By Sue Ostrowski
If the technology at your business should fail—whether as the result of a natural disaster, fire, or fraudulent activity—do you have a plan in place to help you recover quickly and sustain business operations?
Don Boian, cybersecurity outreach director at Huntington, says almost every business today is dependent on some form of IT infrastructure, even if that is just to have a website that posts a company’s hours and address.
“That’s been the case for a while now, but the pandemic has really brought out the fact that the electronic side of things is so incredibly important,” he says. Especially with so many businesses allowing employees to work remotely, “there are not many things we as humans do that isn’t plugged in to some IT system or isn’t online.”
Preparing for a technology failure
According to the National Institute of Standards and Technology, it is critical to create a plan that includes five pillars†:
- Identify. What sensitive data do you have, and what data do you need to protect? If you outsource any aspect of your business, who do you share data with, and how is that protected? If you have employees, you’re also obligated to protect their data, such as healthcare information, and bank account information for direct deposit of paychecks. Take an inventory of what systems you have. Knowing what computers, devices, and software you have is important in the case of disaster for insurance purposes, and when a company announces a security issue in an operating system or application you may use.
- Protect. Back up your data, train employees on safety issues, and integrate email security best practices. Employee education is one of the simplest ways to build a culture that prioritizes cybersecurity. It’s also important to keep operating systems and applications on the most recent version and patch when those become available.
- Detect. Set up systems to detect an intrusion into your system and integrate checks and balances into all processes. Also, ensure anti-virus, endpoint encryption, and data loss prevention software are up to date. A business continuity plan and a communication plan are critical, says Boian. Periodically, review your business continuity and resiliency plans, and know the answers to questions such as:
- What happens if malware gets on computers?
- What if there is a ransomware demand?
- What if there is another situation where everyone must work from home?
- Respond. When a crisis emerges, it’s important to revisit the plans you created—and practiced—to respond strategically in addition to reacting to the current situation. “No plan survives first contact with the enemy, and you will never have a plan that perfectly fits whatever malfeasance comes to you,” says Boian. “But having a plan in place will benefit you a lot and ensure your business can continue.”
- Recover. In addition to addressing the technology component, in the instance of a data breach, what is your communication plan for when the media comes calling? Cybersecurity liability insurance can also help ensure your business survives. Under a cybersecurity liability policy, in the event of a technology failure, experts will come in to help you get your business back up and running.
Once you’ve created a plan and are confident it covers every contingency, the final step is to bring in an outside expert to conduct an audit of your plan.
“Even if you think you did a great job, have someone do an audit,” says Boian. “It’s rare to pass an audit with flying colors, and they will give you a lot of things to improve on.”
Keeping it safe
To keep technology functioning and your company running smoothly, Boian recommends the following:
- Put appropriate cybersecurity practices in place, such as keeping your operating system up to date and applying patches as they become available.
- Educate your employees. Teach them about phishing scams and warn them against clicking on links from unknown sources. “If you haven’t done that, even buying a multimillion-dollar protection system won’t help you,” says Boian. “Your employees can be the weakest link.”
- Encourage your employees to use unique passwords. People often use passwords that are associated with multiple accounts, says Boian. Create strong passwords, unique to each account, and use a password manager to reduce your risk of vulnerability.
“Cybersecurity is risk management,” says Boian. “You can’t eliminate the risk, but you can manage it. And if you can manage it correctly, you can minimize the risk of being a victim.”
For more information on managing risk to your company’s technology, reach out to your Relationship Manager.