Every small business is unique and should consult a qualified attorney for advice on the FTC Safeguards Rule. But, as cybersecurity professionals, we believe you should have access to a way to jumpstart your effort while you work with counsel on any particulars unique to your situation. So, today we're offering extremely actionable steps that would move you a long way towards some of your FTC Safeguards Rule obligations. Let's cut straight to the chase:
Infosec Training Posts
Before we get into the interplay between vendor risk assessment and security awareness training, let's get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It's a smart move either way.
However, as a company that specializes in working with founding teams, we know that sometimes an early-stage venture hits a growth stride so quickly that the forcing function (a vendor risk assessment) arrives faster than the intuitive thought of "we should probably be doing some security awareness training", and we certainly empathize with founders in that situation.
If you are a Havoc Shield client, we hope you've rolled out an Incident Response Plan in the Policy Manager section of the platform. Whether you accept our battle-tested templates outright, or you choose to make some surgical modifications, it's important to get the plan into the hands of those who will participate in it. You know the drill: planning for the worst, hoping for the best, as they say. If you aren't a Havoc Shield client, we hope you've rolled out a similarly battle-tested plan.
With your plan in the hands of your team members, now is also a good time to talk about the hidden connection between Incident Response Plans and Talent Acquisition, especially if you are at the type of company that we typically serve: angel-backed, venture-backed, and growth companies.
We learn as kids not to talk to strangers, but as adults we sometimes forget this lesson when we engage with emails. That's why it is so crucial to put email security best practices in place in order to protect your data, your customers, and your company as a whole.
Phishing training requires a holistic approach that is often overlooked by companies racing to "check the box" in terms of offering training on this increasingly important topic. A big mistake would be to treat phishing training the way that companies treat many other kinds of training. We've heard of far too many company training events that involve a manager speaking for 30 minutes, with slides in the background, followed by everyone going back to what they were doing.
If that approach sounds a bit like what your company does for phishing training, please read on.