Football, Halloween and changing leaves are things we traditionally associate with October, but it’s time to add cybersecurity to that list.
October is Cybersecurity Awareness Month. Now in its 17th year, CSAM’s central goal is to promote the practices that keep Americans safe in cyberspace. This initiative is overseen by the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.
This year’s theme for Cyber Security Awareness Month is “Do Your Part. #BeCyberSmart,” with an emphasis on the importance of personal accountability for protecting your part of cyberspace.
It raises a question that all business owners should be able to answer: Who’s responsible for cybersecurity in your business?
Delegating Cybersecurity at Work
As you know, maintaining your business’s cybersecurity is a big and ongoing challenge. It’s not something you can just check in on every few months; preventing data breaches is a 24/7 priority. It requires a comprehensive data security plan with lots of moving parts. In most businesses, maintaining cybersecurity is a job that many people will share. Everyone plays a role, from the receptionist who opens emails to the cleaner who empties the trash cans.
That said, it’s critical that specific people own specific cybersecurity tasks, and that everyone is clear about their individual responsibilities. It’s the employer’s responsibility to make sure that all tasks are delegated and everyone is on the same page about who does what. Generally, this information is recorded in a business’s data security policy. Everyone can use this policy for reference when any cybersecurity issue arises. If your business doesn’t yet have a data security policy, or if it needs updating, you’ll want to do that immediately.
Your data security policy may include a lot of technical information about your data loss prevention software and data loss reporting. It should also be a practical document that all employees can reference when they have questions or concerns. Cybersecurity is a group effort. Making sure that everyone can access and understand your policies is part of maintaining your data security.
Some of the questions your data security policy may address include:
- Who is allowed to access various kinds of data?
- Who’s responsible for overseeing security permissions (e.g., revoking security access for ex-employees)?
- Who oversees compliance of any data security laws that apply to your business?
- Who should employees tell if they think they’ve opened a phishing email or exposed data?
- Who should employees contact with any general questions about data security and destruction?
(Keep in mind that your policy may need to include contingency plans, especially if you’re a small organization. Say your policy calls for data breaches to be reported to the head of IT, but she’s unavailable when one occurs—who should an employee alert in her absence?)
These are just general ideas; your data security policy should be customized to your business, and depends largely on how much secure data you handle. A business that processes medical claims will probably need more extensive data security policies than a small bakery will.
Finally, keep in mind that a data destruction policy is also a critical part of a comprehensive cybersecurity plan. Your data destruction policy may be a separate document or part of your general data security policy. A data destruction policy should outline best practices for handling both physical and electronic data. (What kinds of data should be shredded, for example? What’s your data destruction policy for remote workers?)
Observing Cyber Security Awareness Month
If your business needs to tighten up its cybersecurity practices, CSAM arrives at just the right moment. This year’s programming is broken into weeklong focus areas. Certain weeks will be more relevant to some businesses than others. If one sounds useful for your business, check in with CISA during that week for targeted resources and information.
Week of October 5: If You Connect It, Protect It
Week of October 12: Securing Devices at Home and Work
Week of October 19: Securing Internet-Connected Devices in Healthcare
Week of October 26: The Future of Connected Devices
CISA also provides a range of resources that businesses can access during October, including a few dozen sample social media posts that provide cybersecurity tips. Anyone is welcome to copy or adapt those sample posts for personal use. This is an easy opportunity to publicly affirm your commitment to cybersecurity—a commitment that protects your customers and employees alike.
We share that commitment at Northeast Data Destruction. Countless businesses rely on our data destruction services as part of a comprehensive data destruction policy. We know that protecting your data is part of how you protect your business. Contact us today to learn more.