Cybersecurity and your business
Cybersecurity is important for every business, so here we tour some essential basics. Cybercrime has created a unique mix of criminal and civil issues that affect businesses and consumers, and the legal requirements are growing.
Cybersecurity is about people and their decisions
Every person in every organization makes decisions that affect cybersecurity and information technology (IT). Every computer user faces cybercrime attacks and decides how to respond and how to use their information assets, which include computer devices, data, online accounts, and networks.
Managers and leaders in a business make strategic decisions about IT and information security (IS), including what policies to implement, whether and how to train employees, who to hire, what products and services to buy, and the many other aspects of managing information assets and a business.
Because human decisions are the root of all issues, and because decisions are based on what we know, my first and most important pillar of cybersecurity is to improve knowledge and awareness.
Decisions are made to manage risks and to plan
People, managers, and leaders should make good decisions to plan and manage risks. Easier said than done, but still a foundational principle.
Cybersecurity and information management are not purely technical issues, nor are they something that can be completely outsourced and delegated.
Every organization must manage and take responsibility for its information assets. Once it starts to tackle this task, it will find empowerment and see that the benefits include business efficiency, protection from cybercrime, disaster resilience, and legal compliance.
Risk surrounds us everywhere, and we should work to manage it effectively while realizing that we cannot eliminate all risk. Risks include cybercrime, natural disasters, legal non-compliance, and business failure, and the key is deciding how to manage and prioritize them. As we plan, we consider how we can improve the business and its use of computers, data, and communication.
This planning helps us manage and lead the business. As Benjamin Franklin and Winston Churchill have indicated, if we fail to plan, then we are planning to fail.
Internal policies
Organizations should have an internal policy establishing company rules on cybersecurity. This written document, if properly written, implemented, and followed, is the single highest-priority measure for cybersecurity and will address many important cybersecurity issues. These good internal rules also protect against cybercrime, including the three priority threats of data breach, ransomware, and email-based fraud.
Three cybersecurity objectives and three types of controls
Cybersecurity has three objectives, which are:
- Confidentiality (keeping certain data confidential)
- Integrity (preventing unauthorized changes to data)
- Availability (keeping information systems available for use).
To achieve these objectives, there are three main types of safeguards (controls) that can be applied to systems to protect them:
- Physical (such as doors, locks, gates)
- Administrative (rules, policies, and training)
- Technical (firewalls, anti-malware, and all the other “techie” things related to cybersecurity).
The five components for business policies and internal rules
Businesses building their cybersecurity program will create written internal rules, including policies and procedures. To aid this process, consider using my Five Components for Policy Work concept, which involves evaluating:
- Mission and business needs
- Laws and regulations (external rules)
- Guidance
- Practices (current and desired)
- Internal rules and policies (current and desired).
Mission comes first, because that is why the business exists in the first place. Laws and regulations are important because they create legal duties, and well-managed, long-lasting companies stay in compliance with them.
Guidance is non-binding information that helps the organization shape its cybersecurity program and create plans and policies. With a nearly infinite supply of guidance available, the key is finding quality guidance and properly adapting it. Cybersecurity frameworks are a form of guidance, but many are quite complex, so my Four Pillars of Cybersecurity provides an intuitive on-ramp for organizations getting started, while my sample cybersecurity policy is an effective way to implement it.
Finally, we need to take an honest look at what our organization does and what we want to do. Our policies are a tool to shape that.
Conclusion
If you didn't know cybersecurity was about people and the decisions they make, now you know.
Cybersecurity is primarily a people challenge; technical issues are just some of the choices we need to work on. Improved cybersecurity is a mechanism to protect and improve the organization and how it governs its information assets. You can learn more about cybersecurity here.