Much like you don’t need to know brain surgery to save someone in an accident, there are easy steps that you and your organization can take to lessen both the chances of a cybersecurity-related incident and the damage if one occurs.
Cybersecurity is too often considered a purely IT-oriented issue when in reality it’s also a training and human resources one.
In fact, some of the biggest vulnerabilities can be solved by having top-down policies and protocols. I should note that in many states, you’re actually required by law to have them.
First, if your organization’s policy is to make basic cybersecurity practices optional, and not a mandatory—and enforced—condition of employment, then you’ll never be adequately secure.
Good policy starts at the top and must be treated much like sexual harassment training. You can't assume your staff, vendors, or consultants know how to conduct themselves securely, or, even if they do, that they'll take the time to do what you're asking. Your organization's rules must be codified, understood, and agreed to, and someone needs to be responsible for compliance. There also needs to be a channel through which management hears about incidents and can react to them.
Everyone who has access to important or private information should understand, and agree to, at least these basics:
Organizations themselves must have their own protocols in place, including:
These can’t be “recommendations” or “best practices.” They need to be part of doing business.
One political party we worked with took these recommendations to heart. We helped them understand their issues and how to solve them, and they made a top-down commitment to change. In a few short weeks, they instituted new security standards up and down the organization. And if there ever is an incident, they'll know better how to react and what to do.
If you do have an incident, take it seriously, particularly if there might be a breach of credit card numbers, Social Security numbers, or user names and passwords.
Don't assume you know the scope of the breach. You'll immediately want to talk to an experienced cybersecurity attorney and a forensics team to figure out both the extent of the breach and the potential legal liabilities. (Don't just restore from backups! Wiping and rebuilding the affected systems destroys the logs and other artifacts that may be evidence, and any backup taken after the intruder got in may carry the intruder's changes with it, so you'd be restoring the compromise along with your data.)
As you might imagine, the cost of these teams can be much higher than the cost of training your staff and instituting protocols.
Most of these policies and procedures would be part of what's called a Written Information Security Program (a WISP), which normally includes an incident response plan and which is also expected to be part of the reasonable precautions most states require.
In the end, if you’re not addressing the human resources aspect of cybersecurity, you’ll have trouble implementing even the most basic technical ones.
By Brian Franklin, Co-founder of Campaign Defense, Inc
Also published in Campaigns & Elections