Any company that holds sensitive data, whether personal information about its employees or confidential customer or supplier information, is exposed to cyber risks. The consequences are numerous: penalties for violating information protection laws and regulations, or damages claims, following the unauthorized disclosure or use of information; loss of productivity (a denial of service attack, or blocked access to the Internet or to the company network); a one-time financial loss (a ransom payment); ongoing financial losses (business interruption caused by blocked access or by data destruction). So how can we protect ourselves against these risks?
Of course, the nature and extent of the protection varies from one company to another, depending on its size and the nature of its activities. However, there are three components that belong in any good policy on this subject:
1. Best Practices
- Train and inform employees about the safe use of e-mail and social networks, and how to recognize phishing e-mails, ransomware and other malware;
- Develop a written plan for information security;
- Have a formal continuity plan;
- Establish written authorization and authentication procedures for electronic funds transfers (for example, a second person's approval above a set amount, and verification by telephone call-back of any request to change a payee's bank details, since fraudulent payment instructions typically arrive by e-mail);
- Implement access control based on each employee's function (the least-privilege principle), so that no employee has unnecessary access to sensitive data;
- Modify or revoke access immediately when an employee changes jobs or leaves the company;
- Establish a formal password management procedure (minimum length and complexity, no reuse of the same password across systems, use of a password manager, and an immediate change whenever a compromise is suspected);
- Have a risk assessment carried out by a recognized firm that can identify gaps, make recommendations on practices and conduct periodic audits.
2. IT Security
- Antivirus software, kept up to date, on every workstation and server;
- A firewall;
- Encrypted, password-protected wireless network access (WPA2 or WPA3; never an open network);
- Encryption of the data stored on servers and laptops (full-disk encryption, so that a stolen laptop does not mean stolen data);
- Periodic backups, tested by actually restoring from them, with at least one copy kept offline or otherwise isolated from the network so that ransomware cannot encrypt the backups along with the originals;
- Implement two-factor authentication (e.g. password plus smart card, or password plus biometrics), in particular for e-mail, remote access and administrative accounts.
3. Physical Protection
- Lock the premises at all times and restrict access with smart cards or a biometric access system;
- Protect the premises by an alarm system connected to a remote monitoring centre;
- Provide the server room with a gas fire suppression system;
- Keep backup media outside the premises, in a place protected against theft and fire;
- Fit laptops with a locking device (a cable lock) whenever they are left unattended.
Of course, it is impossible to cover the subject exhaustively in a column such as this one. A computer security consultant, however, can help you establish a program suited to your needs.
Would you rather assume that you are not vulnerable and accept these risks? Privacy laws and regulations may change your mind.
Stay tuned, this will be the subject of the next chronicle.