As a business owner or high-level non-tech executive, it’s not your job to handle cybersecurity. You hire professionals for that! Your tech team, whether you’re a software company or not, is incredibly intelligent and likely much better versed in the state of cyberthreats and system security than you are. That does not, however, mean it’s a good idea to remain in the dark. Be proactive instead!
Take time to sit down with your IT manager, CTO, or whomever the right person may be. Educate yourself on what needs they have—and the earlier, the better. Privacy by design and chaos engineering are great ways to build in security from the get-go rather than months and years down the line. We’ve organized some of the most important areas of questioning into three sections: Resources, People, and System. Following up on the answers likely involves more departments than just engineering, and that’s where you can help facilitate a secure and prepared work environment.
What’s the breakdown of our current IT budget?
Is cyberthreat insurance included, and do you need it? Is the current budget meeting personnel needs and security resource needs? Unfortunately, a solid percentage of companies intend to downgrade their IT budget even in light of increasing threats. Find out from the people running the department whether they’re working with a bare-bones setup and how you can help through hiring or acquiring services.
What is our Disaster Recovery Plan?
Find out if disaster recovery is handled in-house, and if looking into Disaster Recovery as a Service (DRaaS) is in your best interest. Walk through the current plan, including who needs to know details or be educated on the setup. DR is unequivocally essential in a world where everyone and every company is targeted on a daily basis. Time is of the essence after a data breach, so make sure everyone knows the plan and their role in the event you need to recover.
What further resources do we need to limit vulnerability and ensure resilience?
Find out where you stand on data privacy compliance because the price tag on non-compliance is guaranteed to be heftier than what you might spend upfront, in terms of both time and money. Is the team missing any critical roles that can help shore up security and cloud resilience? Have your IT manager compile a list of your business’s needs in order of priority so that you can help them to help you.
Have we limited access automatically?
This is a very simple way to stop breaches in their tracks, and it is the principle of least privilege: don’t fall into the trap of giving everyone access to everything. For one example, there’s no reason non-customer-facing employees should have access to customer data or billing information. Every bit of data is valuable to hackers, no matter how trivial it may seem to you. Make sure the only people who can access sensitive information are the ones who truly need it to perform their duties.
What is our cybersecurity training plan?
First and foremost, find out whether a training plan is in place at all. Typically this is an HR area, so direct your manager to coordinate with that department on training frequency as well as any recommendations for sources and areas of focus. Most successful cyberattacks occur through social engineering or because of human error, so employee education is critical to limiting risk.
How are we ensuring endpoint security?
This means both in-office staff and remote employees, and particularly the latter, as they don’t have the additional safety net of office network firewalls (but ask about in-office network security too). Find out how employees hear about software patches and necessary hardware updates, and make sure there’s a system to follow up and confirm the updates were actually installed.
Do we have an overview of the entire system?
And is it monitored for security weaknesses and breaches automatically or manually? Automation and a whole-system view are your friends. Both help you pinpoint vulnerabilities before they become problems and alert you to anyone probing the system or getting in. Ask how you can better automate the system for security and resilience. Find out when the last penetration test happened and how often they’re run.
Where are we most vulnerable?
Ask if the engineering team works with chaos engineering. It’s a way to be proactive about security risks rather than waiting for them to appear. Get a rundown of the most vulnerable areas and a plan to address them. This includes the most common types of attacks detected so that you can circle back to security training and make sure everyone’s briefed on the biggest threats to your specific business.
Are we cloud resilient?
If the answer is yes, great! Get briefed on how, and ask to stay informed with any changes in the rapidly evolving cloud environment. If the answer is no, ask your cloud provider to make that a priority. Know which cloud provider(s) you use and which areas of the company need the most work to become resilient.
If you don’t know what cloud resiliency is (which is one reason the answer might be “no”), our linked blog has a deep dive. For now, here’s a quick explainer: it’s the ability of everything you have connected to the cloud, from individual servers to your system as a whole, to keep operating with little to no downtime in the event of an emergency. That emergency could be a data breach, a natural disaster, or even your cloud provider going down for a bit.