The cars we drive to work every day run primarily on computers that collect thousands of data points. Same goes for the factory that manufactured them and the company that designed and sold them. This evolution makes cybersecurity vital at every step in the supply chain. We know manufacturing is one of the most hacked industries. We know hackers target individual cars. We’ve seen cybersecurity best practices from Auto-ISAC and NHTSA. With that, we wanted to provide companies with a list of concrete steps to consider to help minimize the risk of, and prepare for, cyber-intrusions.
Below is our list of 17 measures every company should consider to reduce the risk of cyber-intrusions.
- Conduct internal compliance and risk assessments, to determine your organization’s vulnerability to cyber-attacks.
- Develop and implement corporate policies and procedures required for compliance with federal and state privacy and security laws.
- Develop quick-response teams to handle potential cyber-attacks, using pre-formulated decision trees and procedures so that you don’t have to develop them while under the fire of an ongoing attack.
- Establish secure data backup protocols to ensure that, even if your company is under attack, important company records are secure.
- Establish protocols to deal with common forms of cyber-attacks (denial of service, etc.).
- Line up outside experts, if necessary based upon the risk profile of your company, to swing into action if company processes are overwhelmed by a cyber-attack.
- Perform periodic audits of cybersecurity practices against industry norms, accepted best practices, and the risk profile of your organization.
- Implement information security best practices, reflect them in information security policies, records retention and management policies, and in internal controls/standard operating procedures.
- Make certain the CEO and executive leadership are properly informed about the cyber risks to your company and that they’re involved in oversight and the decision-making process related both to cyber-attacks and proactive cybersecurity measures.
- Review funding of all electronic security measures to ensure they are adequate to cover not only routine compliance measures but also to allow for proactive testing and probing of systems in light of increasingly sophisticated measures being used by hackers.
- Collect only that personally identifiable information from clients, customers, or company personnel that is needed for identified business needs, with the retention of such information being only for as long as it serves those business needs, with storage being accomplished in a way that minimizes the chance of it being of any use outside the organization (encryption, etc.).
- Review cybersecurity programs to ensure they apply industry standards and best practices.
- Coordinate cyber incident response planning across the entire company.
- Store sensitive information securely (encrypting where appropriate) and away from other data that does not require the same level of protection. Use a layered defense approach to protect “crown jewel” information.
- Conduct appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information, and require them to enter into agreements that they are implementing robust data security procedures, follow up to ensure these requirements are in fact implemented.
- Assess ways in which your company’s access vulnerabilities (website, VPNs, remote access, and so forth) are configured to minimize potential intrusion risk, with regular testing and probing to update and address identified risks.
- Perform companywide training, tailored to the personnel at issue, to ensure the importance of adherence to all electronic security measures are followed.
This list was generated as part of a Legal News: Cybersecurity newsletter by Greg Husisian, Chanley Howell and Jacob Heller titled, “Cybersecurity and the New Trump Administration: Your Top Ten Questions Answered.” Click here for the original publication.