CYBERSECURITY & IT CONSULTING SERVICES
Living and working in a connected environment has greatly enhanced business efficiency and accelerated communication. But it has also opened the door to lurking threats that could play havoc with your business unless you are prepared. Primary among these hazards are attacks against your company’s infrastructure, including your people, computers, mobile devices, and networks.
Know the Facts
- 40% of companies that are victimized by data breaches are small or medium-sized businesses
- 70% of data breaches in SMBs are caused by internal vulnerabilities
- Up to 70% of U.S. companies have paid a ransom to recover data
- 50% of small businesses that experience a data breach fail within six months
- In 2018 the number of unique cyberattack incidents increased by 32% over the previous year
- 86% of SMBs report their ability to manage security risks is “not highly effective”
Protecting your networks and information has become even more critical now that so many organizations have dispersed their workforce and are sharing data files across wider distances, frequently over unprotected wireless networks. All the more reason to invest the time and money in a robust approach to protecting your business.
Gray, Gray & Gray can help by giving you the resources and guidance necessary to do more to protect your networks and data. We give you the power to build a shield around your company’s data. From system and process evaluation, to designing and deploying protective mechanisms, to responding to attempted breaches, we stand ready to defend your business against cyber criminals.
A well-prepared business is one that takes steps to prevent problems but also has concrete plans in place to manage and recover from disasters that cannot be anticipated or avoided. There are four key steps to take in developing your cybersecurity and IT strategy:
- Business impact assessment
- Risk assessment and avoidance
- Disaster recovery plan
- Business continuity plan
Let’s examine each of these aspects individually.
Business impact assessment
It is important to identify which parts of your business would be most affected by a cyberattack, natural disaster, fire or other catastrophe. We focus on assets that are both mission critical and irreplaceable, and use a quantitative analysis to prioritize the risks that could damage or destroy those assets and disrupt your business.
For example, inventory lost in a fire can be replaced and the financial loss covered by insurance. But customer records going back many years that are compromised by an attacker may be altered or unrecoverable. Some risks cannot be anticipated (e.g. the coronavirus pandemic or a natural disaster), while others are near certainties (every business is a target for cyberattack).
Risk assessment and avoidance
Once you have identified and prioritized the risks facing your operations, you can take steps to reduce their likelihood and to limit the damage when they occur anyway. Physical threats to facilities, equipment and inventory can be addressed by proven defenses such as fire suppression and control systems, perimeter security, and routine maintenance programs.
Less obvious, but often more critical to ongoing operations, are threats to business systems: computers, servers, mobile devices, networks and data storage. A separate inventory and risk assessment of these systems will identify glaring weaknesses in your cyber defense posture, which can then be addressed in a Written Information Security Plan (WISP), a document that is required by law in some states (Massachusetts's 201 CMR 17.00 is the best-known example).
Your WISP should describe the steps your company takes to identify and address threats to stored information and to the systems on which it resides. Encrypted, redundant storage and uninterruptible power supplies are simple investments that prevent a hardware failure or power loss from becoming a disaster.
Your cybersecurity measures should include advanced email and phishing protection, data encryption and secure archiving, dark web scanning and monitoring, and – perhaps most important – cyber security training for all employees, who are typically the weakest link in the cyber defense chain.
Disaster recovery plan
This is the "immediate response" document that provides a step-by-step game plan for reacting to a catastrophic event. Once the "fires are out" and everyone's safety is assured, what do you do next? Simple checklists can help guide company leadership in stabilizing operations and putting things back on track as quickly and efficiently as possible.
It starts with something as simple as a company contact list, with names, phone numbers and email addresses of critical personnel who should be contacted in the event of an emergency. Each member of the management team should be assigned a recovery role and trained in how to execute it.
Other checklists should cover critical steps such as data recovery procedures, incident reporting requirements, equipment replacement lists, customer communications processes, and mitigation of damage to key assets. Time is money, so the plan should set a recovery time objective (RTO), the longest outage you can tolerate before systems must be restored, and a recovery point objective (RPO), the most recent data you are willing to lose. Both targets drive how much you invest in spare equipment, backup frequency and rehearsed restore procedures.
Business continuity plan
Your business continuity plan should be a written document that details how you will keep operating and recover after a disaster occurs. For your company's data and information this must include secure backup and archiving of critical files at least daily. The backup must be automatic and include an off-site copy so that you can quickly reestablish access to files, and it must be tested regularly by actually restoring from it; an untested backup is a hope, not a plan. This might require an upgrade to your computing capacity and bandwidth.
Cloud storage is often the most practical way to keep an off-site copy that is also quickly accessible. But make sure the cloud environment you choose is the right one for your business and your needs, that it will scale as your company grows, and that you understand where its security stops and yours begins: the provider secures the platform, while access control, encryption keys and backup of the data itself remain your responsibility. Keep at least one copy that an attacker who has compromised your network cannot alter or delete, since ransomware routinely targets the backups it can reach.
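The backup requirements above (automatic, at least daily, with an off-site copy) can be verified mechanically rather than taken on faith. The Python script below is an added example, not a tool from Gray, Gray & Gray or from this page: it checks a log of backup runs against a 24-hour recovery point objective, then restores the newest successful off-site archive in memory and compares it byte for byte with the source files. The backup records, file contents, digests and clock time are all constructed for the illustration.

```python
"""Backup freshness and restore check (added example; constructed data)."""
import hashlib
import io
import tarfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRun:
    finished: datetime   # when the job completed (UTC)
    location: str        # "onsite" or "offsite"
    status: str          # "ok" or "failed"
    sha256: str          # digest recorded when the archive was written
    archive: bytes       # archive contents (held inline for the example)


def make_archive(files):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def latest_good_offsite(runs, now, rpo):
    """Newest successful off-site run that finished within the RPO window, else None."""
    candidates = [r for r in runs
                  if r.location == "offsite" and r.status == "ok"
                  and now - r.finished <= rpo]
    return max(candidates, key=lambda r: r.finished) if candidates else None


def restore_test(run, expected_files):
    """True only if the digest still matches and every file restores byte for byte."""
    if hashlib.sha256(run.archive).hexdigest() != run.sha256:
        return False
    with tarfile.open(fileobj=io.BytesIO(run.archive), mode="r") as tar:
        restored = {m.name: tar.extractfile(m).read()
                    for m in tar.getmembers() if m.isfile()}
    return restored == expected_files


def check_backups(runs, expected_files, now, rpo=timedelta(hours=24)):
    """Return (ok, reason) for the backup log as of `now`."""
    run = latest_good_offsite(runs, now, rpo)
    if run is None:
        return False, "no successful off-site backup within RPO"
    if not restore_test(run, expected_files):
        return False, "latest off-site backup fails restore test"
    return True, f"off-site backup from {run.finished.isoformat()} restores cleanly"


# ---- constructed sample data; nothing below comes from a real system ----
CUSTOMER_FILES = {
    "customers.csv": b"id,name,email\n1,Acme Corp,ap@acme.example\n",
    "ledger.json": b'{"fy": 2020, "entries": 3}\n',
}
ARCHIVE = make_archive(CUSTOMER_FILES)
DIGEST = hashlib.sha256(ARCHIVE).hexdigest()
NOW = datetime(2020, 6, 1, 8, 0, tzinfo=timezone.utc)   # assumed current time


def hours_ago(h):
    return NOW - timedelta(hours=h)


def scenario_healthy():
    """On-site copy 2h old, off-site copy 20h old, tonight's off-site job failed."""
    runs = [BackupRun(hours_ago(2), "onsite", "ok", DIGEST, ARCHIVE),
            BackupRun(hours_ago(20), "offsite", "ok", DIGEST, ARCHIVE),
            BackupRun(hours_ago(1), "offsite", "failed", "", b"")]
    return check_backups(runs, CUSTOMER_FILES, NOW)


def scenario_stale():
    """Only on-site copies are fresh; the last off-site copy is three days old."""
    runs = [BackupRun(hours_ago(2), "onsite", "ok", DIGEST, ARCHIVE),
            BackupRun(hours_ago(72), "offsite", "ok", DIGEST, ARCHIVE)]
    return check_backups(runs, CUSTOMER_FILES, NOW)


def scenario_tampered():
    """Off-site archive altered after its digest was recorded (digest check fails)."""
    bad = ARCHIVE.replace(b"Acme Corp", b"Acme Corq")
    return check_backups([BackupRun(hours_ago(5), "offsite", "ok", DIGEST, bad)],
                         CUSTOMER_FILES, NOW)


def scenario_incomplete():
    """Digest is self-consistent but the archive is missing a file (restore check fails)."""
    partial = make_archive({"customers.csv": CUSTOMER_FILES["customers.csv"]})
    run = BackupRun(hours_ago(5), "offsite", "ok",
                    hashlib.sha256(partial).hexdigest(), partial)
    return check_backups([run], CUSTOMER_FILES, NOW)


if __name__ == "__main__":
    for name, fn in [("healthy", scenario_healthy), ("stale", scenario_stale),
                     ("tampered", scenario_tampered), ("incomplete", scenario_incomplete)]:
        print(f"{name:11} -> {fn()}")
```

The point of the last two scenarios is that a freshness check alone is not enough: a digest catches an archive that was modified after the fact, and only an actual restore and comparison catches an archive that is internally consistent but does not contain what you expected. In production the archive would be pulled from the off-site location rather than held in memory, and the comparison would be against a known manifest rather than the live files.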
Personnel are also an important part of business continuity. Everyone should have a role to play and, wherever possible, should be cross-trained in other aspects of the business to ensure a backup is available. Knowledge transfer and multi-role training also smooth the transition when an employee is promoted or leaves the company and must be replaced.
Expecting the unexpected is the hallmark of a visionary business leader. But it is even more important to plan ahead in anticipation of potential dangers and disasters. Taking steps to avoid threats and vulnerabilities is essential, but so is having a “moving forward” plan to recover from disruption and restore operations as efficiently as possible.
Our cybersecurity risk management services are comprehensive, thorough, and continually updated to meet emerging threats. Each cybersecurity program we create is designed to comply with state and federal data security laws by using current best practices to protect your information.
- Testing systems and devices to ensure secure configurations by simulating actual attacks.
- Review of network configuration and anti-virus and anti-spyware deployment, including a security evaluation of wireless networks.
- Testing of the physical security and controls in your environment to ensure the security of your personnel and systems.
- Controlled and documented testing of your staff to determine whether they are adequately trained to recognize common attack methods such as phishing emails. Includes a dedicated Learning Management System (LMS) to track staff participation and identify likely clickers, periodic phish testing, and remediation. We also offer digital security workshops to raise awareness of each employee's personal responsibility in preventing cyberattacks, phishing and malware intrusions.
- Incident response: identify, isolate, investigate and remediate an incident or threat.
In most states, privacy laws require the safeguarding of personal information about any resident of the state, including your customers, your employees and any vendor whose information may be stored on your systems. In some states this means that every business that maintains such data must have a WISP in place to protect that information. A WISP spells out the administrative, technical and physical safeguards by which an organization protects the personally identifiable information it stores. When regulators or prosecutors investigate a breach, having a WISP in place demonstrates a commitment to meeting security requirements.
Does your growing business lack dedicated cyber security personnel? We can help! Our virtual Chief Information Security Officer (CISO) services present an affordable option for your organization to gain direct access to the diverse and extensive knowledge of information security professionals.
Documentation, training and testing to help ensure your cybersecurity plan and procedures align with state, federal and international data security laws and regulations.