How, and Where, to Start Implementing a Cybersecurity Program

How to Start an Information Security Program

If you own or manage a small or medium-sized business that doesn't have a cybersecurity program, you are running an avoidable risk. But it's not necessarily your fault. Cybersecurity can be difficult to understand, and because of time or budget constraints it's not always a top priority.

It is easy to believe that as a small or medium-sized company you are too small to warrant the attention of cyber criminals. In practice, criminals actively target this segment precisely because such businesses are assumed to have weaker defences and are therefore easier to compromise than larger companies.

Security risks and their impact on your assets

If you were asked to list every asset your company has that could be affected by a security incident, could you name them all? If you were asked to outline the risks to each of those assets, could you? Does your company have any measures in place to mitigate or reduce those risks?

You may be able to answer some of these questions, or answer them partially, but having a complete picture of your company's assets and the risks to them is step one of your program.

The first question you may have is "how do I evaluate my assets?" There are several ways to measure them; we recommend using cost. Ask how much an asset would be worth if it were completely lost: the cost to replace or restore it, plus the financial impact on the business while it is unavailable.

If you have never conducted a risk assessment, you need to. It will show you where you are covered and where you aren't. Here are some quick tips to get started:

  • Determine what assets you need to secure; this is usually anything of value managed or owned by your organization, and each one should have a named owner.
  • Identify the threats and risks that could affect those assets or your business overall, and estimate how likely and how costly each is.
  • Identify the mitigations you already have in place, and those you should add, to deal with those threats and secure the assets.
  • Monitor your assets so that a breach is detected and contained quickly rather than discovered months later.
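The steps above can be recorded in a simple risk register that ranks risks by expected annual loss and shows which planned control pays for itself. The following is an added example, not code from the original article; it assumes the standard annualised-loss-expectancy (ALE) model, which the article does not name: ALE = asset value (cost of total loss) × fraction of the asset lost per incident × expected incidents per year. Every asset, threat, figure and mitigation effect in it is constructed for illustration.

```python
# Added example: a small quantitative risk register for a first risk
# assessment. Not code from the original article. It assumes the ALE model
# (value x exposure x likelihood), which the article does not name, and all
# sample assets, threats, figures and mitigation effects are constructed.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str      # who answers for it; "nobody" is itself a finding
    value: float    # cost to the business if it were completely lost


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # 0..1: fraction of incidents it stops
    impact_reduction: float = 0.0       # 0..1: fraction of the loss it avoids
    in_place: bool = False              # already deployed, or only planned?


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: float       # expected incidents per year
    exposure: float         # fraction of asset value lost per incident
    mitigations: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Expected annual loss with no controls at all."""
        return self.asset.value * self.exposure * self.likelihood

    def residual_ale(self, extra=()) -> float:
        """Expected annual loss given the controls already in place,
        plus any `extra` mitigations being evaluated as candidates."""
        active = [m for m in self.mitigations if m.in_place] + list(extra)
        lik, exp = self.likelihood, self.exposure
        for m in active:
            lik *= 1.0 - m.likelihood_reduction
            exp *= 1.0 - m.impact_reduction
        return self.asset.value * exp * lik


def rank_risks(risks):
    """Highest residual expected loss first: that is where to spend next."""
    return sorted(risks, key=lambda r: r.residual_ale(), reverse=True)


def coverage_gaps(risks):
    """Risks with nothing deployed against them (the 'where you aren't covered' list)."""
    return [r for r in risks if not any(m.in_place for m in r.mitigations)]


def mitigation_net_benefit(risk, mitigation) -> float:
    """Annual loss avoided by adding `mitigation`, minus its annual cost.
    Positive means the control pays for itself on this one risk alone."""
    avoided = risk.residual_ale() - risk.residual_ale(extra=[mitigation])
    return avoided - mitigation.annual_cost


# --- constructed sample data (not real figures) -----------------------------
CUSTOMER_DB = Asset("customer database", "operations lead", 250_000)
LAPTOPS = Asset("staff laptops (fleet)", "office manager", 20_000)
WEBSITE = Asset("public website", "marketing", 60_000)

BACKUPS = Mitigation("offline backups", 1_200, impact_reduction=0.75, in_place=True)
PHISH_TRAINING = Mitigation("phishing awareness training", 2_000, likelihood_reduction=0.4)
DISK_ENCRYPTION = Mitigation("full-disk encryption", 500, impact_reduction=0.9)
DDOS_FILTERING = Mitigation("CDN with DDoS filtering", 1_800, likelihood_reduction=0.5, in_place=True)

RISKS = [
    Risk(CUSTOMER_DB, "ransomware delivered by phishing", likelihood=0.5, exposure=0.8,
         mitigations=[BACKUPS, PHISH_TRAINING]),
    Risk(LAPTOPS, "theft of an unencrypted laptop", likelihood=0.2, exposure=1.0,
         mitigations=[DISK_ENCRYPTION]),
    Risk(WEBSITE, "denial of service outage", likelihood=1.0, exposure=0.1,
         mitigations=[DDOS_FILTERING]),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.asset.name:24} {r.threat:34} inherent {r.inherent_ale():>9,.0f}"
              f"  residual {r.residual_ale():>9,.0f}")
    print("uncovered:", [r.threat for r in coverage_gaps(RISKS)])
    for r, m in ((RISKS[0], PHISH_TRAINING), (RISKS[1], DISK_ENCRYPTION)):
        print(f"{m.name}: net benefit {mitigation_net_benefit(r, m):,.0f}/yr")
```

The likelihood and exposure figures are the hard part in practice; a first pass uses coarse estimates (say 0.1, 0.5, 1.0 incidents a year) and is refined as incidents and near-misses are recorded. The point of the register is the ranking and the gap list, not the precision of the numbers.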

Security Awareness

Keeping up with the latest security and technological developments can seem like a full-time job in itself. A good first step is developing an internal awareness program within your own company.

An awareness program is a key way of keeping you and your employees informed about cybersecurity best practices, and it doesn't have to be complicated.

It can start with a simple training session for staff on what they should do and what they should watch for. Over time this can be built on and updated to cover new threats, reminders about policies and standards, and current best practices. Your security awareness plan can include a regularly scheduled meeting or one-on-one reviews to revisit the security measures your business already has in place.

Choosing simple topics that can be covered concisely will keep your team focused and not waste anyone's time. Hold a short weekly session on relevant topics such as email security, including how to recognise spam and phishing messages and what to do with them. After a few weeks, check whether your employees have actually adopted the advice, and follow up by email with further tips where they haven't.

For a full, comprehensive breakdown of implementing a cybersecurity program, check out our video here. It's a 20-minute lesson that covers the basics you need to know to get started.