Mailing Systems Technology May/June 2020


By Scott Stephens

IS IT TIME TO REVIEW YOUR DATA SECURITY PLANS?

Security is always a critical concern, but in the current environment, it’s more vital than ever.

When COVID-19 began to spread beyond the original epicenter in Wuhan, China, calls for social distancing reached a fever pitch. Governments in hard-hit areas imposed stay-at-home orders and shuttered non-essential businesses. Faced with a rapidly evolving crisis, the private sector scrambled to implement work-from-home arrangements while securing its IT systems and data.

Inevitably, criminals began to capitalize on security vulnerabilities created by COVID-19. Shortly after the novel coronavirus struck the United States, the Department of Justice reported that fraudsters were sending unwitting recipients phishing emails that pretended to be from the World Health Organization and the Centers for Disease Control. Hackers also capitalized, creating malicious websites and apps that purported to share virus-related information, only to lock devices until payment was rendered.

The stakes for securing IT systems are particularly high for companies in financial services, healthcare, and other industries that process highly sensitive information. To ensure that data is safe, adopt these five security measures to build an IT security program that has the capacity and resilience to withstand even the most extraordinary of circumstances.

Develop, Implement and Maintain Comprehensive, Up-To-Date Contingency Plans

Waiting until something happens to develop appropriate response procedures is a recipe for disaster, and business continuity and disaster recovery plans should be in place well in advance of an emergency. What’s more, they should be reviewed and updated on an annual basis. When reviewing contingency plans, remove and replace any team members who have moved on from the company and make sure the updated contact information for every member of the incident command is included.

Once the plans have been created and updated, it’s time to test them. At least once a year, bring team members together to work through different emergency scenarios. Use a variety of exercises, from walkthroughs and tabletop exercises to functional tests that give team members hands-on experience reacting to scenarios in real time. Once the exercises are completed, it is good to conduct a “lessons learned” retrospective. Remember that the point of these exercises is not to pass the test with flying colors, but to identify any vulnerabilities in the program so corrective action can be taken before a real emergency occurs.

Train Staff on Security Awareness and Assigned Security Roles

Having contingency plans in place won’t be much help unless your staff is trained to implement them the moment a disaster occurs. Employees with assigned emergency response or security roles should be trained on the company’s contingency plans when they receive their assignments and at least annually thereafter.

Staff who don’t have assigned security roles still require training in general security awareness. The training program should address common social engineering scenarios. It is not recommended to rely on recycled, one-hour annual trainings either. Base the company’s training on current, real-world situations and include phishing simulations to give staff practice in responding to security incidents. Lastly, familiarize the staff with mobile computing, bring your own device (BYOD), and other security policies.

