It’s that time of year again. As 2017 comes rapidly to an end, businesses should be considering potential resolutions for improving their security practices in the coming year. Here are six action items that have the potential to substantially increase a business’ overall cybersecurity.
I am not suggesting that every business pursue each action item, but every business should at least consider efforts in these areas.
1. Take inventory on information assets
While it seems entirely fundamental, very few businesses, regardless of size and sophistication, have an accurate map or inventory of their information assets. Unfortunately, without an accurate inventory, it is impossible to be confident that assets are adequately protected. That is, you cannot protect assets if you don’t know where they exist, or if they exist at all. Take time in the coming year to create or update your inventory, at least of your key information assets, and then review existing security protocols, procedures and policies to ensure those assets are protected.
2. Improve employee training
The old adage of “an ounce of prevention…” could not be more appropriate when it comes to employee cybersecurity training. It is generally agreed upon that employee training is one of the best means of improving overall security for an organization. It is also generally agreed upon, particularly in light of the numerous breaches that have occurred over the past year, that user errors are one of the primary sources of compromises. In the coming year, think of quality, not quantity, of training. Explore means of better communicating cybersecurity issues to your personnel. Take a look at my previous post that discusses possible approaches to employee training here.
3. Tune up vendor and business partner agreement practices
The likelihood of a cybersecurity breach by “insiders” to the business cannot be overstated. Business partners and vendors who have access to company systems and their data, particularly cloud providers, present one of the greatest risks to information security. Take time to assess your current contracting practices to ensure your form agreements include appropriate, detailed provisions regarding information security and legal compliance. Ensure those provisions are supplemented with pre-contract due diligence to ensure the business partners’ and vendors’ security practices are consistent with your own, that the partners and vendors have not had prior breaches, that they train their own personnel well, that they have well-documented security policies, etc.
4. Revisit existing vendor and business partner agreements
Identify your key existing vendor and business partner agreements, assess the risks presented by those contracts and consider appropriate action to take when those agreements become eligible for renewal. Renegotiate problematic contracts to provide better data protections. If the vendor or business partner is unwilling to offer those protections, look for potential replacement vendors or identify other means of mitigating risk (e.g., the use of encryption).
5. Review and update security policies
If you have not assessed the currency of your security policies in the last year, plan a full review for the coming year. An assessment of existing policies is particularly useful following an inventory of information assets, as discussed above. In any event, facilities and systems change, industry practices evolve and new legal requirements may have issued. Review and update your security policies to ensure they keep pace with these changes.
6. Conduct an audit or update existing audits
Finally, if you have not conducted a third-party audit of your systems and facilities in the last year, consider next year as the perfect time to conduct your first audit or an update to your last audit. Audits can help reset security programs by identifying new vulnerabilities and, potentially, previously known vulnerabilities that have not been mitigated. Audit results are also very useful in updating corporate security policies.
Including one or more of the foregoing action items in your plans for the new year will achieve several ends. First and foremost, they are proven means for increasing overall information security. Second, they will decrease potential liability of the company. Third, if a breach should occur, these efforts are extremely effective in showing your company has acted reasonably to protect its data and systems, which is what governmental regulators first look for when assessing whether to pursue actions against businesses.
[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]