
A cyber security program for small businesses

A quick internet search turns up article after article detailing the rising risk of cyber-attacks against small businesses. The headlines read like a warning, and a nightmare, for small business owners:

  • Cyber attacks on small businesses on the rise.
  • Warning: A wave of new viruses is targeting small businesses.
  • Huge rise in hack attacks as cyber-criminals target small businesses.

Small businesses have benefited greatly from the global presence the internet provides; however, this connectivity comes at a cost. If not properly secured, those same technologies can be used to steal, or even hold hostage, your data. Customer, financial, proprietary and privacy data are all at risk.

Knowing Where To Start

When it comes to cybersecurity, the challenge for most small businesses is knowing where to start. Like any initiative, the tone for cybersecurity should be set at the top.

Boards and executives are responsible for creating a culture of security within their organization. To drive this culture, they should develop a cybersecurity program: a formal structure that guides the organization's security efforts.

Think of a cybersecurity program like the sum of all things that enable a large cruise ship to travel safely across an ocean. The captain, crew, operating procedures, navigation charts and systems, communication systems, and even the ship's rudder are all critical to the success of a voyage. If implemented properly, a cybersecurity program will transport your organization safely across the hazardous waters of cyberspace.

Cybersecurity Governance

The first step in establishing a cybersecurity program is defining a formal governance structure. Governance for cybersecurity includes formal documentation outlining ownership, authority, reporting lines, and roles and responsibilities. Also critical to governance is the development of formal policies and procedures that guide the IT activities of the organization and of its service providers.

The following lists some of the key topics these policies and procedures should address:

  • Access management.
  • Change management.
  • Security training and awareness.
  • Vendor management.
  • Mobile device management.
  • Acceptable use.

The governance structure, along with its policies and procedures, should be established once and then revisited at least annually, or whenever the organization undergoes changes that significantly affect its IT environment.

Cybersecurity Planning and Monitoring

Once the appropriate governance has been established, the organization needs a process for the ongoing planning and monitoring of cybersecurity. At least annually, the organization should carry out the following IT planning and management activities and document the results:

  • Update strategic plan.
  • Review and approve policies and procedures.
  • Conduct risk assessment.
  • Assess cybersecurity liability.
  • Evaluate IT outsourcing activities.
  • Develop budget.

The time and effort given to each of these activities should be commensurate with its relative risk to the organization. For a small organization, the whole process could be as simple as a single meeting with the appropriate stakeholders to walk through these items.

The annual IT planning and management process should also identify the activities the organization plans to conduct in the coming year to monitor and evaluate the security of its IT environment. Consideration should be given to activities such as periodic IT audits, network vulnerability scans and penetration tests, and social engineering or phishing tests.

Note that cybersecurity experts can help organizations develop and maintain a cybersecurity program that is tailored to their business environment.

This article was written by Anders Erickson from Telegraph - Herald; Dubuque, Iowa and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.
