The recent data breach at Sony Pictures has been grabbing headlines for the past few days and drawing lots of attention to cybersecurity in the corporate world. While your company is exceedingly unlikely to be the target of a nation-state-directed cyber-attack, you face numerous other threats on a daily basis.

Just the other day, one of my colleagues heard about a ransomware attack on a neighboring small business. They ended up shelling out over $50,000 to criminals just to get their data back. That’s a pretty scary story to hear in an elevator. The sad truth is they were likely hit at random with malicious software and their systems were compromised because best practices weren’t followed.

Scared yet? Here are three things you should be asking the CIO at the next meeting:

  1. How is our network protected?
    You should have some understanding of the overall plan to protect your data. Your IT staff needs to have a plan for patching everything on the network, replacing end-of-life equipment, segmenting sensitive components like your point-of-sale system, and encrypting confidential data. If that can’t be explained in plain English and tied to an understanding of how your business operates, you’re in trouble.

    Protection also includes having good backups – being able to restore from a known good backup can overcome threats like the ransomware example above.

  2. What training are we giving to end users?
    User training around best practices is one of the most effective means to prevent data breaches and to identify them quickly when they occur. Your security is only as good as your most novice user – the one who clicks on every link in their inbox, forwards chain emails, never changes their passwords, and downloads every “free” program known to mankind. Think about them when assessing how secure you are. At the same time, delivering that training in an effective way is important. Do you even have a platform for just-in-time training and IT policy management?

  3. Where is the written documentation?
    You wouldn’t buy a car without an owner’s manual, but there are plenty of networks out there with no documentation. In a crisis, you need that information readily available and not stuck in the heads of your staff. Furthermore, if you have assets deployed where the responsible person has moved on or forgotten how they’re configured, that’s a major vulnerability just waiting to happen. Your IT department should be audit-ready all the time and know exactly where to pull references when needed.

Bottom line – North Korean hackers probably aren’t going to ever attack you, but if you’re connected to the internet, your business is at risk. Simple best practices can reduce your exposure to threats. If your IT department isn’t following and enforcing those best practices, then you should be worried.