
Good cybersecurity plans begin with good corporate policy

Implementing a good cybersecurity defense is an absolute necessity in today’s risky business environment.

At first, the responsibility for formulating and implementing an effective strategy might seem overwhelming. It’s not easy. It’s a job that probably doesn’t rank at the top of many new or expanding businesses’ to-do lists. But this duty shouldn’t get ignored or delayed for long.

Cybercrime is flourishing, and small and midsize businesses are inviting targets for hackers, partly because they are perceived as easier targets than larger organizations.

Some organizations might be slow in getting started or in trying to improve existing plans. Others might not know where to begin. Jon Scarbrough, director of IT at SDN Communications in Sioux Falls, has a suggestion that could be helpful:

Start by putting together good, clear policies.
Identify important issues and objectives related to keeping the company’s network and data safe.

“It might sound logical. It might sound silly. But unless you put it on paper, employees aren’t going to know what’s required of them,” Scarbrough said. “In my mind, having policies puts together the rules of the road on how people interact with technology.”

When general policies are in place, teams can implement more precise standards and rules to achieve organizational objectives.

“By putting together some policies, you’ve put together some thought processes. You’ve put pen to paper and said, ‘Here are the different areas that we think are important and we want to address’,” Scarbrough said. “From a management perspective, once you have those in place, you turn those over to a team to take care of the implementation.”

For example, a corporate policy might require that all connected devices have protection from malware and apply software updates quickly. A policy might also dictate who and what types of devices may connect remotely to the company’s network, and how deep into the system groups of employees, vendors or customers will be able to go.

The implementers can set access restrictions and spell out specifically how to achieve policy objectives, Scarbrough said.

Help is available. Public and private frameworks, such as the NIST Cybersecurity Framework, can help business organizations assess and improve their ability to prevent, detect and respond to cyberattacks. The National Institute of Standards and Technology developed the guidelines.

NIST guidelines take a best-practices approach to helping organizations prevent, detect and respond to cyberattacks. The guidelines incorporate suggestions from industry, government and academia to create a detailed process for industries in fields such as financial services, electric utilities and telecommunications to follow.

Other framework options also are available to help organizations improve security or manage technology. They include products such as COBIT 5 or ISO 27001.

A meaningful commitment to a framework of any type requires the support of an organization’s leadership. And no matter the approach taken, achieving and maintaining a comfortable level of cybersecurity will likely require an investment in company time and possibly equipment.

In addition to providing more safety for network assets, implementing or improving cybersecurity practices can help a company comply with government or industry regulations. Good cybersecurity also can help an organization build credibility with customers and other entities.

“It’s a badge that all companies need to have to satisfy their business partners,” Scarbrough said.

SDN Communications is a regional leader in providing broadband connectivity and cybersecurity services to businesses in communities such as Sioux Falls, Rapid City, Worthington, and the surrounding areas.