Like many things in business, it may seem like it will take hundreds of daunting tasks to address one single overarching fear of liability.
That is why I thought it would be helpful to give you some hope with a few simple exercises to get your organization closer to being secured properly.
Whether you use an outside IT provider or have your own internal IT team, these are good practices to identify weak spots and prevent potential issues now or in the future.
Day 1 – Communication
First and foremost, you have to communicate company-wide to your team that you are actively taking steps to better secure your technology. I like to steal a business principle from The Container Store for this part, “Communication is Leadership” (you can read more online at standfor.containerstore.com/our-foundation-principles/communication-is-leadership).
It’s important in this process that you define and relay why you are taking these measures, whether it’s to better protect your client’s information, protect your employees’ personal information, and/or just to prevent a future financial liability. It’s important that your employees understand this upfront as changes or requests are being made.
Day 2 – Discovery
The second day can be seen as a great exercise in discovery. Make a list of what IT assets you have, which applications are critical to running your business, where files are stored, what IT equipment you own and any other relevant items (all the way down to camera systems, etc.).
It’s often best to brainstorm with your team on this. Put everyone in a room and whiteboard lists (bring in an outside expert, if possible). Once you have listed what’s important, pick the top three items and find out who has access to them and at what levels (e.g., administrator, standard user).
Make a quick spreadsheet so you can keep track of your users and those assets. Keep it updated going forward as changes are made in the organization.
Day 3 – Action
With the information you’ve gathered during your discovery, identify the most important potential liability.
Make a one-day plan to make the necessary changes to limit user access internally or externally. Identify who needs which level of access, and who just shouldn’t have it. It’s important to remember that you don’t have to make this a big manual effort. Allow your team or outside provider to make a small investment in tools and best practices to make immediate changes.
For example, there are tools that can scan your whole network and lay out documentation to identify what is connected and where it’s connected. Using a tool instead of spending hours of staff time figuring this out manually saves valuable time and prevents mistakes.
Day 4 – Designate a point person
You’ve now communicated that you’re trying to keep your organization more secure, and you’ve set in motion some action to make it secure.
As improvements are happening, make sure your entire team knows who the internal point of contact is for potential security risks.
For instance, I was part of a network security case in which someone received a suspicious email. Instead of sending this to a designated security person for review, they forwarded it to another employee who then clicked on an attachment and infected their entire network.
These situations can be avoided when your entire team is looking for and identifying potential security issues. Whether it’s something another employee is doing, a spam filter that is allowing too much through or maybe something much simpler, your team knows who to notify with concerns.
Day 5 – Make the process fun
At this point you’ve created some good groundwork for a more secure network, and you may have some buzz around the office.
Use this to your advantage and have some fun with training your team to work toward a safe, secure network.
I believe people follow incentives, so give people incentives to help — maybe give gift cards, prizes or cash for being the first to identify potential threats. Put up posters around the office that offer good advice, but maybe inject some humor at the same time.
Get creative. It’s the best way to make sure your team is staying with you in the mission for a more secure workplace.
David Darmstandler is CEO of Datapath, an IT services company with headquarters in Modesto.