A strong IT foundation is not just a necessity – it is a game-changer


Data security is not just a buzzword, it is a vital part of keeping modern businesses running smoothly. We have all seen real-world examples where data breaches caused massive headaches for companies that did not take their security seriously. But do not worry, we have got some positive news to balance that out! When data security is done right, it brings a ton of benefits.

Data security strategies protect sensitive information, keep customers happy, and help you stay on the right side of regulations. For those of you in the vision industry, prioritizing data security means you are not just safeguarding your operations and reputation – you are also boosting your bottom line, and maybe even seeing a nice return on investment. Our objective is to cover key security objectives:

  • Protect digital assets: safeguard your valuable data and infrastructure
  • Ensure business continuity: maintain operations even in challenging circumstances
  • Mitigate risks: identify and address potential threats proactively
  • Foster trust: build confidence with clients and partners through strong security measures that protect your brand

Importance of data security

In the near future, we will be seeing a big change with the new reporting requirements called standard contractual clauses (SCC). Businesses will need to publicly report any incidents they have had, which is going to shake things up. As someone who reviews vendors for clients, one of the first things we look at is who you are as a company. How seriously does a company take security, especially when exchanging sensitive data? This is a question that is going to come up more and more often from those who want to do business with us. Therefore, it is crucial to be prepared and make sure your security measures are rock solid. Keeping the following points in mind may help someone take cyber security more seriously:

Data as lifeblood: Think of your data as the lifeblood of your business. Protecting it is not just about avoiding threats but ensuring your business thrives.

Immediate consequences: Financial losses, operational disruptions, and potential legal liabilities arise – and soon fees!

Long-term impact: Reputational damage affects customer trust and business relationships. Imagine a world where your customers trust you implicitly because they know their data is safe with you.

Recovery and rebuilding: Significant time and resources are required to recover from the breach and rebuild trust.

“Everybody has a plan until they get punched in the face”

That is why regular security assessments are so important. We need to start viewing strong data security as a competitive advantage. It is something that can set you apart from competitors who do not have a solid plan in place. By securing your data, you are not just protecting information – you are safeguarding your business’s future. With the following 10-step program, you – yes, you can! – create your very own security strategy.

For those who are not IT specialists, it may be worth emphasizing that the following instructions are more about communication than IT. Everything leans heavily on communication. These plans should show how important steps can save and grow your business. The plans are not in a particular order, so we recommend working with your managed service provider (MSP); if you do not have one, Dataprise would love to help. You can also form a steering committee with your IT staff and other stakeholders. Start with the low-hanging fruit to build momentum, or tackle what matters most for protecting your brand.

1. Business continuity plan (BCP)

Business continuity is critical to protect your revenue and your reputation. If a system goes down, do not get caught off-guard. Maybe you shift to manual, paper-based processes … maybe you begin to use a temporary solution. However, it is important to have a well-documented and well-communicated plan to keep your business moving and make sure your staff and your IT provider are aware of what to do in these circumstances. There is no point in having a plan if you do not communicate it and test it out from time to time. A continuity plan is your business’s safety net. It ensures you are prepared for anything.

2. Risk management plan

Risk mitigation strategies: Develop strategies to reduce or eliminate the impact of each identified risk. This might include contingency plans, preventive measures, and outlining response actions.

Risk monitoring and review: Continuously monitor risks and the effectiveness of mitigation strategies. Regularly review and update the risk management plan to address new risks or changes in existing risks.

Roles and responsibilities: Assign clear responsibilities for risk management activities to specific team members or departments.

Risk communications plan: Establish a communication plan to ensure that all stakeholders are informed about risks and the measures in place to manage them.

To make this easy, start with a simple risk register. It does not have to be complicated – just list everything you have that could be hacked, from apps and files to Zoom accounts, Adobe accounts, even copying machines. If it touches the internet, it goes on the list (see example in figure 1).

Next, identify your “reds” – the areas most at risk – and figure out what it will take to get them down to “yellow”. The rows on the left give the likelihood of an event, and the top row gives the impact it would have.
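The register and the likelihood-by-impact grid described above, as an added illustration that is not code from the article or from Dataprise. The 1 to 5 scales, the likelihood × impact scoring and the green/yellow/red thresholds are assumptions, as are the sample entries for a small optical practice.

```python
# Risk register with a 5x5 likelihood-by-impact matrix (added illustration,
# not code from the article or from Dataprise). Assumed, not from the article:
# both axes run 1..5, a cell is likelihood * impact, and the bands are
# green < 8 <= yellow < 15 <= red.
from dataclasses import dataclass

YELLOW_MIN, RED_MIN = 8, 15  # assumed band thresholds

@dataclass
class Risk:
    asset: str       # anything that touches the internet goes on the list
    likelihood: int  # 1 (rare) .. 5 (almost certain); the left-hand axis
    impact: int      # 1 (negligible) .. 5 (severe); the top-row axis

def score(likelihood: int, impact: int) -> int:
    """Matrix cell value: likelihood times impact, both 1..5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact

def colour(likelihood: int, impact: int) -> str:
    s = score(likelihood, impact)
    return "red" if s >= RED_MIN else "yellow" if s >= YELLOW_MIN else "green"

def reds(register: list[Risk]) -> list[Risk]:
    """Entries to tackle first, highest score first."""
    hot = [r for r in register if colour(r.likelihood, r.impact) == "red"]
    return sorted(hot, key=lambda r: score(r.likelihood, r.impact), reverse=True)

def likelihood_for_yellow(risk: Risk) -> int:
    """Highest likelihood at which the asset leaves the red band. Impact is
    mostly fixed by what the asset is; controls such as MFA and patching
    lower the likelihood, so that is the axis a mitigation moves."""
    for lk in range(risk.likelihood, 0, -1):
        if colour(lk, risk.impact) != "red":
            return lk
    return 1  # not reached: likelihood 1 scores at most 5

REGISTER = [  # constructed sample entries for a small optical practice
    Risk("practice management app with patient records", 4, 5),
    Risk("networked copier with scan-to-email", 4, 4),
    Risk("Zoom account", 3, 3),
    Risk("shared Adobe account", 3, 2),
]

if __name__ == "__main__":
    for r in reds(REGISTER):
        print(r.asset, "is red; aim for likelihood", likelihood_for_yellow(r))
```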

3. Disaster recovery plan

A disaster recovery plan is not just about survival – it is about bouncing back stronger. In the face of disaster, your recovery plan is your secret weapon. Disaster recovery planning is what allows you to restore systems quickly when they go down, but not all systems are equally important.

It starts with assessing “business impact”. Think of your business, and which systems and applications you rely on the most. If one of those systems goes down, do you lose revenue? Does it sink productivity for a day? Could you be in trouble if critical files are lost forever? Make sure you have a documented plan for what you and your IT service providers need to do to restore any critical systems, so that your business does not suffer. Talk to your provider about taking backups and testing backups. And in all of this, remember communication is key!

4. Vendor management plan

Choosing the right partners can make or break your business. Rigorous vendor audits ensure you are in good hands. Ask yourself: who is interacting with your data? Remember the Target example from our first webinar? A refrigeration company hired by Target got hacked, and that breach ended up compromising Target’s systems right during the Christmas season, shutting down their ability to process credit cards. It is a stark reminder of how crucial it is to know who is talking to your data and where that data is going. Therefore, a vendor management plan with these categories will help you keep a record of everyone who has a hand in your wallet.


One example of how to make that job one step easier is using AI. We have a pre-filled chat in ChatGPT that says “I am looking into doing business with a vendor.” From now on, every business name gets pasted into this chat. Then we can ask the AI to tell us whether …

  • this is a reputable company
  • major companies use the vendor
  • they are U.S. based
  • the founders are U.S. based
  • their data sits in the U.S.
  • they had any security incidents in the last five years
  • they have a good Glassdoor rating
  • ChatGPT can tell more about their competition
  • ChatGPT knows their rating from other consumers
  • they fit my industry

Now, you can type the name of the business and, just like that, you get all the answers that would have taken hours to google! You need this in your playbook for both value and recovery planning. Choosing the right partners can make or break your business. Rigorous vendor audits ensure you are in good hands, built on reliability and trustworthiness.

5. Compliance plan

This responsibility ultimately falls on you when it comes to HIPAA compliance, PCI compliance, or any other regulations your organization is subject to. It is crucial to ensure that your internal security officer is staying on top of these requirements and working with IT or your tech consultants. 

Make sure the tools you are using enable you to maintain HIPAA compliance. HR should also have clear policies and procedures in place to communicate this effectively to employees. Everything we have discussed aligns with HIPAA compliance. Please keep in mind, this is a serious matter. If your organization falls under the guidelines, then these measures should already be in place.

6. Physical security plan

Physical access control: Implementing strict physical access controls to secure sensitive areas and data centers. This includes key card systems, biometric scanners, and security personnel to monitor entry points.

External penetration testing: Engaging outside vendors to conduct regular penetration tests. These assessments help identify vulnerabilities in physical security measures and provide valuable insights for improvement.

Equipment refresh: Maintaining a schedule for refreshing security equipment. This ensures that all physical security systems are up-to-date and capable of addressing evolving threats.

Automated updates: Implementing automated update systems for security software and firmware. This helps maintain the latest security patches and features without manual intervention.

Backup systems: Establishing robust backup systems to protect critical data. This includes off-site storage and regular testing of backup and recovery processes to ensure business continuity.

7. Incident response plan

Establish the steps from figure 2 to ensure you have a valid incident response plan. This figure is important for the IT team and the company’s playbook. This is what you follow in the event of an emergency. Start a conversation with your IT team about it and ask: “Where do we stand when it comes to a response plan?” (Keep in mind, it might not look exactly like this.)

If you have a plan like this ready and detailed for a bad day, it will help you see another day. Meanwhile, your competitors who do not have this in place might not be so lucky – they could stumble or fall behind. One of the key factors that will help you outlast your competition is how well you are prepared for a setback. Are you like an F1 race team pit crew, ready to spring into action? Or are you scrambling, trying to get quotes from different mechanics, hoping to get on their calendar as soon as possible?

8. Employee training plan

How many times have you or your staff received emails or texts that look suspicious? Have any of you taken the bait? It happens all the time. Your employees are your first line of defense. Equip them with the knowledge to protect your business, for example with regular, engaging cybersecurity training sessions, because an informed team is your strongest asset.

9. Active monitoring plan

Using advanced threat detection systems keeps you one step ahead of threats and keeps your business running smoothly. Keyword: Pentest. It enables early detection of potential security issues, allows for immediate response to emerging threats and helps maintain continuous security awareness.

Dataprise has a program where we actively monitor threats within your on-premises servers and/or cloud accounts in Azure or the like. The features are active antivirus agents, proactive threat hunting and correlation, automated threat intelligence feeds, user and entity behavior analytics (AI), KnowBe4 campaigns that give you reports on who we should sit down with to go over better security hygiene, and more.

10. Continuous improvement plan

Finally, keep on keeping on! Keep reviewing the plans, put them through the wringer, make adjustments, and do this annually, since a lot of things change from year to year. The hard work is up front; after that, it is all just continuous improvement.

Remember, in the digital age, a strong IT foundation is not just a necessity – it is a game-changer. With technologies like AI, we are headed to a new world unlike the one we know now.

IT expert Nabil Gharbieh currently leads The Vision Council’s webinar series about cyber security strategies. As an Information Technology Advisor at Dataprise, Nabil provides quality management services to clients across various industries and sectors. With over 17 years of experience in IT, he has developed expertise in program management, technical account management, customer success, sales, and technology advisory. Nabil is certified in Microsoft Technologies, AI, Health Care IT Security, ITIL, Google Cloud, and Apple/Mac Integration.

Tara Donohue Bartels, MA, PMP, is a seasoned leader and cybersecurity expert who currently serves as Manager of Advisory Services at Dataprise. With a robust academic foundation and a PMP certification under her belt, Tara blends technical acumen with strategic insight to help businesses navigate complex IT and cybersecurity challenges. She is known for her proactive approach in advising on risk management, compliance, and innovative technology solutions — ensuring that organizations not only protect their assets but also seize new opportunities in the digital landscape.