If your organization is ready to get your IT security on track, where do you start? Too little security opens up your organization to unnecessary risk and too much security interferes with productivity.
Here’s a five-phase checklist to help guide you through the process of launching your IT security program:
Phase 1: Choose a pre-prepared checklist or assessment
For an overview of cybersecurity best practices, download a few existing checklists and self-assessments. About 80% of the material in each checklist relates to the same information so don’t get too caught up in which assessment to use, just choose one that seems appropriate for your organization or industry. Some of the questions will be easy to answer and some won’t. If you don’t have an IT department, make sure the team working on the checklist genuinely enjoys IT and enjoys seeking information about it, possibly someone in your finance or operations departments. Here are a few checklists to review and use for your framework:
- ISO/IEC 27001 Self-Assessment Checklist
- Small Firm Cybersecurity Checklist
- COBIT 5 Self-Assessment Tool (create an account to download)
- FFIEC Cybersecurity Assessment Tool
For more in-depth guidelines, see materials from National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. Especially useful are the Cybersecurity Framework (website, table and explainer PDF) and Baldrige Cybersecurity Excellence Builder.
Phase 2: Gather input about your team’s priorities
Implementing every security control isn’t what you’re going for. You want to implement controls that protect your company from external and internal threats but don’t noticeably slow down your business. Survey your employees about their requirements, priorities, and ideas to find what will work best for your unique organization. Different employees will have different perspectives and the final decisions should be collaborative. Your organization’s strategy should satisfy the most number of needs while sacrificing the least.
- Work with a person from your finance or risk management department to develop a questionnaire that covers security and convenience issues in each area of your organization
- Compile information from everyone with a vested interest, from your sales department to your operations teams
- Invite your executive management and legal department to weigh in on setting priorities from the information you’ve gathered
Phase 3: Tackle the low-hanging fruit first
As you’re reviewing cybersecurity best practices, you’ll probably come across some improvements you can make without too much difficulty — be sure to make those changes right away. You will immediately improve your security posture compared to other companies (which makes you a less-attractive target) and having early successes in this process builds momentum. Examples include:
- Updating all devices with the most current operating systems and firmware
- Requiring multi-factor identification to access your system
- Encrypting your data
- Limiting access to data to those employees who need the data to do their work
- Making sure your backups are up-to-date and usable
- Signing up for online security awareness training for your employees (a critical, ongoing exercise)
Phase 4: Enlist the help of experts
Once you’ve tackled the basic improvements, bring in a third party to do a formal risk assessment. (If you’re struggling with completing the self-assessment or handling the low-hanging fruit, bring in the third party sooner.) Your IT risk assessment consultant will develop a set of security controls based on your specific business — your own customized checklist. And the resulting reports will identify the security gaps in your network and system. With accurate data about what’s really going on, you can make decisions that are best for your organization. The cost for this third-party service runs between a few thousand dollars to tens of thousands of dollars, depending on the complexity of your business and how much work you’ve already completed in the self-assessment.
- Choose a recommended consultant familiar with your industry
- Make sure the consultant includes pricing to fix security gaps once they’re identified
- Decide collaboratively among your leadership team what to fix and what to leave as-is and insure
Phase 5: Take a fresh look each year
Managing security is not a one-off project. Just like replacing the batteries in your smoke detectors or getting a physical, you need to re-assess every year. Fortunately, the first time you assess your practices is definitely the most time-consuming. Your annual follow-ups will move faster because they check on progress and cover new changes. Schedule the re-assessments at the time of year that’s most convenient for your organization.
- Send a survey to your team about any security or productivity changes over the past year
- Confirm that your team has been adhering to your standards
- Include updated training modules in your training program — training should be ongoing
As cybersecurity issues ramp up and cloud computing replaces traditional IT infrastructure, security issues can get even more complex and in need of proactive management. Our team at Leapfrog works closely with each of our clients to understand their business models, operations and goals so we can deliver the secure managed IT services that are the right match.
We believe that risk assessments and strategic planning that follows established best practices are the keys to success. And while we don’t do risk assessments ourselves — we prefer to work with third parties so there’s no perceived conflict of interest when it comes to the services we recommend — having Leapfrog’s experts at the table when you develop and execute your strategy can get you on a strong footing that you can leverage for years. Please let us know if we can help.