5 Habits of Highly Successful CISOs

Curious about your company's security posture? See if you're following these five best practices.

Friday, May 29, 2015

By Deena Coffman

Businesses of all sizes—from international corporations to local coffee shops—must concern themselves with data privacy. Curious about your company’s security posture? See if you’re following these best practices that keep businesses secure.

1. Properly train employees. It’s important for businesses to provide training that includes instruction for newly hired employees. The program should make them aware of the company’s privacy policy, educate them on data security best practices, and ensure they know what to do and where to turn if they suspect a breach has occurred. It also should provide for refresher courses for existing staff. Reminder messages delivered via email, newsletter, posters and campaigns will increase employee compliance with your recommended privacy protocols while also keeping everyone up to date on the latest data security threats.

2.  Plan for a security incident. The worst time to discover your breach response plan isn’t up to par is when you’re in the middle of trying to respond to an actual breach. If your small business doesn’t make the effort to wring out the bumps in its security plan ahead of time, you risk delays in getting the situation handled. It’s also a recipe for bungling your public response to any security concerns, which can hurt your brand’s reputation for months or years to come. Every small business should have at least a simple framework in place that outlines the steps that must be taken if a data breach or other security event occurs.

3. Don’t expect IT to cover security. Information technology and information security provide two distinct, yet related functions. IT is responsible for finding technology tools that work well and that employees find useful. Security is responsible for data protection. As an analogy, IT is like the architect and builder of a house, and information security would be responsible for adding locks to doors, installing an alarm system, monitoring the alarm system, etc. The IT team should work alongside other departments and experts who specialize in information security and risk management. This will give your small business a holistic view on data privacy risks and the best strategies to mitigate them.

4. Test your security. Even when a small business puts in the work needed to implement a robust data privacy strategy, it’s surprising how few follow through with some real-world testing. Steps such as conducting penetration testing, vulnerability assessments and risk evaluations of your small business’s security measures can reveal critical vulnerabilities. You may discover there are otherwise reliable software platforms with out-of-date patches or updates that have now turned against you. Or it could be revealed that the settings for components within your network are creating unexpected security gaps. There’s almost no way to know about these issues without testing your company’s security measures.

5. Consider vendor security issues. Most small businesses have a handful of vendors that provide important support. If these vendors don’t have strong security practices and protocols in place, then the hard work your team is doing to protect its data can be quickly rendered ineffective.

Begin by discussing data privacy with existing vendors. Work with them to ensure there are no weaknesses where your systems connect, and confirm their employees have been trained in current security best practices. In addition, language in contracts and service agreements should require external partners to maintain appropriate security levels and to notify you immediately if they experience a breach.

Deena Coffman is chief executive officer of CyberScout Consulting.

© CyberScout, LLC. All Rights Reserved.
If you need identity theft assistance, call your provider organization to be put in touch with the CyberScout Resolution Center. More information for individual consumers.