Ransomware continues to rise and is getting increased national attention. Even if you are not a large pipeline or meat-packing plant, do not be fooled into thinking this is unlikely to affect your business.
Correspondingly, businesses of all sizes are adding cyber-security coverage to their general business liability insurance. And as a direct result, more of your vendors, clients and potential clients will ask you to complete a security audit questionnaire. You may find yourself scrambling to meet one or more security requirements to avoid being disqualified from lucrative new business. It is more important than ever that you choose an IT vendor who can proactively ensure their clients can meet and exceed security audit requirements.
Vetting Your Vendors
The most common way cybercriminals gain access to data is from human error. In addition to training your internal staff, it is important to ensure your vendors and subcontractors are following cybersecurity best practices. If your vendor or client is asking you to complete a security audit questionnaire, you likely need to consider your downstream vendors as part of this process.
Before you need to respond to an audit, create a policy and checklist to vet your existing vendors, and make a habit of checking credentials any time you select a new vendor in the future. If you are interviewing different vendors, and some are not able to easily respond to security questions while others are able to do so, this is a good indicator on which candidates are worthy of consideration.
A first step is assigning a Security Officer. Next work on policies and procedures that are common for most compliance standards, including:
- Comprehensive Security Policy
- Incidence Response Management Plan
- Data Protection & Data Classification
- Access Management
- Business Continuity Plan
- Disaster Recovery Plan
- Risk Assessment and Gap Analysis
The policy documentation is one of the most time-consuming components to compliance. Plan time to work on and update your policies on an ongoing basis.
Implement Key Cybersecurity Protocols
Each cybersecurity compliance framework will have more detailed and specific requirements. Any of these compliance standards, including NIST, CMMC, or HIPAA will require the basics be covered.
- Business-grade anti-virus and anti-malware on all desktops, laptops and servers
- Ensure that all workstations and servers are fully patched and running supported operating systems
- All external network gateways are protected by a business-grade firewall with comprehensive security subscriptions including intrusion prevention
- All critical data is backed up with recovery time settings that meet your risk analysis. Test restores are done regularly to ensure your backups are working properly
- All workstations, laptops, servers, portable devices, and removable storage media containing personally identifiable information are encrypted, and are properly wiped before disposal
- Implement a security awareness training program for your employees
- Use a password manager, strong passwords, and multi-factor authentication
Plan Sufficient Time to Respond
If you need to respond to a cybersecurity or compliance audit, do not wait until the deadline approaches to start preparing. Give your team members sufficient notice and check in on a regular basis as the deadline approaches to ensure success. Even if you have all of the necessary security policies and standards in place, it takes time to respond to the request and provide adequate documentation.
If you or your clients must meet stringent compliance standards (e.g., defense contractors, government entities, technology sector companies, healthcare), you may be required to implement advanced security measures such as:
- Specialized Microsoft 365 hosted email plans such as GCC
- Security Operations Center (SOC) or Security Information and Event Management (SIEM), which adds real-time analysis by security teams for suspicious files or events
- Secure send, metadata removal and data loss prevention (DLP) functionality for email
Your information security plan is never finished. Proper risk management will inspect the likelihood of a breach from various scenarios and prioritize gaps accordingly. Schedule time, at least annually, to reevaluate and improve your cybersecurity plan.