The Best Questions to Ask an IT Department for Cyber Security
And the Answers to Look For
An expert IT department is an indispensable component of most modern companies. But if you’re a manager or executive of your company, how do you know you’re getting the best out of your tech unit? It can be tough to manage specialists who know more about their work than you do.
The essential responsibilities of any IT department include keeping the company's hardware and software operational, ensuring disaster recovery when needed, and protecting data, both the company's and its customers', through cyber security.
Whether you oversee an in-house IT department or receive managed IT services through a partner provider, here are the questions you should be asking and the answers you should look for to ensure that you’re properly protected.
Question #1: What Protections Are in Place to Guard Against Data Theft?
As recently as the 1990s, the only IT-related theft that most companies had to worry about was someone breaking into their building at night to swipe high-dollar pieces of hardware. Today, most thieves that target IT assets don't take such a bold approach. In fact, they aren't even after your tangible assets. They've homed in on something more lucrative: your data.
There are hundreds of ways that an unscrupulous person can monetize access to your data. They may use ransomware to lock down your system and demand payment to unlock it. They might obtain passwords that give direct access to your accounts. They may even steal the personal information of your customers for black market resale and identity theft. Whatever the nature of the threat, your company needs to be protected.
Answer: Firewall Protection
Because most data heists are perpetrated by thieves operating from a remote location, your company has to strengthen its data security defenses at a digital point of entry: its internet connection. First and foremost, this requires having a firewall application that is set to detect three things: attempts to enter the IT system from the outside, access attempts by foreign entities, and patterns of suspicious system activity that may indicate data thieves who are adept enough to enter and snoop around undetected. Ensure that your IT department is using a firewall.
Answer: Hardened IT Resources
Another way to guard against data theft is to “harden” the hardware and software in your IT system by assessing their potential vulnerabilities. This is officially done by performing a “cyber security vulnerability assessment.” Because savvy data thieves know vulnerabilities exist, inquiring whether a recent vulnerability assessment has been conducted is one of the crucial cyber security questions to ask. If your company hasn’t had an assessment this year, it’s time to schedule one. If the IT department has its hands full, a managed IT services company like NIC can help supplement their efforts.
Answer: Strong Encryption
As you likely know, keeping data encrypted is another indispensable defense measure. But not all encryption algorithms are of equal strength. In fact, if a data thief has been active for a while, he may already know how to quickly unlock certain algorithms, because he's done it before.
Two of the toughest algorithms known to the IT world are Rivest-Shamir-Adleman (RSA) and Advanced Encryption Standard (AES). These are military-grade encryption standards that require a ton of time to break. Because data thieves are criminals of opportunity, they may simply leave your system and search for an easier target if they see one of these standards employed. Put encryption on your list of cyber security questions to ask.
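To make the encryption question concrete, the following Go program is an added illustration (not code from this article or from NIC) of what a "strong encryption" answer should look like in practice: AES with a 256-bit key in GCM mode, which both hides the data and detects any tampering with the stored ciphertext. The 32-byte key and the sample customer record are constructed inline for the demonstration; in a real deployment the key would come from a key management service rather than being generated in the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under key (which must be 32 bytes).
// A fresh random 12-byte nonce is generated per message and prepended to the
// output so that Decrypt can recover it; GCM appends a 16-byte authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal writes nonce || ciphertext || tag into a buffer that starts with the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails with an error, rather than returning
// garbage, if the key is wrong or any byte of nonce, ciphertext or tag was altered.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short to contain nonce and tag")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RoundTrip reports whether plaintext survives an encrypt/decrypt cycle and
// whether a copy with one flipped ciphertext byte is rejected on decryption.
func RoundTrip(key, plaintext []byte) (roundTripOK bool, tamperRejected bool, err error) {
	sealed, err := Encrypt(key, plaintext)
	if err != nil {
		return false, false, err
	}
	opened, err := Decrypt(key, sealed)
	if err != nil {
		return false, false, err
	}
	roundTripOK = bytes.Equal(opened, plaintext)

	// Simulate an attacker or a disk fault altering one byte of the stored record.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Decrypt(key, tampered)
	tamperRejected = err != nil
	return roundTripOK, tamperRejected, nil
}

func main() {
	key := make([]byte, 32) // 256-bit key; constructed here for the demo only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: customer 1001, card ending 4242") // constructed
	ok, rejected, err := RoundTrip(key, record)
	fmt.Printf("round trip ok=%v, tampered copy rejected=%v, err=%v\n", ok, rejected, err)
}
```

The detail worth checking when your IT department answers this question is the mode, not just the algorithm name: AES in an authenticated mode such as GCM, with a unique nonce per message and keys that never sit beside the data they protect.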
An intelligent firewall, hardware and software that are hardened based on cyber security vulnerability assessment results, and ultra-strong encryption are a trio of defenses that fluster would-be thieves. Just be sure that these measures are active 24/7, every day of the year.
Question #2: What Is the Protocol if We Are Targeted by a Cyber Attack?
Does your department have a plan of action for when your company does become the target of a cyber attack? When it comes to damage mitigation, this is one of the most essential cyber security questions to ask. Chances are that your department has a plan of action. A better question is: how comprehensive is that plan, and how quickly can it be implemented? The answer may also depend on how quickly the attack is detected.
Answer: Use an Automated Monitoring Solution
Having live IT staff monitor the system is one solution. But a software-based strategy that eliminates human error, monitors the system 24/7, and uses automatic diagnostics that can detect attacks in their infancy is a more foolproof solution. It's also more cost-effective than having technicians man a workstation around the clock, in shifts. Most importantly, it might preclude the need to "break the glass" and bring out a last-measure stopgap.
Because an automated solution can both detect and remove an active or dormant intrusion in the system, it can act as a single solution for detection and reaction. Once the attack has been thwarted, functionality tests should be performed to ensure that the system is ready for normal activity.
Once system status returns to normal, you've potentially staved off data theft, prevented a malicious payload from rippling through the IT system, and saved time on system recovery. If your current protocol for an IT attack seems more like a plan for the aftermath of war than a strategy to prevent one, have your department contact NIC about implementing an automated cyber security defense solution that's tailored for your IT system, and both detects and responds to a variety of common and seldom-seen attacks.
Question #3: Are We Compliant With Laws Regarding Our Customers’ Information?
For companies in the consumer market, this is arguably the most important of all cyber security questions to ask. In the U.S., three types of standards address how personal information is handled: federal law, state law, and industry regulations. Of these standards, some provide companies with more guidance than others.
Answer for Compliance With Federal Law
Federal law of the United States largely lacks statutes dealing with the security requirements of customer information. Furthermore, even on the broader subject of “personal” information, legislation largely deals with how government agencies access and use it. Outside of this, laws protecting medical and legal records, and statutes dealing with information used to commit premeditated felonies — particularly fraud — the feds give the subject of personal information the silent treatment. We clarify this only because it seems natural that one might think otherwise.
Answer for Compliance With State-Level Law
Collectively, state laws have numerous statutes that address how organizations treat personal information. As each state has a different take on the issue, citing specific statutes is futile. Try to set aside time to review your state’s laws or delegate the research to an assistant.
Statutes should at least be easy to interpret, making it clear whether your IT department needs to act. One aspect of state law that governs personal information is the same nationwide: the legalese is remarkably specific. The statutes are also consistently narrow in scope.
Answer: Compliance With Breach Notification Updates
In 2018, several states passed new laws shortly after Europe’s General Data Protection Regulation (GDPR) went into effect. One aspect of the GDPR that some states wrote into their statutes is “breach notification,” which broadly deals with how companies must notify individuals in the event that their personal information is exposed during a data breach.
Some companies have already done this in the wake of past breaches. States with new notification processes at least take the procedural guesswork out of the process. In a time of duress, with perhaps plenty of other cyber security questions to ask, companies may find the procedure to be a source of relief as something that brings an element of order to chaotic times.
If your state has breach notification laws on the books, and your company happens to experience a breach, a quick review of the new legislation should answer two cyber security questions at once: how to let customers know about the event and the amount of time you have to notify them after the incident occurs.
Question #4: Does Our Information Collection Comply With Industry Regulations?
Determining which cyber security questions to ask based on industry standards is similar to determining inquiries in relation to state law: it all depends on where you’re located. The most notable regulatory guidelines are predictably for industries that have a significant impact on customers nationwide and store personal data of a highly sensitive nature.
Answer: Financial Industry
For the finance industry, the Gramm-Leach-Bliley Act defines information sharing practices for institutions offering financial products and services, such as loans and insurance. Basel II is another significant standard, which is globally enforced and applies to international financial organizations with the goal of reducing internal and external fraud by reducing “system security incidents” — primarily data breaches, as discussed in response to question 1.
Answer: Healthcare Industry
For the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) is the well-known, all-encompassing standard for customer data compliance, affecting electronic health records, laboratory records, pharmacy records, and also radiology readings. If your company is in the healthcare industry, you're probably already familiar with this standard.
In the educational industry, the standard with the most widespread effect on customer information is likely to be the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student loan records and applies to all institutions that receive funds through programs via the U.S. Department of Education.
Answer: Retail & Payment Cards
Questions about legal compliance for customer credit card information are typically answered with a reference to the Payment Card Industry Data Security Standard (PCI DSS), whose requirements must be followed by merchants that accept debit and credit card payments.
If your company accepts card payments, you almost certainly already comply with the standard, as the "payment card industry" collective would otherwise impose fines and eventually cancel your right to accept card payments. However, the standard remains worth citing, because companies concerned with customer information may be in the consumer market and might decide to accept card payments in the future to open new streams of revenue.
Question #5: Do We Have a Disaster Recovery Strategy in Place?
Of the five cyber security questions we list here, this one should receive the quickest reply. You either have a disaster recovery plan that is ready to implement following a catastrophe, or you don’t. A recovery plan helps your company maintain business continuity in the wake of an event that could leave your region in a daze, such as a strong earthquake. The disaster could also be as mundane as a burst plumbing pipe in the ceiling that soaks your server enclosures.
Answer: Multi-Resource Recovery Plan
A disaster recovery plan is essentially designed to help a company recover from an incapacitated IT system, such as one that’s smashed by a fallen ceiling or soaked with gray water. To keep the business IT process intact following the event, a plan often uses four resources:
- Offsite data storage
- Alternate business location
- Emergency backup hardware
- Emergency staff deployment
Offsite data storage is a must, so ensure that data you would need is made redundant at an offsite storage location. Emergency backup hardware is also essential. Offsite data can’t be used without it. An alternate business location may go unused. However, if your building is uninhabitable, you’ll need a location where the temporary IT system can be quickly staged. Emergency staff may also prove unneeded. But disasters that render buildings uninhabitable can also cause logistical chaos that makes it impossible for employees to report to work.
In addition to ensuring that resources are available to deploy at any time, you need a deployment plan. A recovery plan provider will help you coordinate the scenario. Last, the execution of the plan should ideally be tested to ensure that no logistical considerations are overlooked. A recovery plan provider will also help you give the plan a test run.
Swift Deployment Is Critical
When a plan becomes necessary to execute, doing so in a timely manner can mean the difference between an eventual return to normalcy and going out of business, especially for small and midsize businesses that have one location. For most companies that don’t make it back, lack of access to critical business data is often the death blow. Ideally, a plan should be deployed within 48 hours following the disaster.
Work With an IT Provider That Has All the Right Answers
If IT is a business-critical resource for your company, questions you have about its cyber security should be asked as soon as possible. If you or your IT department would appreciate some information on cyber security best practices, contact NIC today to schedule a free consultation. We’ll help you ensure that your cyber security is properly strengthened to stand strong against any challenge your company might foreseeably face.