Small Business Policy Writing PT 3: Cybersecurity & IT


Anthony and Trey sat down to have a conversation about writing policies when it comes to cybersecurity & IT. In a short transcribed video, they discuss a variety of topics. The conversation has been lightly edited. If you would like to watch the video instead you can view it here: https://www.youtube.com/watch?v=jPgXPYSxPN0

Anthony Cabral: There are a few sets of policies that you want to have depending on the maturity of your company and what outside regulatory or compliance requirements you might have.

  1. Foremost, you should have an incident response plan. This is the "not if, but when" something bad happens: who do we call? Could we get on the bat phone? How do we contact our insurance providers to get them involved? And then who is controlling internal and external communications?

  2. After you have that saved, with hard copies at someone’s house or in safe deposit boxes, then you should work on a disaster recovery and business continuity plan. This is going to be after the incident happens. We've responded to it, we have people working towards it. How do we recover from whatever that incident is? How do we get new office space? How do we recover our data if it's been crypto-locked, deleted, or exfiltrated? How do we procure new hardware? Where are people working from if there's no physical office space? That's your disaster recovery and business continuity plan.

  3. The other big one that's become more important recently is a wire transfer policy. How do we deal with wire transfers, both as a company if we're doing wire transfers, or if we are working with clients or third parties that we deal with through some kind of financial institution to do wire transfers? One of the biggest man-in-the-middle attacks right now is business email compromise. I get access to your email, I intercept the wire transfer instructions from the bank, I put my own routing and account numbers in there, and then I resend it as the bank. Then you send all the money to the bad guy and not the bank, and the end user is none the wiser. Have that policy in place that we make another phone call to verify that the email is correct, the routing numbers and all that are correct, and the amount of money is correct. Maybe two people have to validate and approve the funds before they go through after a certain threshold, or something like that. Just something to make sure that we're double-checking that we're sending the right amount of money to the right people and to the right accounts as well.
    So those are probably the three big ones that you need right off the bat, day one.

Trey Hiller: Great, well, thank you so much for all this information. Clear Guidance Partners specializes in cybersecurity and IT and we would love to help you through that journey. If you need help creating policies, reviewing policies, or general cybersecurity help fill out this form:

Trey Hiller