Creating a cyber security plan for your business

Cyber crime is the up and coming problem for all small and medium businesses and not-for-profit organisations across the world. There is no easy or inexpensive way to protect your organisation from cyber crime, but there are alternatives to the expensive options.

A cyber security plan can be an expensive endeavour, and that is normally what stops an organisation from creating one, but you need to start somewhere.

Here is a basic start!

Become paranoid

On the Internet everyone is after you. They are after your cash and they are after information about you, your staff and your clients. The more information they gather the more targeted an attack can become. The more targeted an attack the better the chance that they can steal those business ideas or your money.

Assess your risks

Look at what can go wrong within your business and make sure that you have plans in place to negate those problems. One of the benefits of small and medium business is their agility, but agility needs to be tempered with capability and perception. The three areas of security – availability, confidentiality and integrity – are what drive cyber security. For large corporations the driving force is confidentiality, but for a small and medium business it is availability. Small and medium businesses have to walk a thin line between those two areas.

Your risk assessment will define what areas in your business need greater availability and what areas need better confidentiality. Once that has been worked out you can then make sure your data integrity is set to the desired level.

Create policies

A policy is a statement from the managerial area of the business. Policies are used to define and control your staff's access to certain components of the business.

Most businesses need policies – an Internet policy, a social media policy and an email policy are the most basic, and they are used to protect the business. For instance, an Internet policy can define the use of the Internet – only for business purposes during business hours, not to be used to download applications, not to be used with peer-to-peer applications. Your Internet policy can be supported and enforced with the right technology – your firewall.

Use best practice

Best practice is an ICT catch-all for installing, configuring and supporting any component of the ICT infrastructure. It is used to ensure that the use of a device is at the best level it can be. Best practice is used to deploy systems and ensure that the business environment is the best it can be.

Best practice gives you a stable and predictable starting point for the technology in your business. It defines the system configuration for a device so that there is nothing that can go wrong with it.

Create an audit policy

Just like best practice, the monitoring and management of your business relies on setting the correct thresholds for the system. Whether you record all failures, or both success and failure, for access to files and folders or system resources is your call. An audit policy will set the internal boundaries of your business: who can access what, how they access it and what information they have access to. If someone is not allowed to access a resource, then the attempted access is written to a file for later analysis or an alert is generated for immediate action.

For business-critical and intellectual property data it is recommended that both success and failure are recorded. This way you can track not only the failures but also keep track of trusted people within the business. You never know when someone will be looking for a new job.
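As an added example (not code from the original post), here is a small Python script that reviews an access audit log the way this section describes. The log format, share names, business hours and the threshold are all constructed assumptions; the point is that failures on sensitive data go straight to an alert list, while success events let you notice a trusted user quietly collecting data after hours.

```python
"""Added example: reviewing an access audit log for an SME.

Not code from the article. The log line format, the share names and the
thresholds below are constructed assumptions for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample audit lines:
#   "<timestamp> <user> <action> <resource> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice READ finance/payroll.xlsx SUCCESS
2024-03-04T09:05:40 bob READ finance/payroll.xlsx FAILURE
2024-03-04T09:06:02 bob READ finance/payroll.xlsx FAILURE
2024-03-04T12:15:00 carol READ rnd/design-v3.pdf SUCCESS
2024-03-04T22:41:13 carol READ rnd/design-v1.pdf SUCCESS
2024-03-04T22:41:20 carol READ rnd/design-v2.pdf SUCCESS
2024-03-04T22:41:27 carol READ rnd/design-v3.pdf SUCCESS
2024-03-04T22:41:31 carol READ rnd/customer-list.xlsx SUCCESS
2024-03-04T23:10:05 dave WRITE public/notice.txt SUCCESS
"""

# Constructed: the shares the risk assessment classed as sensitive
SENSITIVE_PREFIXES = ("finance/", "rnd/")


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    action: str
    resource: str
    success: bool


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Turn the whitespace-separated log lines into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action,
                                 resource, result == "SUCCESS"))
    return events


def is_sensitive(resource: str) -> bool:
    return resource.startswith(SENSITIVE_PREFIXES)


def failed_sensitive_access(events: List[AuditEvent]) -> List[AuditEvent]:
    """Failure events on sensitive data: the 'alert for immediate action' case."""
    return [e for e in events if not e.success and is_sensitive(e.resource)]


def bulk_after_hours_access(events: List[AuditEvent], start_hour: int = 8,
                            end_hour: int = 18, threshold: int = 3) -> Dict[str, int]:
    """Count successful sensitive reads outside business hours per user and
    return the users at or above the threshold. This is what success
    auditing buys you: the access was allowed, but the pattern is worth a look."""
    counts: Counter = Counter()
    for e in events:
        in_hours = start_hour <= e.when.hour < end_hour
        if e.success and is_sensitive(e.resource) and not in_hours:
            counts[e.user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def review(text: str) -> dict:
    """Run both checks over a log and return the findings as plain data."""
    events = parse_audit_log(text)
    return {
        "failures": [(e.user, e.resource) for e in failed_sensitive_access(events)],
        "after_hours_bulk": bulk_after_hours_access(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the constructed log this reports bob's two denied reads of the payroll file as failures and flags carol, who read four sensitive files at 22:41. Whether four reads after hours is worth a phone call is the threshold decision the section talks about; the script just makes the pattern visible.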

Report attacks

Does anyone actually know where you can report a cyber crime? If you are in a position where you have been deliberately targeted by either an inside or an outside attacker, what should you do about it?

The following problems should be reported to the local police as soon as possible:

  • computer intrusion – direct hacking,
  • unauthorised destruction or modification of data,
  • denial of service attacks (DoS) and
  • distributed denial of service attacks (DDoS).

There are also simple rules to follow that can be incorporated into a policy – do not turn off the computer, back up all log files, disconnect the attacked or compromised system from the network, shut down all non-essential services.

Although not as critical, it is just as essential that if something gets past your anti-virus, anti-malware or anti-spyware you report it to your supplier. Most endpoint protection systems have a “send to us” button for you to use on just such an occasion.

Implement the plan

Once you have a plan for your cybersecurity you have to implement the plan. The implementation can be an instant initiation – on Monday this is how it is all going to work – or it can be brought in over time. You can use a framework to tighten up your business security slowly and get your protection to the desired level. Either way, do not hesitate: implement the systems and protection as fast as your business and finances will allow.

Cybersecurity protection is common sense followed by persistence.

Protect your clients' information

This is critical for your business survival. At no time is a lapse in security allowed to compromise your clients' information. In addition, payment information should be kept separate from other information, with a higher level of protection. Furthermore, the three most important components of credit card information (name, card number and expiry date) should not be stored together. The security code on the back of the card should never be stored electronically.
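As an added example (not code from the original post), the Python below applies the three rules in this section at the point where a customer record is about to be saved: payment details go to their own store, the name is never written alongside the card number and expiry, and any security code field aborts the save. The record layout, field names, masking rule and the `payment_ref` link between the two stores are constructed assumptions.

```python
"""Added example: splitting a customer record so payment data is stored
separately and the security code is never persisted.

Not code from the article. Field names, the sample records and the
masking rule are constructed assumptions.
"""
import secrets
from typing import Dict, Optional, Tuple


class PaymentDataError(ValueError):
    """Raised when a record would break the storage rules."""


# Field names that must never reach any store (constructed list)
FORBIDDEN_FIELDS = {"cvv", "cvc", "security_code"}

# Fields that belong only in the separately protected payment store
PAYMENT_FIELDS = {"card_number", "expiry"}

# Constructed sample input: a record that may be stored once split
SAMPLE_RECORD_OK = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/27",
}

# Constructed sample input: the same record with the security code attached
SAMPLE_RECORD_BAD = dict(SAMPLE_RECORD_OK, cvv="123")


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits for the general customer profile."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise PaymentDataError("card number too short")
    return "*" * (len(digits) - 4) + digits[-4:]


def split_customer_record(record: Dict[str, str],
                          payment_id: Optional[str] = None) -> Tuple[dict, dict]:
    """Return (profile, payment) ready for two separate stores.

    - any security-code field aborts the whole operation
    - the profile keeps name and contact details plus a masked card hint
    - the payment store keeps card number and expiry under an opaque
      reference, with no name, so the three components are never together
    """
    present = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise PaymentDataError(
            f"refusing to store security code field(s): {sorted(present)}")
    if not PAYMENT_FIELDS <= set(record):
        raise PaymentDataError("card_number and expiry are both required")

    ref = payment_id if payment_id is not None else secrets.token_hex(8)
    profile = {k: v for k, v in record.items() if k not in PAYMENT_FIELDS}
    profile["payment_ref"] = ref
    profile["card_hint"] = mask_card_number(record["card_number"])
    payment = {
        "payment_ref": ref,
        "card_number": record["card_number"],
        "expiry": record["expiry"],
    }
    return profile, payment


def would_reject(record: Dict[str, str]) -> bool:
    """True if the record cannot be stored under the rules above."""
    try:
        split_customer_record(record)
    except PaymentDataError:
        return True
    return False


if __name__ == "__main__":
    profile, payment = split_customer_record(SAMPLE_RECORD_OK)
    print("profile store :", profile)
    print("payment store :", payment)
    print("record with CVV rejected:", would_reject(SAMPLE_RECORD_BAD))
```

The opaque `payment_ref` is the only thing the two stores share, so whoever can read the profile store sees a masked hint and a reference, not a usable card. The payment store itself is the one that needs the higher level of protection the section calls for (access control and auditing as in the earlier section, and encryption at rest).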

Train your people

Finally, you need to train your staff: train them in your business requirements, train them to use complicated passwords, train them to watch for problems and, most of all, train them so that their focus is the protection of your business, their information and, most importantly, your clients' information.

Your people will make and break your business through their ideas and the business culture. Protect and support them and they will look after your business like it is their own.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.