An employee’s first day presents them with a flood of new information—and delivers with it a message of what the company values most. In a few quick hours, an employee receives directions about when to start work each day, which communication platform to use, what to wear and more. But where does cybersecurity land on your organization’s priority list? Is it talked about on the first day?
Information security policies and procedures should be an onboarding priority for every Human Resource (HR) department. And a strong relationship with the IT department will help HR develop and implement a productive, consistent onboarding process that prioritizes your business’s cybersecurity practices. Here’s how you can begin fostering a cybersecure work environment from the moment the offer letter is signed.
Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of making common security mistakes and may be vital in maintaining your company’s compliance.
After the employee clears the background check and arrives for their first day, it is time to explain and complete a few critical documents. Many compliance audits require these, so follow accurate filing and tracking procedures.
Confidentiality (or Non-Disclosure) Agreements
Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define which information is classified as confidential and communicate how employees are to handle the information.
Information Security Policies
The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that will be pertinent to their specific role. Employees should sign and acknowledge these policies on their first day of employment.
Bring Your Own Device Contract
If your employees access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.
The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. By providing information security awareness and training you can deliver insight into real world cyberthreats and explain why policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. Don’t rush through this process. Taking the time to stress the importance of cybersecurity produces vigilant employees who actively participate in protecting your organization.
Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:
Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
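As an added illustration of least privileged access and consistent provisioning (example code written for this article, not a Pratum tool), the script below keeps a role-to-entitlement baseline, grants a new hire only what the baseline lists, refuses unknown roles instead of falling back to a broad default, and audits an identity-store snapshot for drift from the baseline. The role names, entitlement strings and the sample directory are constructed for the example.

```python
"""Least-privilege provisioning and access audit (constructed example).

The role catalog, entitlement names and the sample directory below are made
up for illustration; they are not any real system's permissions.
"""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement baseline: each role lists only what that
# job needs. Anything not listed here is denied by default.
ROLE_BASELINE = {
    "accounts-payable": {"erp:invoices:read", "erp:invoices:approve", "email"},
    "helpdesk": {"ad:password-reset", "ticketing:agent", "email"},
    "sales": {"crm:contacts:read", "crm:contacts:write", "email"},
}

# Entitlements that should carry a documented approval before being granted.
PRIVILEGED = {"ad:domain-admin", "erp:invoices:approve", "db:prod:write"}


@dataclass
class ProvisionResult:
    user: str
    role: str
    entitlements: set = field(default_factory=set)
    needs_approval: set = field(default_factory=set)


def provision(user: str, role: str) -> ProvisionResult:
    """Return the least-privilege entitlement set for a new hire's role.

    Unknown roles raise rather than falling back to a broad default, so a typo
    in the HR record cannot silently grant more than intended.
    """
    if role not in ROLE_BASELINE:
        raise ValueError(f"no baseline for role {role!r}; refusing to provision")
    ents = set(ROLE_BASELINE[role])
    return ProvisionResult(user, role, ents, ents & PRIVILEGED)


def audit(user: str, role: str, granted: set) -> dict:
    """Compare what a user actually holds against their role baseline.

    'excess' is the least-privilege violation: access the job does not need.
    'missing' is an onboarding gap: baseline access that was never granted.
    """
    baseline = ROLE_BASELINE.get(role, set())
    excess = granted - baseline
    return {
        "user": user,
        "excess": sorted(excess),
        "missing": sorted(baseline - granted),
        "privileged_excess": sorted(excess & PRIVILEGED),
    }


def audit_report(directory: dict) -> list:
    """Audit every user in a {user: (role, granted_set)} snapshot and return
    only the entries that deviate from baseline, privileged excess first."""
    findings = []
    for user, (role, granted) in directory.items():
        finding = audit(user, role, granted)
        if finding["excess"] or finding["missing"]:
            findings.append(finding)
    findings.sort(key=lambda f: (not f["privileged_excess"], f["user"]))
    return findings


# Constructed snapshot of an identity store: one correct user, one who kept
# helpdesk and admin rights after moving to sales, one missing a baseline grant.
SAMPLE_DIRECTORY = {
    "alice": ("accounts-payable",
              {"erp:invoices:read", "erp:invoices:approve", "email"}),
    "bob": ("sales", {"crm:contacts:read", "crm:contacts:write", "email",
                      "ad:password-reset", "ad:domain-admin"}),
    "carol": ("helpdesk", {"ticketing:agent", "email"}),
}

if __name__ == "__main__":
    new_hire = provision("dave", "helpdesk")
    print(f"{new_hire.user}: grant {sorted(new_hire.entitlements)}")
    for finding in audit_report(SAMPLE_DIRECTORY):
        print(finding)
```

Running the audit on the sample snapshot flags bob first, because the entitlements he kept from a previous role include one on the privileged list, and then carol, whose onboarding never granted a baseline entitlement her role needs. Running this kind of comparison on a schedule, and on every role change, is what keeps provisioning consistent across hires rather than dependent on whoever handled the ticket.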
Consider the relationship between HR and IT during onboarding (and beyond). An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This alleviates many of the risks that can be introduced by missing important onboarding processes. And it ensures proper provisioning and information security practices are being followed.
If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to a Pratum representative today!
Quality cybersecurity team members are hard to find in today’s market, which has led many organizations to consider engaging a virtual chief information security officer (vCISO) to lead their strategy. Engaging a fractional vCISO solves many of the issues that accompany hiring a full-time employee, by letting you sidestep soaring salaries, high turnover and competition for the best talent.
But just as with any professional service, the market is full of people who market themselves as a vCISO without having the qualifications you want in an executive-level leader guiding your cybersecurity program. In this blog, we summarize key traits to look for to ensure that you choose a vCISO qualified to set a strategy that’s cost-effective, efficient and in line with relevant compliance frameworks.
Cybersecurity strategy must align with your overall business goals. So you’ll want a vCISO who truly understands how your organization makes money, what makes it different from competitors and where leadership wants to go. Benchmarking your status against other organizations within your industry can be beneficial. But if you get the sense that a vCISO candidate delivers the same templated advice to every client, keep shopping.
Certifications are meaningful and a good differentiator among candidates. But hands-on experience trumps training among two similar-sounding vCISOs. If a vCISO has worked on an in-house security team before, they have firsthand knowledge of selling ideas to executives, working within budgets and getting team members to catch the security vision.
Nearly every job listing throws this requirement in at the end. But with a vCISO, it’s mission-critical. A vCISO typically serves as the liaison between the IT leaders and the C-suite and sometimes the board of directors. They need to be able to make the business case for security investments in plain English. The vCISO will also represent you with auditors and regulators, so your success often rides on their ability to build relationships and persuasively explain your position.
No single company or industry has a monopoly on best practices for cybersecurity. So the best vCISOs have worked in multiple areas, giving them broad exposure to ideas they can apply to your situation.
Much of your cybersecurity strategy will focus on preparing an incident response plan and effectively dealing with breaches when they happen. Find out how much your potential vCISO has worked in this area. Ask for specific examples of when they’ve handled a breach.
A vCISO will help you choose one core information security framework to guide your strategy. NIST 800-171 is one of the most popular, for example. But your specific business and industry may point you to another framework. Your vCISO should have broad expertise in following several widely accepted frameworks.
Some industries, such as healthcare and banking/finance, have significant requirements under regulations such as HIPAA or Sarbanes-Oxley. And nearly every organization has to understand its obligations for laws governing handling of personally identifiable information (PII) or credit card information (covered by PCI-DSS). Your vCISO should be able to accurately determine your requirements and help you meet them.
Hackers change tactics constantly, and lawmakers pass new information security regulations every year. Your vCISO should be on top of an ever-changing industry. If they only talk about threats and tactics from 10 years ago, that’s a red flag.
The fee for quality vCISO service should include staples such as an annual risk assessment; an annual tabletop exercise; regular meetings with your team; and more. The vCISO isn’t just on call when you need them. They set the agenda and manage annual milestones in your program.
Part of a Team
A one-person vCISO operation can bring a wealth of insight—but they’re still just one person. If you choose a vCISO who works within a larger organization, they can tap the knowledge of other vCISOs around them. And in a dedicated information security firm like Pratum, vCISOs have access to experts from the digital forensics team and SOC team when they need it.
Pratum's team of vCISOs is ready to talk about their work in all of the areas covered in this blog.
If you need help with your cybersecurity strategy, contact us today.
Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the Yin Yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate concepts.
You're probably storing more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.
Governments worldwide are increasingly committed to holding you legally liable for all that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one. In this article we'll help you understand the difference between data security and data privacy so you can ensure your policies pay attention to both.
An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.
Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.
Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.
In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as Pratum on:
Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.
New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. This presents two key takeaways as you think about data privacy:
During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.
Then the hammer fell. In 2019, the EU levied its first big penalty with a $230 million fine of British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.
Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.
Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission regarding basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.
Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:
Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.
If you’re ready to have a conversation about how all of this applies to you, contact a Pratum consultant.