How to create a long-term security plan for your business
Some business leaders make the mistake of only thinking about security after an incident has already hurt them. The better approach is to have a long-term security plan for your business and then adapt that framework as new needs arise. Here are some actionable tips for getting started.
List your assets and their associated threats
Begin by figuring out what to secure. Writing the inventory down makes it easier to spot valuable items nobody is responsible for. Physical assets could include a 3D printer and all of your office's computers. It's just as important to inventory your digital assets: customer data, the website, e-mail and all documents related to current or past projects. Don't forget that your workforce represents human assets that need protection, too.
After making the list, write down the threats to each asset. For example, someone could steal the 3D printer, or, if it's networked, compromise it with malware. A disgruntled former employee might storm into your building and put lives at risk if you don't safeguard against that possibility. Rank each asset-and-threat pair by how likely it is and how much damage it would do, so the plan addresses the biggest exposures first rather than the easiest ones.
Once you have looked at your assets and the related risks, it'll be easier to see where controls are missing and where you're already doing well. You may also wish to hire a professional to audit the security situation at your company. The fresh perspective of an outside expert can flag issues that would otherwise get overlooked.
Build a strong security culture
A long-term security plan should also include a cultural aspect. The ideal scenario is one where everyone realizes the role they play in securing a physical building or its online infrastructure from threats. Security is not the sole responsibility of one team or executive. The decisions made by individuals create a collective culture of safety.
It’s best to help people have that mindset as soon as they arrive at the company. Does your organization provide security training to new employees? If not, it’s time to start. Another worthwhile technique is to emphasize that keeping an organization secure is not necessarily difficult.
For example, the United States government's STOP. THINK. CONNECT. campaign gives easy suggestions for better cybersecurity, such as keeping software and antivirus protection updated and remaining wary of messages that push you to act immediately. Consider posting a regular assortment of physical and cybersecurity tips in places like the break room and restrooms. Help dispel the belief that security is an overwhelming topic. Let people see that participating in a security culture can bring a sense of ownership and even enjoyment.
Implement a data backup process
Many decision-makers assume that security threats won't happen in their organizations. That mindset is common at smaller organizations or those storing comparatively little data. However, most attacks are opportunistic and automated, so cybercriminals routinely hit organizations that consider themselves too small or uninteresting to be targets.
For example, every respondent to a yearly study of law firms reported security incidents in 2020, and the data also showed a worrisome rise in ransomware. The core problem with ransomware is that it encrypts a victim's files so the business can no longer use them. Paying the criminals' ransom isn't a guaranteed fix, and many groups now also steal data before encrypting it, which no backup can undo. Employee errors cause data loss, too. A tired or frazzled worker can delete an entire folder of crucial information with one wrong keystroke or mouse click.
An effective data backup process is the single best way to keep operations running after a ransomware attack, and it also protects against catastrophes caused by error. Two caveats matter in practice: at least one copy must be kept where malware on your network cannot reach it (offline, or on storage that cannot be overwritten), because ransomware deliberately encrypts any backups it can find, and you must actually test restoring from the backups, since an unverified backup is only a hope. Keep your physical data in mind, too. Storing originals in fireproof and waterproof cabinets is a good start. It may also be worthwhile to use document storage services after creating digital copies of frequently accessed content. Those companies offer plans where clients can opt for climate-controlled, guarded facilities.
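The following is an added example, not code from the original article, showing one way to make a backup you can trust: it copies files, records a SHA-256 digest of each one in a manifest, refuses to restore from a copy that no longer matches the manifest, and is exercised against both failure modes the section describes (an accidental deletion, and ransomware that reaches the backup itself). The directory layout and file contents are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample working directory: a few project documents (not real data).
SAMPLE_FILES = {
    "projects/acme/proposal.txt": "Proposal for Acme, revision 3.\n",
    "projects/acme/contract.txt": "Signed contract, 2021-03-01.\n",
    "customers/list.csv": "name,email\nJane Doe,jane@example.com\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every file under `source` into `dest` and write a manifest of
    relative path -> SHA-256, so the copy can later be checked for tampering
    (ransomware encrypting it) or silent corruption."""
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel] = sha256_of(path)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return the relative paths whose content is missing or no longer matches
    the manifest. An empty list means the backup is intact."""
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        path = dest / rel
        if not path.is_file() or sha256_of(path) != digest:
            problems.append(rel)
    return problems


def restore(dest: Path, source: Path) -> list:
    """Restore every manifest entry back into `source`. Refuses to restore a
    backup that fails verification, so a tampered copy never overwrites data."""
    problems = verify_backup(dest)
    if problems:
        raise RuntimeError(f"backup failed verification: {problems}")
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    for rel in manifest:
        target = source / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target)
    return sorted(manifest)


def demo() -> dict:
    """Back up the sample files, then simulate an accidental deletion and a
    ransomware-style overwrite of the backup, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"
        backup = Path(tmp) / "backup"
        for rel, content in SAMPLE_FILES.items():
            p = work / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        manifest = create_backup(work, backup)

        # Case 1: a tired worker deletes an entire folder. Restoring from the
        # verified backup brings every file back byte-for-byte.
        shutil.rmtree(work / "projects")
        restore(backup, work)
        deletion_recovered = all(sha256_of(work / rel) == d for rel, d in manifest.items())

        # Case 2: ransomware reaches the backup itself (e.g. it sat on a mapped
        # drive of the infected machine) and overwrites a file. Verification
        # catches the change and restore refuses to proceed.
        (backup / "customers/list.csv").write_bytes(b"\x00encrypted\x00")
        tampered = verify_backup(backup)
        try:
            restore(backup, work)
            restore_refused = False
        except RuntimeError:
            restore_refused = True
        return {
            "files_backed_up": len(manifest),
            "deletion_recovered": deletion_recovered,
            "tampered": tampered,
            "restore_refused": restore_refused,
        }


if __name__ == "__main__":
    print(demo())
```

The second case is why the offline or immutable copy matters: a manifest tells you the backup was damaged, but only a copy the malware could not reach lets you recover. The manifest itself should also live somewhere the attacker cannot rewrite it.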
Investigate access control measures
A thorough long-term security plan includes both physical and online access control. Many people now work from anywhere, but you can still restrict access to digital resources and portals based on a person's role and duties, so each person holds only the privileges their job requires. Many options exist that let you grant or revoke privileges from a cloud interface, which makes it easy to keep access current as people leave the company or change roles. Make removing access part of the offboarding checklist, and remember that a promotion should replace old privileges, not just add new ones on top.
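As an added illustration, not code from the article or from any particular product, here is a minimal role-based access control model in Python. The roles and permissions are hypothetical and constructed for the example. The point it demonstrates is that permissions attach to roles rather than to people, so a promotion swaps one role for another instead of accumulating privileges, offboarding is a single revocation, and an access review is one query.

```python
from dataclasses import dataclass, field

# Hypothetical roles for a small design studio (constructed for this example).
ROLE_PERMISSIONS = {
    "designer":   {"read:projects", "write:projects"},
    "lead":       {"read:projects", "write:projects", "approve:projects", "read:customers"},
    "accounting": {"read:customers", "write:invoices"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    """Role-based access control: permissions hang off roles, not people."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.users = {}
        self.audit_log = []  # every grant/change/revocation, for later review

    def add_user(self, name, role):
        self._require_role(role)
        self.users[name] = User(name, {role})
        self.audit_log.append(("grant", name, role))

    def change_role(self, name, old_role, new_role):
        """Promotion: replace the old role rather than piling the new one on
        top, so nobody accumulates permissions they no longer need."""
        self._require_role(new_role)
        user = self.users[name]
        user.roles.discard(old_role)
        user.roles.add(new_role)
        self.audit_log.append(("change", name, f"{old_role}->{new_role}"))

    def offboard(self, name):
        """Leaver: deactivate and strip every role in one step."""
        user = self.users[name]
        user.active = False
        user.roles.clear()
        self.audit_log.append(("revoke_all", name, None))

    def permissions_of(self, name) -> set:
        user = self.users[name]
        if not user.active:
            return set()
        return set().union(*(self.role_permissions[r] for r in user.roles))

    def is_allowed(self, name, permission) -> bool:
        return permission in self.permissions_of(name)

    def who_can(self, permission) -> list:
        """Access review: every active user currently holding a permission."""
        return sorted(u for u in self.users if self.is_allowed(u, permission))

    def _require_role(self, role):
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")


def demo() -> dict:
    """Walk a hire, a promotion, an access review and an exit."""
    ac = AccessControl(ROLE_PERMISSIONS)
    ac.add_user("alice", "designer")
    ac.add_user("bob", "accounting")
    before = ac.is_allowed("alice", "approve:projects")   # designer cannot approve
    ac.change_role("alice", "designer", "lead")
    after = ac.is_allowed("alice", "approve:projects")    # lead can
    reviewers = ac.who_can("read:customers")              # who sees customer data?
    ac.offboard("bob")
    return {
        "before_promotion": before,
        "after_promotion": after,
        "reviewers": reviewers,
        "bob_after_offboarding": sorted(ac.permissions_of("bob")),
        "who_can_write_invoices": ac.who_can("write:invoices"),
    }


if __name__ == "__main__":
    print(demo())
```

Whatever product you use, the three operations worth checking are the same: can you answer "who can do X?" in one query, does a role change remove the old privileges, and does offboarding revoke everything at once.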
Traditional measures for physical access control range from keypads to card readers. However, the COVID-19 pandemic pushed many organizations toward methods that reduce contact. For example, some people can use their smartphones for physical access or wave a hand across a touchless sensor. Facial recognition options are also on the market, and your employees are probably already familiar with them because many smartphones use similar technology. Treat the biometric data such systems store as sensitive: unlike a lost card, a face cannot be reissued if that data leaks.
Ensure that your security plan incorporates good password hygiene, too. Remind people that passwords should be long and hard for others to guess, never reused across services, and ideally generated and stored by a password manager, with multi-factor authentication on every account that supports it. One study of passwords found on the dark web revealed that 59% of them included a person's name or the birthday of someone in the user's family, and a third featured a pet's name. Many of those details are easy to determine with a little research on social media.
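Added example, not from the article: a check that flags passwords built from a user's personal details (names, pet names, and birthdays in the common numeric forms), including simple letter-for-digit substitutions such as "J@ne". The profile and the passwords are constructed for the example. A real deployment would run a check like this alongside a breached-password list and a minimum length, not on its own.

```python
import re
from datetime import date

# Constructed profile for the example; a real check would draw these from HR
# data the user has consented to, or simply ask the user for them.
EXAMPLE_PROFILE = {
    "names": ["Jane", "Miller"],
    "pets": ["Biscuit"],
    "birthdays": [date(1990, 3, 21)],
}

# Common letter-for-digit substitutions people use to "disguise" a name.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text: str) -> str:
    """Lowercase and drop anything that is not a letter or digit, so
    'Biscuit', 'biscuit!' and 'B-i-s-c-u-i-t' all compare the same way."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _date_forms(d: date) -> set:
    """Ways a birthday typically appears inside a password: 1990, 0321,
    2103, 032190, 210390, 03211990, 21031990, 19900321."""
    y, m, dd = d.year, d.month, d.day
    yy = f"{y % 100:02d}"
    return {
        f"{y}", f"{m:02d}{dd:02d}", f"{dd:02d}{m:02d}",
        f"{m:02d}{dd:02d}{yy}", f"{dd:02d}{m:02d}{yy}",
        f"{m:02d}{dd:02d}{y}", f"{dd:02d}{m:02d}{y}", f"{y}{m:02d}{dd:02d}",
    }


def personal_details_in_password(password: str, profile: dict) -> list:
    """Return the profile details found inside the password, e.g.
    ['names:Jane', 'birthday:1990-03-21']. An empty list means none were found.

    Names shorter than four characters are skipped: they match too many
    ordinary words and would produce more false alarms than useful rejections.
    """
    pw = _normalize(password)
    pw_deleet = _normalize(password.translate(LEET))
    hits = []
    for kind in ("names", "pets"):
        for value in profile.get(kind, []):
            token = _normalize(value)
            if len(token) >= 4 and (token in pw or token in pw_deleet):
                hits.append(f"{kind}:{value}")
    for bday in profile.get("birthdays", []):
        # Dates are matched against the raw digits only; de-leeting would
        # turn the digits into letters.
        if any(form in pw for form in _date_forms(bday)):
            hits.append(f"birthday:{bday.isoformat()}")
    return hits


if __name__ == "__main__":
    for candidate in ("Biscuit2021!", "J@ne0321", "correct-horse-battery"):
        print(candidate, "->", personal_details_in_password(candidate, EXAMPLE_PROFILE))
```

The check is a guardrail for the specific failure the study above describes, not a complete password policy. It says nothing about a password that is merely short or appears in a breach dump, so pair it with length rules and a breached-password lookup.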
Address employee training needs with the plan
Security experts often describe employees as the weakest link in keeping an organization safe. That's rarely because they intend to do something malicious. Some people simply don't realize that seemingly innocent activities pose risks. For example, a person might share their password with a close colleague so that colleague doesn't fall behind on work while waiting for the help desk to reset a login. Besides handing over access, that destroys the audit trail: anything done under that account can no longer be tied to one person.
Social engineering is the manipulation of human psychology to gain access to physical or online resources. A criminal might run an attack over the phone by posing as an auditor or someone else who demands urgent attention and action. They could also put on a uniform and ask someone to hold the door for them, pretending to be there to fix equipment. In reality, they're there to scope out the premises, or worse.
Incorporate employee training into your security plan so that workers are well-equipped to spot both the obvious and the less-apparent signs of someone posing a danger to the organization, and make sure they know how to report a suspicion without fear of blame. Aim to have the training begin during a worker's onboarding period and continue regularly from there. When employees get periodic education about the latest security techniques and tips, you'll be taking a significant step toward creating and nurturing the security culture mentioned earlier.
Security plans are ongoing efforts
Besides applying the suggestions here, remember that your security plan should evolve as needs change. Even when it seems finished, review the document at least once a year, and again after any incident or major change such as a new office, a new system or a shift to remote work, to verify that it's still relevant.
It's also useful to get feedback from people at various levels of the organization. They likely have input about things to include in the security plan that hadn't crossed your mind but are well worth including, and they are the ones who will notice when a control gets in the way of doing the job.
Eleanor Hecks is editor-in-chief at Designerly Magazine. She was the creative director at a digital marketing agency before becoming a full-time freelance designer. Eleanor lives in Philly with her husband and pup, Bear.