I travel around helping businesses, both large and small, work on assessing their cybersecurity risks and implement measures to protect data, reduce risk and comply with applicable state and federal laws. In doing so, it is obvious that all businesses are struggling with managing data risks, and the time, resources and tools necessary to combat the risks are daunting.
This is particularly true for small businesses, which don’t have the same resources to devote to the problem. Nonetheless, there are measures small (and all) companies can take to reduce their risks.
Here is a general list of measures for a starting point. This is not an exhaustive list, but is a basic list to help you start. Many companies feel overwhelmed with the prospect of starting a data privacy and security program. My attitude is that you have to start somewhere, take baby steps, and keep plugging along. The process is never “done,” so make a commitment to start the process. Hopefully, this list will help you get motivated to do so:
- Map your high risk data, such as Social Security numbers, drivers’ licenses, financial information, and health and insurance information. Know where your high risk data lives in both paper and electronic form so you can make protecting your highest risk data your first priority
- Conduct a security risk assessment to identify any vulnerabilities
- Implement at least minimum security measures, including (but not limited to) a firewall, two-factor authentication, encryption, anti-virus and anti-malware software, password procedures (see previous blog posts about password tips here and here), an evaluated Bring Your Own Device program, and a vulnerability patch system so patches are applied in a timely manner
- Put in place the policies that are legally required (limit what you call a “policy”) and the procedures (such as a Written Information Security Program) that comply with legal requirements or that set expectations and give guidance to your employees on how you expect them to use company assets
- Make the policies and procedures understandable and available to employees
- Educate your employees on data privacy and security, including phishing and spear phishing and what their responsibilities are in helping the company protect its data. Encourage employees to be data stewards of the company
- Make the employee education interesting and creative and bring them into the conversation so they feel engaged
- Map the vendors that have access to high risk data and enter into contracts with them that spell out the security measures those vendors and their subcontractors are required to put in place to protect your data
- Consider questioning high risk vendors directly on security measures that they have in place to protect your data
- Develop an incident response plan and team and a breach notification program
- Consider obtaining cyber liability insurance
- Put a Data Privacy and Security Team in place
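The first item on the list, mapping where high risk data actually sits in electronic form, is the one most small businesses can start on immediately with a simple discovery scan. The following is an added example, not code from the original post: it walks a directory, looks for patterns typical of Social Security numbers and payment card numbers, validates card candidates with the Luhn checksum to reduce false positives, and reports counts per file without echoing the matched values. The directory layout, file names and sample contents are constructed for illustration.

```python
"""Minimal high-risk-data discovery scanner (added example, not from the
original post). Directory names and sample contents are constructed."""
import os
import re
import tempfile
from collections import Counter

# SSN in 3-2-4 form; exclude area 000/666/9xx, group 00 and serial 0000,
# which are never issued, to cut obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count high-risk data types found in a piece of text.
    Only categories with at least one finding appear in the result."""
    found = Counter()
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        found["ssn"] = ssn_count
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"] += 1
    return found


def scan_directory(root: str, max_bytes: int = 5_000_000) -> dict:
    """Map each file under root (relative path) to its counts of high-risk
    data types. Files with no findings are omitted; unreadable files are
    skipped and binary content is decoded leniently."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)
            except OSError:
                continue
            counts = classify_text(raw.decode("utf-8", errors="ignore"))
            if counts:
                report[os.path.relpath(path, root)] = dict(counts)
    return report


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="datamap_")
    samples = {  # constructed sample files; the card numbers are test values
        "hr/onboarding.txt": "Employee SSN 123-45-6789 and backup contact.\n",
        "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n"
                               "1002,4111-1111-1111-1112\n",
        "marketing/notes.txt": "Campaign call 555-12-0000, no real data here.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_directory(root)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(f"{path}: {counts}")
```

The report deliberately records only counts and locations, not the values themselves, so the output of the scan is not itself a new copy of high risk data. In the sample tree the refunds file contains two card-shaped strings but only one passes the Luhn check, and the marketing note contains a 3-2-4 number with an impossible serial, so neither false positive is reported.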
This list is a high level starting point, designed as a basic checklist for small businesses to consider when starting a risk management program around data privacy and security. If you haven’t started a program, hopefully this will help you get off the ground.