline news.
The increasing frequency, sophistication, and ever-changing nature of cyber intrusions and data breaches continually challenge an organization's information technology, security and risk management teams, and cause major business disruptions, public release of confidential information, reputational damage, and other negative financial and operational impacts.
Every business, no matter how large or small, needs to develop a cybersecurity program to counteract the endless stream of cyber threats. No business is too small to be a target, and as reported in today’s news about Marriott, no business is too big to be unaffected by a cyber attack.
Small businesses are also susceptible to data breaches because they often lack the technical resources or in-house IT staff to prevent attacks on their networks and systems.
Creating an effective cybersecurity program can address many of the cyber threats faced by businesses. Here are some recommendations in creating a cybersecurity program:
1) Assess Your Data: Conduct a Thorough Audit of Your Cybersecurity Assets and Policies
Before you can start creating a cybersecurity program, you first need to know what assets need protection.
Audits help organizations to focus on the critical security and compliance risks that affect the bottom line of their operations. Identify where sensitive data resides, who and what can reach it, and which weaknesses could lead to a breach, so that you can protect your business' information assets.
In addition to auditing your cybersecurity assets, it’s important to review your company’s cybersecurity policies and make adjustments as needed. If your business does not have cybersecurity policies, they need to be developed and employees trained on cybersecurity do’s and don’ts.
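The first step, knowing where sensitive data resides, is usually done with a data discovery scan. The following is an added example, not code from the original article or from Clarus Tech Partners: a small scanner that looks for the kinds of data named in the Marriott report (payment card numbers and passport numbers) in a set of constructed sample files. It validates card-number candidates with the Luhn checksum so that ordinary 16-digit numbers such as order references do not produce false positives, and it reports only masked values, since a discovery report that copies full card numbers becomes another place the data resides. The file contents, the passport pattern and the function names are assumptions made for the example.

```python
import re
from pathlib import Path

# Constructed sample files (assumption for this example, not real records):
# a reservation export, an unrelated note, and a passport note.
SAMPLE_FILES = {
    "reservations.csv": (
        "guest,card,arrival\n"
        "A. Guest,4111 1111 1111 1111,2018-11-30\n"   # Luhn-valid test number
        "B. Guest,4111111111111112,2018-12-01\n"       # 16 digits, fails Luhn
    ),
    "notes.txt": "Order ref 1234567890123456 shipped.\n",  # 16 digits, fails Luhn
    "passports.txt": "Passport: X12345678\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Passport numbers vary by country; this keyword-anchored pattern is an
# assumption chosen for the example, not a universal format.
PASSPORT_RE = re.compile(r"(?i)\bpassport\b\W{0,3}([A-Z0-9]{6,9})")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself sensitive."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(name: str, text: str) -> list:
    """Return (file, kind, masked_value) findings for one file's contents."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                     # drop non-card digit runs
            findings.append((name, "card_number", mask(digits)))
    for m in PASSPORT_RE.finditer(text):
        findings.append((name, "passport_number", mask(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {filename: text} mapping; used for the constructed sample."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def scan_directory(root: str) -> list:
    """Scan every readable file under a real directory tree."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue                        # unreadable file: skip, keep going
    return scan_files(files)


if __name__ == "__main__":
    for name, kind, masked in scan_files(SAMPLE_FILES):
        print(f"{name}: {kind} {masked}")
```

On the sample data the scanner reports one card number in reservations.csv (masked to its last four digits) and one passport number in passports.txt; the Luhn check rejects the altered card number and the order reference. A real inventory would also have to cover databases, backups, mail stores and cloud buckets, which is exactly why the audit has to be deliberate rather than a one-off grep.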
2) Implement Your Cybersecurity Program
After you assess your data, you need to develop and implement the cybersecurity program and you will need personnel to implement the plan. This is where building your IT security team becomes necessary.
However, building a team of cybersecurity experts can be time consuming and expensive. An experienced security professional's annual salary often exceeds $100,000, and you may need multiple security personnel to cover the threats your business faces 24/7.
When building your IT security team, consider the following:
How Large Does My IT Security Team Have to Be? Not every business needs a large staff of cybersecurity experts. Consider both your organization's size and which data privacy regulations apply to your industry and the jurisdictions you operate in, such as GDPR, CCPA, HIPAA or 23 NYCRR 500.
What Specific Skills Does My Team Require? Not all cybersecurity experts are created equal. There are a few different specializations within the cybersecurity industry, and you’ll want to make sure that the personnel you add to your security team have the right skills to match your needs.
Do You Need In-House Staff or Can You Hire Outside Consultants? If you have a small business, your IT systems are often outsourced to a managed services provider. Are those systems secure? Having an independent third party assess them can uncover vulnerabilities and reduce your data security and compliance risks.
Rather than building your team out internally, you can use a managed security provider to get the services of a full-sized team for a fraction of the cost of hiring internally. Plus, if there are any gaps or omissions in your security program development, an experienced cybersecurity services provider can usually identify and address the risks.
3) Monitor Your Cybersecurity Program
After your cybersecurity program is implemented, your IT security team needs to continually monitor the systems. Cyber criminals are endlessly creating new attack methods and tools to try and compromise your business’ data.
So, your cybersecurity program should never be considered a one-time solution. You should conduct audits at least annually, and more often where the risk warrants it, and continuously revisit your cybersecurity program and policies. It is important to make modifications that take into account the latest threats and attack strategies and the continuous changes in data privacy regulation requirements. Your cybersecurity program plan will be a "living document" that changes and adjusts as needed.
Cybersecurity is a complex and ongoing issue for companies of all sizes; large enterprises and SMBs alike are vulnerable to data breaches.
Christine Baird, CEO of Clarus Tech Partners, has a team of IT, legal, cybersecurity, and compliance experts who advise and implement data security and privacy solutions.