The first step in any process is often the hardest. Realizing that you need to take action is just the beginning, deciding what action to take is another matter. Some companies build their cybersecurity into their organization right from the start, others realize later down the line that they need some kind of data security and risk management program to protect the data they have in-house or to attain a security certification requested by a customer. Whether you are a small company or a start-up the steps you need to take are similar and there’s no time to waste in getting started.
Small businesses are under attack by cyber criminals every day and just because we don’t hear about it as often as the multimillion dollar company breaches, there is still a significant threat. In 2019, 28% of cyber attacks focused on small businesses, according to a Verizon report. A January 2020 report also showed that 43% of SMBs lacked any type of cybersecurity defense plans. This is a dangerous place to be when small organizations (those with fewer than 500 employees) spend an average of $7.68 million per incident. The COVID-19 pandemic has financially affected many start-ups and small businesses but that shouldn’t distract from the need for a cybersecurity program. In fact, a bi-product of a robust cybersecurity program and security certification is that companies that invest in security are almost always better run in general as they are forced to think about the processes that support their operation.
And don’t be shocked when your customers suddenly demand a security certification. We often hear from customers that, in the eleventh hour of a contract negotiation, the customer drops in a security addendum. That is not the point at which you want to discover you don’t even have the basics in place.
The good news is that building a cybersecurity program is easier to do today than it has ever been. Tools are available that make it easy to build, operate and showcase security programs and these tools make independent audits simpler too.
“Building a security program from scratch is extremely overwhelming. …. MyVCM breaks down the steps into manageable tasks and then gives you the tools you need to maintain the program. I tell the system what training and policies apply to which employees and the system does the rest. My team gets reminders for actions and I can pull reports at any time.” - Facilities Security Officer, Information and Technology Services company
What data should I worry about?
For many organizations the best way to figure out what sensitive information you hold is to run a risk assessment. In fact, many regulations require that you run a risk assessment if:
If you handle sensitive data such as Personally Identifiable Information (PII) it is likely required by law. Even if you operate in an ‘unregulated’ industry fair trading rules may still apply related to any claims you make to your customers about protecting their data.
You’re involved in credit card processing, because you fall under PCI requirements for an annual risk assessment.
Your company touches ePHI, because you must comply with the HIPAA Security Rule.
You touch personal data of any kind from people who live in the European Union; whether they’re EU citizens or not, GDPR’s requirement applies.
You touch personal data of any kind from people who live in California, CCPA applies.
This list will only grow as new regulations come into force. Most notably, more US states are following the lead of California with state privacy regulations. The cost of non-compliance can be considerable. CCPA fines run at $2,500 per violation and $7,500 if the violation is determined to be intentional. That is cost per violation, per consumer so they can quickly add up.
“MyVCM has allowed our small organization to implement a solid compliance program starting as early as 10 employees, and now scaling to 30-40 individuals tracked and many systems and assets. I assume MyVCM will be able to cover us as we scale to 50-100 or more individuals as well.” - CTO, Hospital and healthcare organization
What areas should I focus on when building a security program?
When looking for a platform to help you build your cybersecurity program here are 6 main areas to consider.
1. Simplified Policy & Procedure Templates Make sure the platform you choose provides simplified policy and procedure templates. If you are at a more advanced stage of your cybersecurity journey you may wish to look for a platform that offers more complex templates but if you’re just starting out, start with basics.
2. Training There should be basic security training and assessment material available on the platform. One of the biggest issues for organizations in the area of cybersecurity is employee awareness. By encouraging a culture of security you can educate your employees on the dangers of phishing and other cyber attacks. You can train employees on the issues around password security and restricted access to customer information.
3. An easy to use platform Find a platform that has an easy to use interface. Make it available to the whole organization in order to spread the culture of security within your company. Ensure there are individual and company dashboards available. The Ostendio MyVCM platform comes with straightforward, visually appealing dashboards that make it easy to see at a glance how you are performing as an individual and as an organization.
4. Customer Support Find a platform with a Customer Success team you can trust. As we mentioned in a previous blog post, an exceptional Customer Success team which includes experts on the platform can make your implementation a success. Ostendio Customer Success offers different levels of customer support including email and phone support. When you first start using the Ostendio MyVCM platform you can get started on your own right away and you can also take advantage of training offered by our Customer Success team.
5. Is Professional Services help available? Ostendio has a team of Professional Services experts who are available to help establish a security program or to offer additional support as necessary. Don’t let a security audit distract from your current business focus. If you need additional, trained support, Ostendio Professional Services can help get you started with your program or through a complex audit.
6. Can the platform grow with your business? You might start off small but many businesses will continue to grow and with that expansion you will need additional features on your security platform. Ostendio MyVCM can grow with your business and help you as you expand your security certifications. The MyVCM CrossWalk capability, for example, helps you use the information you have collected for one certification and apply that to other certifications saving you time and money. Many companies find that as they grow they need additional certifications and MyVCM CrossWalk makes this process more straightforward.
Your company will need to encourage a culture of security which involves all employees and inspires them to follow standards that are set out in your policies and procedures. As we have seen in many recent data breaches, employees are often the weakest link due to the increase in sophistication of phishing attacks and other cyber attacks, so it is essential that your whole organization is onboard.
Where should I start?
Ostendio offers its customers different services based on maturity. These are Starting - for those at the beginning of the journey, Developing - for those who already have a program in place but need to negotiate an external audit, and Optimizing - for more mature organizations simply looking for a way to operate their security program in a more efficient and cost effective manner.
As a small organization or start-up the Ostendio MyVCM Standard plan may best suit your needs. Full pricing information is available on our website. The Ostendio MyVCM platform offers flexible pricing to suit your needs and helps you save money when selecting an auditor with the MyVCM Auditor Connect feature.
Ostendio has over 7 years of experience helping organizations with their security and risk management programs. The Ostendio MyVCM platform helps organizations build, operate and showcase their compliance programs. Our Professional Services team is a group of industry experts who are ready to help customers as they implement their security programs. If you need additional help, engaging our Professional Services team is the perfect solution to supplementing your organization’s compliance team when you are setting up your security program for the first time or preparing for an audit. If you are considering an audit such as SOC2, HITRUST, FedRAMP or others, speak to Ostendio and learn more about how the Ostendio MyVCM platform can help your business.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.
What do customers say?
Read real reviews from Ostendio MyVCM customers on the Capterra web site.