My wife and I took our two kids down to Sarasota, Florida a few weeks ago, to visit my parents.
There was a fair amount of rental car logistics involved (don’t ask), and when it came time to pick up the car, I brought along my dad.
I signed the papers, grabbed the keys and jumped in the driver’s seat.
My dad said, “Hey, wait a minute. You need to take a walk around, to make sure there are no dents they may charge you for when you bring it back.”
Dents? I’ve rented hundreds of cars, have never “walked around,” and have never been charged anything.
At least… I don’t think so.
Because when we brought the car back a week later, and with my retired CPA dad’s voice still ringing in my ears, I decided to check the receipt. Turns out they charged me $16.12 for failing to fill the gas tank… even though I had topped it off just outside the airport.
You Have Cybersecurity Controls, But Are They Effective?
I’m sure we could have an interesting discussion about whether it’s worth the time and effort to walk around a rental car before driving away. But even worst case, the cost of not doing so, is relatively modest.
When it comes to your cybersecurity, it’s a totally different story. Here, “failure to check” mistakes can lead to huge — even existential — problems for your business.
Many companies make two critical errors in this area.
Error #1: Checking the wrong things.
Do you require employees to change their passwords every 90 days? That may seem like a prudent policy, but as a practical matter, it’s really just security theater.
In many cases, and because they want to keep things simple, your employees are just going to change “Pa$$w0rd1” to “Pa$$w0rd2.” (I bet you can guess what next quarter’s password will be.)
Not only does this type of policy do little to dissuade attackers, it costs time, effort and money to oversee. A much better approach to password management is two-factor authentication.
And that’s just one example. Whether it’s processes like this one that have little impact, or technologies that protect you from exceedingly unlikely threats, it’s easy to gain a false sense of security by checking the wrong things.
Error #2: Not checking the right things.
In terms of your cybersecurity, these are the areas that will give you the biggest bang for your buck:
Access Control Reviews
George left the company three months ago. But he still has privileged access, the authorization to sign checks, and the ability to administer your entire IT system.
Invariably, when we do this exercise with clients, we find people who are either over-privileged (“I can’t believe we ever gave Sally this level of access”) or are still authorized to make significant changes (read: cause damage) to company assets.
Periodic audits of your system are essential.
Backup Reviews
Nearly every company we encounter runs data backup. But doing it and doing it well are not the same thing — the quality of backups can vary tremendously.
Do you back up to a physical device that sits just steps from your server? That’s fine if there’s a server crash, but not helpful if there’s a fire.
Is your backup encrypted? If not, and somebody grabs the device and walks out the door, your data has been compromised.
And, even though you think you are backing up your critical data, how do you really know it’s working as it should? We recommend an annual test of your disaster recovery / business continuity, during which you restore your systems entirely.
Think through all the possible scenarios under which your essential data could be lost, stolen or compromised. Then make sure you’ve covered all the bases.
Vendor Reviews
Even small companies can have hundreds (not a typo) of cloud vendor relationships. These may include financial systems, calendars, lead management, CRM, timesheets, hosted camera systems and many more.
Take time to document these relationships and investigate how your data is being managed. Is it encrypted? Who within the vendor company has access to it? What steps has the vendor taken to secure it from bad actors, both inside and outside of their organization?
Final Thoughts
Cybersecurity is a moving target. Protections that are in place today may no longer be appropriate as systems, personnel, vendors and your business priorities change.
Fortunately, you don’t need to be a security expert to make sure the basics are covered. You can have a significant, positive impact on the state of your cybersecurity by thinking through and following up on logical weaknesses in your existing routines.
Granted, it’s more complicated than renting a car. But the cost of getting it wrong is a whole lot bigger than overpaying for a tank of gas!
Next Steps
To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/