Small business cyber security consulting
As a New Jersey company, you have a unique set of cybersecurity demands placed on your operation. The state is home to major financial institutions, healthcare providers, and critical infrastructure companies that are constant cyber-attack targets. If your business has one of these companies as a customer, you’ve undoubtedly received a request that you provide evidence of your cyber security protections. These companies understand that if an attacker can crack your defenses, it’s a straight beeline to theirs. Garden State Backup provides small business cyber security consulting, and cyber security consulting services to medium and large corporations as well.
In some respects, New Jersey has been on the leading edge of cybersecurity initiatives. In 2006, Trenton passed the New Jersey Data Breach Notification Law (Stat. § 56:11-44) that requires all who maintain personal information about New Jersey residents to notify those residents if their information is compromised in a data breach.
While the law is good for New Jersey residents, it’s a severe burden for the companies they do business with. If you collect any personal information from your Garden State customers (and what business doesn’t?), you must protect it. No matter how innocent or accidental, a data breach must be reported in writing to the affected individuals. Any failure to provide notice comes with stiff penalties of $1,000 per person you failed to notify. Good grief.
To be clear, a data breach is any unauthorized access to your clients’ information. It could be something as bold as hackers breaking into your systems. But it could also be simpler, such as a data leak – someone losing a laptop that held customer information, an employee misplacing a backup hard drive or tape, or someone gaining unauthorized access to customer information on your website.
We can help you protect your data. We can also help you button up and protect your organization. Who wants hackers wandering around their private systems, reading their most sensitive communications, accessing bank accounts, and potentially even stealing assets?
There are several types of specific consulting engagements we’re asked to provide. Here’s a list of the five most common:
- Data System Review
- Creating System Security Plans (SSPs)
- Identify and remediate security gaps
- Respond to customer cybersecurity audits
- CMMC Level 2 Assessments (this one is for DoD contractors only)
Data System Review
A Data System Review is the most basic type of consulting, really the meat-and-potatoes of all cyber security. Put simply, it’s a comprehensive review of an organization’s current data systems. It asks and answers the following questions:
- What kind of sensitive data, if any, does the organization hold?
- Where is it kept?
- How is it protected today?
- With which vendors, if any, is this information shared?
- What are the existing defenses in place to protect the information?
While the review will focus on information technology questions, it’s not limited to just bits and bytes. Often, an organization will protect its information with legal terms and conditions, such as in a contract with a vendor. Protection can also be physical, such as video cameras and security systems. Organizations can also protect their systems with formal staff procedures covering how equipment is shared and how its whereabouts are tracked. The bottom line is that it’s a common-sense review of the organization’s risks and how it protects itself today.
The deliverable is a written report identifying “the good, the bad, and the ugly.” And for the ugly, it provides specific guidance on practical steps the organization can take to address them.
Creating System Security Plans
Put simply, a System Security Plan (SSP) is a set of rules that helps keep computers and other devices safe. It tells the people who are allowed to use the devices what they may do with them and how they are expected to care for them. The key point of an SSP is that it’s in writing and shared with everyone who comes in contact with sensitive data. It eliminates the assumption that people “just know” the rules and explains them in plain language.
An SSP is also a statement to employees, customers, and vendors that your organization takes data security seriously. It’s the most unambiguous indication of your organization’s trustworthiness. While no one is perfect, and breaches happen, it shows they didn’t happen due to carelessness – that the organization is committed to taking appropriate steps to protect the data in its possession.
Identify and remediate security gaps
It should be no surprise, but all New Jersey companies have security gaps. Trying to have perfect security would cost more than the GDP of the State. Perfection is never the goal of cyber security. The practical goal is to know the gaps in your security, fix the most egregious, and create a plan to address the remaining weaknesses over time. As Sun Tzu said, “If you know neither the enemy nor yourself, you will succumb in every battle.”
This means cataloging as many of your security gaps as possible. Once identified, the gaps can be classified as high, medium, or low risk. With this information, it’s simple to focus on the most pressing issues and avoid chasing low-risk issues that yield the least benefit.
Respond to customer cyber security audits
This is the most challenging consulting engagement we’re asked to fulfill. It usually happens when a company receives a lengthy series of cyber security questions from a key customer account. The customer is tightening its vendor relationships and can only do business with vendors who satisfy a long list of requirements. The threat of lost revenue and unknown costs usually induces mild panic in the company that receives the questionnaire.
Often, the customer is itself under pressure from its own customers, which is why it is tightening its vendor relationships. It recognizes that no one is perfect, but it is forced to implement changes. We can help our New Jersey customers quickly formulate a strategy to respond.
The response will be a fact-based assertion of current compliance, with a concrete commitment to improving. So long as the response provides reasonable, time-bound assurances and demonstrates the knowledge needed to make good on the pledge, most customers will accept the assurance rather than search for a new vendor.
CMMC Level 2 Assessments (for DoD contractors only)
New Jersey is home to several thousand businesses in the DoD’s Defense Industrial Base. These companies must perform informal annual assessments and formal triennial (every three years) assessments of their information systems (DFARS 252.204-7019). We are CMMC Registered Practitioners specifically authorized to participate in these assessments.
Small Business Cyber Security Consulting
These five consulting engagements are only the most common. If you’re a New Jersey company with other data protection consulting needs, please call us. Garden State Backup has been providing small business cyber security consulting services for NJ companies since 1994. We’d be pleased to assist you with your unique requirements.