How to Create a Good Information Security Plan


In a world where not even LinkedIn, Yahoo! or Sony is immune to cyber attack, it pays to have a good information security plan. In fact, if you’ve been pushing cybersecurity to the back burner, you’re doing so at your own risk.

SMBs: Make Information Security a Priority

It’s big news when Yahoo! gets hacked, but attacks on smaller businesses often go unreported by the media. As a result, most people don’t realise how often SMBs suffer cyber attacks.

The UK government’s Cyber Security Breaches Survey 2016 found that two-thirds (65%) of large UK firms had detected a cyber security breach or attack in the past year. Of those, a distressing one quarter were experiencing breaches at least once a month, and smaller firms are hit by the same phishing, malware and credential-theft attacks with far fewer people to notice them.

Complacency is No Option

If you haven’t yet formed an information security plan, here’s your guide. It’s an introduction to the steps you’ll have to take if you want to protect your firm from hacking, data breaches and everything else your business faces online and in the cloud.

Step 1: Use Multi-Factor Authentication

Before you do anything else, start using multi-factor authentication (MFA). It is only one of several controls in an identity and access management programme, but it removes the single biggest weakness, a password that can be phished, guessed or reused from another breach, so treat it as the minimum security measure you take. Turn it on first for email, remote access (VPN, remote desktop, SSH) and every administrative account.

Step 2: Complete a Risk Assessment

Make a list of the assets you’re protecting, where each one is stored and who can reach it. You’ve no doubt amassed an email list, and if you handle payments you’ve got cardholder data, too. Then there’s all the other customer data you’ve collected, along with your own credentials, source code and backups.

Some assets are worth more than others so prioritise your list. That way, you’ll know how much money to allocate to the various parts of your security plan.

Step 3: Avoid Giving Broad Access Privileges

Not every employee needs the same level of access to data. Grant privileges only to the data people need in order to do their jobs properly. Make that your hard-and-fast rule when deciding who gets access to what, and review the grants when people change roles or leave.

This is part of a need-to-know approach to data access that you should be instilling in all company employees.

Step 4: Limit Access to Certain Functions at Certain Times

For system admins (as well as others), avoid granting broad, standing privileges by default. Grant the right to run one specific command (e.g. restarting a web server), as a specific user, and only for the window in which it is needed. That way, if an account is compromised, there’s only so much damage the attacker can do with it.
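As an added example (not part of the original article), the shell snippet below expresses Steps 3 and 4 as sudo rules on a Linux host: the broad grant to avoid sits beside a rule that lets one administrator run exactly one command, as root, during one maintenance window, plus a small audit that finds rules whose command is ALL. The user name alice, the nginx restart command and the time window are illustrative assumptions; the NOTBEFORE and NOTAFTER options require sudo 1.8.20 or later.

```shell
#!/bin/sh
# Added example, not from the original article. Names, command and
# time window are illustrative assumptions.

# The broad grant to avoid: any command, as any user, at any time.
BROAD_RULE='alice ALL=(ALL:ALL) ALL'

# Emit a narrow rule.
#   $1 = user, $2 = exact command line, $3/$4 = window start/end in
#   sudoers Generalized Time (YYYYMMDDhhmmssZ, UTC).
# NOTBEFORE/NOTAFTER need sudo 1.8.20 or later.
jit_rule() {
    printf '%s ALL=(root) NOTBEFORE=%s NOTAFTER=%s %s\n' "$1" "$3" "$4" "$2"
}

# Write the rule to its own drop-in file with the mode sudo expects, then
# syntax-check it with visudo when visudo is available. SUDOERS_DIR can be
# overridden for testing; the default is the real drop-in directory.
install_rule() {
    file="${SUDOERS_DIR:-/etc/sudoers.d}/90-jit-$1"
    jit_rule "$@" > "$file" && chmod 0440 "$file"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file"
    fi
}

# Audit: list non-comment rules whose command part is the bare keyword ALL.
# Reads a file given as $1, or stdin when no argument is given.
audit_broad_rules() {
    grep -nE '^[^#].*[[:space:]]ALL[[:space:]]*$' "${1:--}"
}

# Example: alice may restart nginx as root between 08:00 and 09:00 UTC
# on 3 March 2017 (assumed window), and nothing else.
jit_rule alice '/usr/bin/systemctl restart nginx' 20170303080000Z 20170303090000Z
# The broad rule is flagged by the audit; the narrow rule is not.
printf '%s\n' "$BROAD_RULE" | audit_broad_rules
```

sudo matches the command and its arguments exactly, so with the narrow rule `sudo systemctl stop nginx` or `sudo systemctl restart apache2` is refused, and outside the window the restart is refused too. Keep each rule in its own file under /etc/sudoers.d and always run `visudo -c` on it before relying on it: a syntax error in sudoers can lock every administrator out.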

Step 5: Micro-Manage the Whole System

Cybersecurity is one area where micromanaging is almost always a good idea. Monitor everything that takes place, and monitor it in real time. Record everything, and ship the records off the monitored host so that an intruder who gains root cannot quietly erase them. Then, if something is amiss, you’ll not only catch it faster but you’ll be able to terminate processes and disable accounts if need be.
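As an added example of the monitoring this step calls for (not from the original article), the shell function below scans sudo’s syslog output for two things worth acting on: a user refused privilege repeatedly (a wrong password, or a command outside their rule), and a user who obtained an interactive root shell, which defeats the single-command rule from Step 4. The log lines are constructed samples in sudo’s logging format, and the user names and threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The log lines below are
# constructed samples in the format sudo writes to syslog; they are not
# real log data, and the user names are assumptions.

SAMPLE_LOG='Mar  3 10:15:22 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:01 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:16:05 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Mar  3 10:16:30 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:20:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:25:00 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash'

# Read sudo log lines on stdin and print one alert per finding.
#   REFUSED user=<u> count=<n>  the user was refused at least $1 times
#   SHELL   user=<u> cmd=<c>    the user was granted an interactive shell
# $1 = refusal threshold per user (default 2).
sudo_alerts() {
    threshold="${1:-2}"
    awk -v thr="$threshold" '
    /sudo:/ {
        # The user name is the last word before the first " : ".
        split($0, parts, " : ")
        n = split(parts[1], head, " ")
        user = head[n]
        cmd = $0
        sub(/.*COMMAND=/, "", cmd)
        if ($0 ~ /command not allowed|incorrect password attempts/) {
            refused[user]++
        } else if (cmd ~ /^(\/usr)?\/bin\/(ba|z|da)?sh( |$)/) {
            # A granted shell is unlimited root, whatever the rule said.
            printf "SHELL user=%s cmd=%s\n", user, cmd
        }
    }
    END {
        for (u in refused)
            if (refused[u] >= thr)
                printf "REFUSED user=%s count=%d\n", u, refused[u]
    }'
}

# Run over the constructed sample; in production pipe in
# journalctl -u sudo -f or tail -F /var/log/auth.log instead.
printf '%s\n' "$SAMPLE_LOG" | sudo_alerts 2
```

On the sample this reports bob (three refusals, including an attempt to read /etc/shadow) and carol’s root shell, while alice’s permitted nginx restarts pass silently. Alerts like these are only useful if the log lines reach a collector the administrator being watched cannot edit.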

Step 6: Spell Out the Encryption Details

Identify which types of company data should be encrypted. Next, specify the algorithm and key length required for each type of data (e.g. AES-256 for data at rest, TLS for data in transit; a 64-bit key offers no real protection today). Then, mark down exactly who should have access to the encryption key(s), and where the keys are kept, because a key stored beside the data it protects is no protection at all.

When everything that’s sensitive is encrypted, and the key is not on the device, a stolen laptop doesn’t mean you’ve lost company secrets. It only means you’ve lost a piece of hardware.

In this era of bring-your-own-device (BYOD), it’s important to make sure your security policies cover all devices. That includes phones, tablets, and anything that’s connected.

A Final Word

To summarise: mere passwords are a flimsy defence against today’s attackers. If you don’t have an information security plan in place for your business, it’s time to build one and prepare your defences. Cyber attacks aren’t going to cease anytime soon, and your security is only as strong as your plan. Constant vigilance and good planning will keep you ahead of the game and, hopefully, ahead of your attackers too.