With everything you have to deal with in your contracting business, there’s a good chance the last thing you’re worrying about is “cybersecurity.”
What does that have to do with HVAC service and contracting? Unfortunately, in today’s digital world, most customer information and important company data is stored either on your company’s computers or in the cloud. That data could be at risk. For more info on the ramifications of such risk, read this editorial from 2014: bit.ly/Target_Breach.
Cybersecurity is more than anti-virus software or secure certificates for your web-based information, or having a basic company policy on computer usage. Cybersecurity touches all your information stored in the cloud, with your credit card processor, and on your company’s computers, cell phones, and smart devices.
According to recent National Cyber Security Alliance (staysafeonline.org) research, two thirds of small businesses say they are dependent on the Internet for their day-to-day operations, and have become more dependent on the Internet in the last 12 months.
Cybersecurity touches all your information stored in the cloud, with your credit card processor, and on your company’s computers, cell phones, and smart devices.
The research also indicates 69% handle sensitive information, including customer data; 49% have financial records and reports; 23% have their own intellectual property (IP), and 18% handle IP belonging to others outside of the company. The alarming news is 77% of small business respondents to the surveys do not have a formal written Internet security policy for employees, and two thirds do not have policies regarding how their employees use social media. Nearly half of employers said they do not provide Internet safety training to their employees.
Do you have systems and plans in place for how you and your employees handle information? What you would do if your information was lost or breached?
Cybersecurity is a fairly complex and lengthy subject. While it’s not the intent of this article to provide a comprehensive plan, I hope to raise your awareness of the extent of the issue. Below you will find some valuable information to help you establish and/or strengthen you company’s policies and processes relating to this important issue.
What Should You be Concerned About?
Here are seven key areas to think about when developing your Cybersecurity Plan:
1. The type of data you collect, as well as where and how you store it – including customer data, company business and financial data, and personal employee data
2. Who has access to your data, your company network, including Wi-Fi, and what protections do you have in place?
3. Employee password protection and use of company computers and devices, as well as use of social media
4. Identification and cataloging of your company’s computers and smart devices, including external hard drives, back-up media, etc. and a process to properly dispose of old computers and devices.
5. Protecting your company computers with anti-virus and malware protection software, and physical security of your servers and critical computers
6. Protecting your data on the internet, including your website and online databases, information stored in cloud computing services, credit card processors, and online backups
7. A response plan in the event of data loss or theft, as well as catastrophic failure of key components of your company’s computer systems and/or network.
Where Do You Begin?
A great starting point is a document published by the FCC, entitled CyberSecurity Planning Guide (bit.ly/CySec_Manual). This manual provides a good initial education on the subject and can help you start and/or improve your cybersecurity plan right away. An important factor to consider is that cybersecurity policies and planning are not a one-and-done thing. Information technology and the internet are changing at a very fast pace. Cybersecurity policy and company manuals should be reviewed at least twice a year, preferably quarterly.
If you feel cybersecurity is an area you are unqualified to handle, consider using an outside firm, preferably someone other than your current IT firm. This helps create a layer of separation and accountability.
While it’s very unlikely you can make your company completely bulletproof when it comes to securing your data and computer systems, prevention and planning can reduce your risk significantly. With a solid, practical plan and policy in place, should your data be breached, you’ll be able to bounce back much faster than you would without a plan.