This is the first in a series of cybersecurity, privacy, and compliance articles from Ezentria to help members of the Insights Association and their executive teams better understand information security best practices and compliance requirements.
Why Data Security is Essential to the Present & Future of Insights
Marketing research and analytics firms generate a large amount of client data. The data sets may contain personally identifiable information (PII), contact information, proprietary research, and competitive analysis. This data is usually intended for your clients’ eyes only.
Protecting this data from a malicious internal or external attack is a priority and may require additional information security or privacy measures. Depending on the client, the information may be subject to specific government regulations or industry standards, which can be challenging for small market research firms with limited IT budgets.
While certification or attestation with security and privacy standards (ISO 27001, SOC 2, GDPR, CCPA, etc.) is a must for some client contracts, it may not be a requirement for your current clients. But, as your organization grows and bids on new projects, there is a good chance that your prospects will ask about your information security practices. Taking the time now to assess your existing policies, procedures, and controls will help you build a stronger information security foundation to react quickly to these future compliance requirements.
We are highlighting the Small Business Administration (SBA) approach because of its emphasis on the assessment process. Once you know what you’re protecting, you’ll be able to focus the efforts of your IT resources and better justify any required investments. Assessing your organization’s risk and defining your risk tolerance helps to prioritize your projects and select risk treatments.
The SBA also offers a valuable 30-minute on-demand cybersecurity training course for business leaders and managers in the SBA Learning Center Cyber Security for Small Businesses.
You will find that there are many free cybersecurity resources available to small businesses from government agencies (DHS|CISA, FTC, FCC, NIST, DoD, NCSA, and US-CERT). As you skim through them, you’ll see a variety of tools, resources, courses, and best practices.
Understand Common Threats
The SBA defines a few of the more common cyber-threats on their website:
There are controls that you can put in place to protect your assets from most of these, but phishing (or social engineering) is one of the more dangerous threats because the attack preys on your employees and their awareness (and emotions) to bypass those security controls.
Even with regular and thorough training programs, the best organizations still have about a 2% occurrence of successful phishing attempts. Sadly, it takes only one successful phishing attempt to impact your operations or profitability significantly.
There are many other common threats not covered by the SBA, such as Distributed Denial-of-Service (botnet), RootKit, Brute Force (Password Attack), Cross-Site Scripting, SQL Injection Attacks, Man-in-the-Middle, Zero-day Exploit, DNS Tunneling, Identity Theft, Spear Phishing, Cryptojacking, and IoT attacks. To learn more about these additional threats, just Google “What is [threat name]?”.
Assess Your Business
The SBA says, “The first step in improving your cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.” We happen to agree.
The Risk Assessment is the most important of the assessments we list below. The SBA provides more information in their training course about risk and “acceptable risk” than they do on their website.
Here are some assessments that you may consider. Some consultants may combine these techniques into a single custom assessment, but for clarity, we will keep them separate for now.
- Risk Assessment
Most security standards don’t define which risk assessment methodology you use, as long as you choose one that meets their minimum requirements. Popular frameworks include ISO 27005, OCTAVE, and NIST 800-30. The goal of the security risk assessment is to determine, “How much risk can we live with?” and how will we treat the rest.
A risk assessment will typically:
- Take an inventory of your assets
- Identify the possible threats and vulnerabilities
- Assign a value for “impact” and “likelihood” of each risk
- Plan treatment for each risk that crosses the “acceptable” threshold
- Compile the results and recommendations in a report
Common risk treatments include: mitigate (implement controls), avoid (stop the activity), transfer (share the risk), and accept. The SBA also recommends cyber insurance for risk that you would like to share.
- Vulnerability Assessment
A vulnerability assessment examines your IT assets (desktops, servers, routers, etc.) for software revisions and missed patches. The tool can be run at a specific point in time, but it is a best practice to implement a strategy or service that continually checks your infrastructure for vulnerabilities.
- Security Controls Assessment
A security controls assessment looks at the cybersecurity tools you have implemented to determine their effectiveness. Popular methodologies for a security controls assessment include ISO 27002 and CIS Top 20. The first six controls in the Top 20 are considered basic controls that all organizations should have in place.
- Policy and Governance Assessment
A policy and governance assessment examines your administrative controls. The consultant will look at the security policies you have in place and your organization’s ability to implement these policies and procedures, as written. The report will include the results of their analysis, as well as any new policy or governance recommendations.
- Vendor Risk Assessment
A vendor risk assessment looks at your supply chain and the security requirements and security policies of your suppliers, partners, and clients. This process is crucial for online transactions but also applies to the security of any data that you collect or share. Your larger partners will likely dictate the minimum security requirements for your relationship—because they have the most to lose. But that doesn’t mean that you can’t also have security requirements to protect yourself. We will have more on this topic in a future article.
Depending on the certification, some standards (like PCI DSS) also require regular penetration testing, which can be classified as a form of assessment, as well. We recommend that you do not ask your current IT team to assess their own security policies, procedures, and controls. A third party assessment will be more impartial and thorough and, in some cases, required.
Cybersecurity Best Practices
The SBA website does an excellent job of detailing these best practices, so we won’t go in-depth here. However, we can’t stress the importance of employee Cybersecurity Awareness training enough. Most of the other best practices here are for your IT team to implement, and they can easily track and monitor the tactic’s effectiveness.
- Train your employees
- Raise Awareness about Cybersecurity
- Use Antivirus Software and keep it updated
- Secure your networks
- Use strong passwords
- Implement multifactor authentication
- Back up your data
- Secure payment processing
- Control physical access
Once you implement these basic tactics, you can use the results from your assessments to determine what other security controls and best practices need to be put in place to protect the intelligence, analytics, and insights you’ve developed for your clients.
We hope this article has you thinking about your information security practices and whether your organization is cyber-ready. The SBA Cybersecurity for Small Businesses training course is a great next step; then, discuss what you learned with your team. To help you prepare for this conversation, we put together a list of 10 Things Small Business Leaders Should Confirm (.pdf). If you have any questions, need assistance, or would like an assessment, you can reach us at email@example.com. Our next post in this newsletter will be in late April. Until then, be secure.
The Role of IA: A subsidiary of the Insights Association, CIRQ (the Certification Institute for Research Quality) was established to provide assessment and certification services to market research firms seeking certification to ISO 20252 and ISO 27001. A non-profit entity, CIRQ is committed to providing timely, thorough and impartial assessments of its customers' quality management or information security management systems in regard to certification to corresponding standards.