Cerkl’s Advice for National Cybersecurity Awareness Month
Observed every October, National Cybersecurity Awareness Month (NCSAM) aims to provide every individual with the knowledge and resources to stay safe and secure online. It’s no surprise that this year is special as we adapt to a new normal with technology. NCSAM wanted to emphasize that change in this year’s theme: “Do Your Part. #BeCyberSmart”.
We now live in a “work-from-home economy” that is likely to continue long past coronavirus, with 42 percent of the U.S. labor force now working from home full-time. Many employees are no longer inside company walls, so what does it mean for information security and data protection? We turned to our CTO expert Joe with some questions and need-to-know tips.
Q: Why do we need to worry about information security?
At its core, information security protects all sensitive information. Cyberattacks continue to grow, with digital incidents now costing an average of $200,000 for companies of all sizes. Knowing the risk, companies focus incredible resources to protect sensitive information such as personally identifiable information (PII), which refers to any information that can be used to distinguish or trace an individual’s identity, including:
- IP address
- Social security number
- Email address, and more
This sensitive information is significant, and it is crucial that it be protected. Every employee needs to do their part to protect PII. If accessed by the wrong individual or group, it can prove damaging to the parties whose information is acquired. In fact, 60 percent of small businesses fold within 6 months of a cyberattack.
Q: What are the biggest cybersecurity threats right now?
With the pandemic, the workforce has shifted into a more distributed environment, with most employees connecting remotely. This can be a huge threat to cybersecurity if not treated with the proper precautions.
With employees now at home, there is a chance they could be operating outside of corporate networks and firewalls. According to a security research survey, 37% of employees working remotely from home have faced an increased risk of phishing attacks in the past 5 months post-outbreak. With these attacks, employees are exposed to leaking sensitive information such as usernames, passwords, and credit card information. As the attacks increase, employees need to understand your company’s security practices and measures to prevent them from being suspect and save yourself from damage control.
Q: What are our clients’ biggest concerns?
As a software company building a modern employee communications experience for small companies to large, global enterprises, security is very important to us.
Here at Cerkl, we manage highly sensitive information, and we must prove to our clients that we have the proper security and data regulations in place. When it comes to our clients’ concerns, they typically ask to understand how information security relates to their use of the Cerkl Broadcast platform. Specifically, they ask what control we have over the availability, integrity, and confidentiality of their information.
Additionally, our clients want to make sure we have identified potential risks and have taken appropriate action to mitigate those risks. When addressing this with clients, having a solid Security Incident Response Policy can be monumental and help solidify client trust. This ensures we have the ability to meet all of our contractual obligations while also keeping their data secure.
Q: Generally speaking, what are the essentials for employee cybersecurity training?
Following this year’s NCSAM theme, “Do Your Part,” it is imperative that companies train every employee on all security policies. This ensures that all employees are on the same page, reduces risks and incidents, and helps the entire workforce protect the organization. Topics that should be covered at your company’s security training include:
- Overall company security
- Threats to information systems
- Safe computing
- Data Security, privacy, and disposal
- Mobile and remote security
- Physical security
Company security practices should be transparent, and employees should go through training annually (at a minimum) to address new security concerns and threats while being reminded of proper practices.
Q: What are some of the best practices for creating a solid Security Incident Response Policy?
Having a Security Incident Response Policy is a critical part of a successful security program. The policy’s purpose is to create a structured approach for a company to immediately document and report security incidents.
Companies with a strong Security Incident Response Policy plan are able to establish and test clear measures to reduce the impact of a breach from external and internal threats. The report becomes a living document used to detail the incident, actions taken, mitigation steps, and any other follow-on activities required once the incident has been resolved. Unforeseen events you may need a Security Incident Report for include:
- Loss or compromise
- Suspected compromise
- Suspicious contact
- Activity involving systems accredited to process sensitive information, and more
To take this a step further, I suggest that companies develop a communication plan for notifying any impacted parties. A Security Incident Response Policy Communications Plan details what the company communicates, when the company should communicate, who the company should communicate with, and questions that may be asked.
Having a proactive cybersecurity communications plan prior to any unforeseen event places companies in a good position to handle cybersecurity concerns or incidents.
Q: How do CTOs like yourself ensure companies are keeping pace with new developments and standards?
Information security is always evolving. CTOs need to stay updated with policies and procedures to ensure their companies align with the broader computing environment.
Here at Cerkl, we work with security vendors for network security hardware, third-party penetration testing, and SOC 2 compliance. In supplying these services, a consultative aspect supplies a level of expertise and security awareness.
I aim to leverage this expertise and awareness when reviewing company policies and procedures. To help keep up to date with information security’s current trends, emerging threats, and best practices, there are many cybersecurity newsletters and bulletins.
While the timeline of this new normal is uncertain, making sure your employees are up to date with your company’s compliance communications and security policies is crucial—your team just needs to make sure information security is given the proper time and care.