How to Build a Cybersecurity Plan

If you think your business is too small or insignificant to tempt a cybercriminal, think again. They are not always seeking money, although if they secure your banking information it’s a welcome bonus. Hackers want information, such as customer names and contact information.

What follows is our framework for developing a comprehensive and effective cybersecurity plan that will keep your business safe and efficient.

I. Gather Data

Collect any information that would damage your business, clients and/or employees if it became public.

This includes:

  • Customer Data - account records, transaction accountability and financial information, contact and address information, purchasing history, buying habits and preferences.

  • Employee Information - payroll files, direct payroll account bank information, Social Security numbers, home addresses and phone numbers, work and personal email addresses.

  • Company Information - company financial records, marketing plans, product designs, and federal and state tax records.

II. Establish a Privacy Policy

Privacy is important for your business and your customers. A privacy policy is a pledge to customers that their information remains safeguarded under your care. 

A privacy policy starts with a simple and clear statement describing the information collected from customers (physical address, email addresses, browsing history, etc.)  and how the company will use it, share it or sell it.

At a minimum, a privacy policy should address the following types of data:

III. Establish Data Classifications

Group data according to sensitivity level and determine appropriate protection for each. 

Common data classifications include: 

  • Highly Confidential. Information that is intended for use within the company and unauthorized disclosure will seriously impact the company's owners, business partners, vendors and/or customers. It includes Personally Identifiable Information (PII), customer information and/or personal health information.

  • Sensitive. Information considered private, such as employee evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and/or email marketing lists. 

  • Internal Use Only. This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within the company. This includes information supplied to you for new business pitches and information gathered about competition and clients. 

IV. Plan for Unexpected Data Loss or Theft

Even with the tightest security, best practices and policies, data attacks occur every day. Loss or theft of data can hurt your bottom line in more ways than one. Not only does it result in loss of consumer confidence, it can also expose you to litigation risk.

That’s why it’s critical to understand exactly which data or security breach regulations apply to your business and how prepared you are to respond to them.

Here are some resources to help you determine applicable laws and how to adhere to them.

  • The Online Trust Alliance maintains a comprehensive guide to understand and prepare for data breaches.

  • The Federal Trade Commission maintains material to help small businesses secure data in their care and protect their customers’ privacy, including an interactive video tutorial.

Our team is constantly testing to identify the latest security challenges, changes and best practices to keep you safe and informed. We are always ready to assist you by phone, chat or email.
