6 Actions Businesses Should Take During Cyber Security Awareness Month

October is National Cyber Security Awareness Month. It would seem the breaches announced virtually every day of this month so far were orchestrated to highlight the need for organizations to beef up their information security efforts and improve their controls.

Sadly, cyber incidents seem instead to have become de rigueur these days. Consumers are getting fed up, and government agencies are proposing more laws. The tide is turning, and soon organizations will be held accountable for protecting their systems and information more effectively, or they will likely face much steeper fines and penalties than ever before. So, now’s the time to take action! Here are six actions you can take this month to start improving your organization’s information security program and associated efforts.

1. Review your authentication methods.

When was the last time you updated the way your legacy and older systems and applications authenticate user accounts? Do you still rely on just a password, one that isn’t even required to be strong? Do you engineer new systems and applications using these same weak methods? Now is the time to improve your authentication methods.

TO DO: Implement two-step authentication wherever possible and require strong passwords.

2. Apply security updates to all your systems and applications.

Are you up to date with all your security patches and system updates? Cyber crooks look for systems that have old vulnerabilities. Plus, those vulnerabilities can allow bad things to happen as a result of mistakes and interactions with other applications and systems. You are a digital sitting duck if you don’t stay on top of security updates. Case in point: have you updated your OpenSSL to remove the Heartbleed vulnerability? Do it now!

TO DO: Update your systems to the most recent version and apply all appropriate security patches available. 
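A quick check for the OpenSSL case mentioned above, as an added example that is not part of the original post: it classifies the output of `openssl version` against the Heartbleed (CVE-2014-0160) affected release range. The function name `heartbleed_status` is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an OpenSSL
# version string falls in the Heartbleed (CVE-2014-0160) affected range.
# Affected releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g.
# Caveat: distribution vendors often backport the fix without changing the
# version string (a patched build can still report 1.0.1e), so a version-only
# check can produce false positives; confirm with the package changelog.
heartbleed_status() {
    # $1 is the full "openssl version" line, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    # Take the second whitespace-separated field as the version tag.
    ver=${1#* }
    ver=${ver%% *}
    case "$ver" in
        # exact 1.0.1, letter releases a-f, their -fips variants, and 1.0.2-beta1
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo "affected" ;;
        *) echo "not-affected" ;;
    esac
}

# When run directly, check the locally installed binary (skipped if absent).
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    echo "$line: $(heartbleed_status "$line")"
fi
```

Run it on each host during the patch review; any "affected" result on a vendor-patched build still needs the changelog check described in the comments.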

3. Give your personnel training and awareness communications.

People are not born with an innate sense of how to secure information. Your information security and privacy policies, and the related work activity information they need, are not transmitted to them through osmosis. Too bad the majority of business leaders seem not to realize this, given the abysmal lack of good information security and privacy training and awareness communications within organizations. You must provide effective training as well as ongoing awareness communications so your personnel know how to incorporate effective information protection practices into their daily job activities. Just consider this: one recent study found that 57% of privacy breaches are caused by insiders, most of whom simply made mistakes or did things without knowing that they would put information at risk. These could have been prevented with good education.

TO DO: Give good and effective information security and privacy training to ALL your employees, and send them ongoing reminders and other types of awareness communications.

4. Do a security and privacy audit.

Do you just assume that all your privacy and security controls are enough and working just fine? Do you assume that all security and privacy risks have been appropriately mitigated? If your answer is yes, is this because you have confidence following a recent (as in the past few months) risk assessment? If you’re making these assumptions based upon old risk assessments, or through blind trust in the absence of risk assessments, then you are putting your organization at great risk of becoming the next cybersecurity breach incident in the headlines. You need to do risk assessments regularly. The more time that has passed since the last risk assessment, the more the business has changed, and the more likely new risks have been created.

TO DO: Do regular information security and privacy risk assessments and mitigate the discovered risks appropriately.

5. Make your security and privacy practices transparent.

Do you have a privacy notice and information security policy posted on your website? Do they accurately reflect the current practices of your organization? Do your employees know what they say? Do their work activities support what the statements and policies say?

TO DO: Create a clear, accurate and easy-to-understand website privacy practices statement and information security policy. Keep them updated to reflect changes in your organization’s practices.

6. Find out what your contracted third parties are doing.

When you entrust contracted third parties with access to your data, all other forms of your information, and the associated systems and physical locations, you retain a level of responsibility for the actions of those third parties. Do they have an effective information security and privacy program in place? You need to vet your third parties and maintain a level of oversight of their security and privacy practices. If they have a privacy breach or security incident, you will ultimately be held responsible in some manner.

TO DO: Ask your third parties to provide you with the results of a recent risk assessment; if they don’t have a recent risk assessment report available, ask for at least a high-level one to get something started and to get quick results. Then establish ongoing oversight of your third parties’ information security and privacy practices.

Bottom line for organizations of all sizes…

These six actions are just the start of improving, or building, your information security and privacy program into one that is effective, comprehensive and up-to-date. And certainly every organization, of every size, in every location, in every industry, needs to have an effective, comprehensive information security and privacy program in place. Doing the six actions listed above will help you to see where you need to make improvements. Every month should really be Cyber Security Awareness Month for all organizations.


This post was brought to you by IBM for Midsize Business (http://goo.gl/t3fgW) and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.
