1. Conduct internal compliance and risk assessments to determine your organisation’s vulnerability to cyber-attacks. In other words, know what you need to protect and what threats you need to protect it from.
2. Develop and implement the corporate policies, procedures and management systems required for compliance with best practices and with privacy and data protection regulations.
This article was written by Steve Dance, who is the managing partner of RiskCentric.
RiskCentric provide automated management systems, education and awareness management solutions for business continuity, cyber security, regulatory and standards compliance.
3. Establish secure data backup processes so that, even while your company is under attack, important company records remain intact and can be restored.
4. Establish company-wide capabilities, processes and protocols to respond to and deal with common forms of cyber-attack (denial of service, etc.).
5. Make certain the CEO and executive leadership are properly informed about the cyber risks to your company and that they’re involved in oversight and the decision-making process related both to cyber-attacks and proactive cybersecurity measures.
6. Ensure that funding of the cyber security programme is adequate to cover not only routine compliance measures but also proactive testing and probing of systems.
7. Store sensitive information securely (encrypting it where appropriate) and segregated from other data that does not require the same level of protection. Use a layered defence approach to protect "crown jewel" information.
8. Conduct appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information. Require them to enter into agreements committing them to robust data security procedures, and follow up to verify that these requirements are in fact implemented.
9. Assess how your company's externally exposed access points (website, VPNs, remote access, and so forth) are configured, so as to minimise the risk of intrusion, and audit, test and probe them regularly to address newly identified risks.
10. Perform regular, company-wide training to ensure that all staff are aware of and adhere to information security policies and procedures.