Your network (physical) security should be solid and in place. This includes firewalls, virus protection, current patches on system-level software and physically secured servers. Basic network security is well understood, relatively simple to implement, and often inexpensive. If your IT team is not up to this task, bring in an outside Infrastructure company to take a look.
Turn on your system logs. System logs tell the story of access and usage of your IT system. Logs will also allow your IT staff to continually look for security attack attempts — perhaps with the chance to prevent a breach before it happens. Even if you are short on resources and cannot continually monitor your logs, they will help you understand how the breach occurred and determine what data was compromised.
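As an added illustration of what "continually look for security attack attempts" means in practice (example code, not part of the original article), the following Go program counts failed SSH password attempts per source address in a few constructed auth-log lines and flags any address at or above an assumed threshold. The log lines, hostnames, addresses and the threshold of five are all made up for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines in the style of a Linux sshd auth log; not real data.
var sampleAuthLog = `Mar  3 10:01:12 web1 sshd[2110]: Failed password for invalid user admin from 198.51.100.23 port 51422 ssh2
Mar  3 10:01:14 web1 sshd[2110]: Failed password for invalid user admin from 198.51.100.23 port 51422 ssh2
Mar  3 10:01:15 web1 sshd[2112]: Failed password for root from 198.51.100.23 port 51430 ssh2
Mar  3 10:01:17 web1 sshd[2114]: Failed password for root from 198.51.100.23 port 51431 ssh2
Mar  3 10:01:19 web1 sshd[2116]: Failed password for root from 198.51.100.23 port 51433 ssh2
Mar  3 10:02:01 web1 sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Mar  3 10:02:40 web1 sshd[2122]: Failed password for alice from 192.0.2.44 port 40990 ssh2
Mar  3 10:02:45 web1 sshd[2122]: Accepted password for alice from 192.0.2.44 port 40990 ssh2`

// Matches sshd "Failed password" events; group 1 is the user, group 2 the source IPv4.
var failedRe = regexp.MustCompile(`sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)`)

// FailedLoginsByIP counts failed password attempts per source address.
// Lines that are not failed-login events (successful logins, other daemons) are ignored.
func FailedLoginsByIP(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			counts[m[2]]++
		}
	}
	return counts
}

// SuspiciousSources returns, sorted, every address with at least threshold failures.
// The threshold is an assumption for this demo; tune it to your own baseline.
func SuspiciousSources(counts map[string]int, threshold int) []string {
	var out []string
	for ip, n := range counts {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	lines := strings.Split(sampleAuthLog, "\n")
	counts := FailedLoginsByIP(lines)
	for _, ip := range SuspiciousSources(counts, 5) {
		fmt.Printf("ALERT: %d failed logins from %s\n", counts[ip], ip)
	}
}
```

The single mistyped password from 192.0.2.44 followed by a success stays below the threshold, while the burst from 198.51.100.23 is reported; the same counting loop works unchanged when the lines are read from a real file or a log-forwarding pipeline.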
Encrypt all sensitive data as widely and as securely as possible. Data encryption is a one-time development effort, relatively inexpensive and worth its weight in gold should you have a data breach. Those magic words, "The data was encrypted — and no sensitive data was compromised," will make even the most embarrassing breach manageable.
Perform a vulnerability scan on all externally facing websites. Review all of your externally facing website scans and secure your sites against web application attacks. This is almost always a job for an outside firm with web app security skills.
Install virus and malware prevention throughout your organization. Malware has become a major security problem for home as well as business computers. A single malware infected computer in your office can be the gateway through which hackers gain access.
Educate your staff. The weakest security link is often your staff. A skilled social engineer will run rings around a trusting, naïve staff member. It’s a mean world out there, fueled by a cybercrime community that often finds it easier to sweet-talk your staff out of the company logins than it does to hack your secured IT environment.
Review your cyber-insurance. When I speak to my associates in the risk management insurance industry, they tell me cyber risk insurance is one of the least understood and least used protection means at our disposal. Your IT environment could be breached one of these days, regardless of what digital security efforts you make. If your financial liability is potentially large enough to break the company, I would suggest you cover your bets with cyber insurance.
Review your third-party relationships. Companies get caught in this trap all of the time — they secure their IT world but some vendor or facilities provider opens up a huge security hole. The big guys (companies with enough clout to pull it off) put their vendors and providers through rigorous security audits before doing business with them. Even if you don’t have the clout, pick your third-party relationships with care.
If you are proactive, smart and have implemented at least a few of the suggestions, you will probably survive a digital security breach.
Alan Wlasuk is a Bell Labs Fellow and CEO of 403 Web Security.