[BreachExchange] Cyber security is more about you than technology

[Audrey McNeil]

http://www.grbj.com/blogs/9-small-business-startups/post/84632-cyber-security-is-more-about-you-than-technology

Congratulations, you are now the key to something. You are absolutely
essential — mission critical. Without you, it will fail. What am I talking
about?

I’m talking about the level of cyber-security you practice and benefit
from. Regardless of the amount of technology you implement to protect your
business and the amount of expertise you hire, the human element
maliciously or ignorantly can undo so much of those measures.

There is no denying that an abundance of tools and tactics are available
that take “must have” precautions to protect our systems – either from
external malice or internal human error. Things like anti-virus/malware
tools, firewalls, complex passwords, VPNs and backups do provide a baseline
level of security and can protect us from ourselves.

But make no mistake, any of these measures — which generally comprise what
most small businesses have put in place — will likely not protect you from
an employee clicking on a link in an e-mail that delivers Cryptolocker to
your system. Cryptolocker, by the way, is a form of malware that
essentially commandeers your data and holds it ransom pending your payoff
to the author for restoring your data. Good cyber behavior through
education of potential threats is absolutely essential to support your
technology measures.

Now look beyond just the use of technology to the physical aspect of cyber
security. None of the common measures mentioned above are likely to protect
your company from the liability of an employee copying sensitive data to an
external hard drive and using it outside your business for personal gain.
Just like having locks on a door to keep out unwanted visitors, your
business data is beholden to good physical security measures to manage
around behavior.

Another area where behavior affects security is in the ever-blurring lines
between business and personal use of social media. Social media is
increasingly a part of the online presence of businesses, and how they
interact with their marketplace and customers.

Social media invites more direct contact with people digitally and
therefore has its own set of things to be mindful of from a security
standpoint. The person responsible for your firm’s Facebook account can,
with a few taps of their finger on their phone app, greatly influence what
people see (and think) about your company’s online presence. Same thing
goes for Twitter.

Here are some practical steps you can carry out in short order to further
protect your business from a cyber-security breach.

- Have an Acceptable Use Policy. They are all over the Internet as free
downloads. One example ishere. While a piece of paper does not
automatically prevent behavior, it does provide you necessary legal
leverage when behavior creates liability.
- Continually educate your employees. There are an abundance of resources
available. Specifically, the Michigan Small Business Development Center has
created a helpful site along with self-assessments and training around
cyber security.
- Have measures in place from a physical security aspect — from the most
simple of locks on doors that should have them, to some level of auditing
to ensure your data cannot physically leave your premises (assuming you
want that). Most all competent IT service providers will be able to advise
you on measures that can be taken to protect your data.

Remember that how good of a cyber-citizen you and your employees are will
go a long way toward ensuring that your business does not suffer from a
cyber-security breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160226/235831f7/attachment.html>