Cybersecurity is the practice of protecting computers and electronic communication systems as well as the associated information. Confidentiality, integrity, and availability are common security objectives for information systems. Together they form the foundation for cybersecurity.
In the business world, there is a tendency to count only tangible goods as company assets: equipment, machinery, servers, etc.
However, we must not forget that there are intangible assets such as the client portfolio, rates, business knowledge, intellectual property, or reputation. All these elements are part of the information about a company and constitute important assets of an organization.
Consider, for example, the rates and offers we present to our clients, which allow us to position ourselves in the market or against the competition, or our strategic plans for the growth of our business.
Think about the consequences of losing the organization's accounting records, the client portfolio, the confidential information we hold about our clients, such as their bank accounts, or our company's intellectual property.
All of these examples are part of our company's information, making it a vital asset that must be protected adequately.
This is what we know as information security.
Although technology is an indispensable element of any organization, it must be used in an adequate way to avoid risks in the management of information.
Therefore, it is extremely important that the necessary decisions and measures are taken before an information security incident/event occurs.
Malware is a blanket term for malicious software including viruses, spyware, trojans, and worms.
... for profit.
Malware gains access to important information such as bank or credit card numbers and passwords. It can also take control of or spy on a user’s computer. What criminals choose to do with this access and data includes:
Malware creators can be anywhere in the world.
They just need a computer, technical skills, and malicious intent. Criminals can easily access cheap tools to use malware against you. It is not personal – they are not targeting you specifically – it is just business.
Ransomware attacks are typically carried out via a malicious but legitimate-looking email link or attachment. When downloaded or opened, most ransomware encrypts a user’s files, then demands a ransom to restore access – typically payable using cryptocurrency, like Bitcoin.
Ransom, an age-old and effective crime, is now being committed online. Ransomware offers cybercriminals a low-risk, high-reward income. It is easy to develop and distribute. Also in cybercriminals’ favor, most small businesses are unprepared to deal with ransomware attacks.
Many small businesses are less security conscious and are less likely to implement cybersecurity measures.
You are not guaranteed to regain access and may be vulnerable to a second attack.
It is common to hear that "the most important link in security is the employee", since avoiding human error could be the key to protecting your systems and information. It is important, in addition to carrying out the appropriate awareness and training to strengthen this link, to take security measures within the HR Department.
A great way to guarantee that you will have a responsible staff in terms of cybersecurity is to establish the appropriate filters, tests, and controls in the relationship with your contractors and employees, especially in the signing and termination phases of a contract:
· what requirements and agreements related to security they must know, accept and comply with;
· what internal policies should apply: use of corporate mail, classification of information, applications allowed, use of the workplace;
· what training you are going to provide them; and
· what are the processes to register/cancel them in your systems.
Below are a series of controls to review compliance with the security policy in relation to the HR Department.
Contractual clauses - Reflect the most important aspects of cybersecurity in the employment contracts of your employees.
Confidentiality agreements - Specify in confidentiality agreements the way to manage access to the most sensitive information.
Cybersecurity training and awareness plan - Keep your staff aware and trained in aspects related to cybersecurity.
Acceptable Use Policy (AUP) - Inform your employees of the penalties for negligent use of your company information.
Contract/employment termination - Communicate to your employees the obligations that they must fulfill with the information of your company at the end of their employment.
Authorized granting of access permissions - Grant the appropriate permissions to ensure that each employee only accesses the appropriate information.
Revocation of access permissions - Eliminate the permissions and user accounts of employees who end their contracts.
100% security does not exist.
Companies must be prepared to protect themselves and react to potential security incidents that could damage operational capacity or jeopardize business continuity.
They have to respond quickly and effectively to any serious contingency so that normal activity can be recovered within a period of time that does not compromise the business.
We can design a Business Contingency and Continuity Plan, where we will implement the mechanisms to be put in place in the event of a serious security incident. These mechanisms will help a company maintain the level of service within predefined limits, establish a minimum recovery period, recover the initial situation prior to the incident, analyze the results and reasons for the incident, and avoid the interruption of activities.
In the event of a disaster, having defined and being able to apply a Contingency and Business Continuity Plan will have a positive impact on your image and reputation, in addition to mitigating the financial impact and loss of critical information due to these incidents.
It is necessary to protect the main business processes through a set of tasks that allow the organization to recover after a serious incident in a period of time that does not compromise its continuity.
If you have already created a Cyber Incident Response Plan, that is great; please make sure that you have included a step to contact and notify: