How do I start a cybersecurity plan for my business?
Cybersecurity incidents are constantly in the news. Every business wants to protect the confidentiality, integrity and availability of its data. But for many, it is hard to know where to begin – what steps the business can take to assess its information security so improvements can be made.
One cost-effective first step is preparing a data inventory. A data inventory (or data map or data register) is generally a document that identifies what data a company collects, where that data is stored, with whom the data is shared, and when and how the data is transferred or transmitted.
Many information security organizations provide guides and frameworks explaining the data inventory process.[1] Technological tools and consultants can also help. Generally, the process involves investigating what data is generated, collected and used by the business – such as customer data, employee data, technical and financial trade secrets and other proprietary information – and identifying what technology (hardware and software) are involved in collecting, processing, storing, accessing, and transmitting that data – such as mobile phones, servers, websites, email systems, databases, cloud storage or processing systems, etc. The process also educates employees on privacy and cybersecurity issues.
With a data inventory complete, a business can proceed to assess the relative value and vulnerability of various data sets, so it can prioritize the issues most critical to its business and in a manner consistent with its legal risk management strategy.
For example,
Locating where the company’s most critical data resides can uncover needs for improved efficiency, better physical security, backups, additional access restrictions or authentication, or encryption on certain transmission paths;
For a business subject to specific privacy regulation (e.g., HIPAA, COPPA, GDPR, etc.), the data inventory process can identify data and systems whose protection is critical or uncover previously unknown risks to address. With proper legal advice and additional planning, the data inventory process coupled with a compliance audit or other process may demonstrate regulatory compliance;
For a business that relies on trade secrets, the data inventory process can be used to identify locations where trade secrets are kept and the measures taken to preserve their secrecy. The results may suggest additional security measures, such as limiting dissemination or requiring special authentication to access; and
If a business uses third party cloud services, the data inventory can uncover opportunities to work with vendors to improve data handling or storage practices, or even motivate changes in cloud services providers.
The clearer picture of a business’ information systems landscape that a data inventory provides can also help assess the business’ baseline data life-cycle management processes. An inventory may uncover life-cycle management issues, such as issues in data collection, retention, storage, usage, archival or destruction of data. For example, the company may discover it is collecting data it doesn’t use, and can reduce its data collection going forward. Or it may learn that certain data is not being consistently retained or destroyed and take the opportunity to update its data retention procedures.
A business that has any legal questions about its cybersecurity and data management plans, e.g., whether it is subject to privacy regulations, has concerns about protecting its trade secrets, whether it may have any liability for the actions of its cloud service providers, or whether its data retention and destruction practices are consistent with its legal obligations, should seek legal advice from a licensed attorney.
[1] For example, the National Institute of Standards and Technology promotes a “Cybersecurity Framework” that companies can use to assess and manage cybersecurity risks, available at https://www.nist.gov/cyberframework.