Does your company accept credit card payments? Does your human resource department keep records of the employees’ personal data? What about third-party vendors that handle payroll, or even the folks who take the garbage out? Nearly everyone has a camera on their smart phone these days.
So, before you can protect the data of your clients and design secure audiovisual systems, you should look first at your own company’s cyber risk management framework.
There is no single cyber risk management approach that will stop all cyber crime; it varies per industry. But generally speaking, there are five elements that are common in successful cyber risk management:
1. Start with a proper cybersecurity framework, which provides a structure for ensuring your “CIA”
- Confidentiality of sensitive data – restricting access to who can view the data
- Integrity of the systems – controlling who can write or change or delete data
- Availability – ensuring that systems are up and running when they are needed
There are a number of cybersecurity frameworks readily available; the most relevant to audiovisual systems contractors are the ISO/IEC Security Control Standards, the FCC Cyber Security Planning Guide, and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, which has been widely adopted across many industries.
2. Implement a balanced distribution of responsibility
Many users think that cybersecurity is the responsibility of the IT department, but it is really everyone’s responsibility. Anyone with email access can be susceptible to a “phishing” scam where they inadvertently click a malicious link or attachment.
Executives must understand the risks and their responsibilities.
3. Take a ‘holistic approach’ to security
Consider not only technical factors, but human and physical factors.
It is important that companies equip their employees with the right tools to recognize phishing email and malware, or even bad actors within their organization. Develop a company culture of cyber-awareness, and provide adequate training to all users.
Reward users for raising security concerns. Minimize physical access to equipment using access controls.
4. Develop a thorough and ongoing risk assessment process
The first step is to identify and categorize your assets, including digital assets and intellectual property (IP).
Next, identify the threats to your organization, which could be external, like a hacker locking up your systems using ransom ware, or someone stealing credit card or personal informational, or a hacktivist who doesn’t agree with your company’s values.
Maybe a competitor wants to shut you down for a week and ruin your reputation?
But there could also be internal threats: users who might accidentally delete files, or malicious employees who try to steal your trade secrets. Assume you just hired the next Edward Snowden.
Consider a third party who can test and assess your systems and vulnerabilities. Like humans, most companies cannot recognize their own faults.
5. Last but not least: Develop an Incident Response Plan & Incident Response Team
Everyone in the organization needs to know what to do when a threat has been detected. We talked about Incident Response Plans in greater detail last month, see this link to that article.
By developing and maintaining a cyber risk management approach for technicians, you can minimize the cyber threats and resulting impacts to your organization. You will also be prepared when your clients ask you for a copy of your cybersecurity policy or risk mitigation plan (and they will!)