Cybersecurity Best Practices for Community Management Companies

December 22, 2021

Cybercrime is a multimillion-dollar industry. Businesses are fighting well-organized, deep-pocketed adversaries and need to be prepared.

Every business type collects different amounts of data. Some face more risk than others based on the type and amount of information collected.

To minimize risk of cyber incidents, we recommend community management companies prepare for cyber threats and implement the following best practices.

Cyber Policies
Having a documented cyber policy is critical for any organization, and community management companies are no exception. However, a company cannot simply create a policy and never do anything with it; company leaders must ensure all employees are familiar with the details of the policy.

A community management company’s cyber plan should address the access to and release of financial information, intellectual property, customer records and employee records. The policy should lay out who has access to sensitive data, how the data is moved, how often it’s updated, how it’s stored and the technology involved.

A community management company’s cyber policy should also clearly lay out acceptable use rules – can employees use their work devices for personal use? Can security programs be removed from these devices?

Another key component of a company’s cyber function is designating a member of the organization to implement and enforce the policies. This person should champion the organization’s cyber function, own the budget and manage the hiring process.

As the community management industry increasingly embraces hybrid work and remote work models in the wake of the COVID-19 pandemic, companies need a policy that specifically addresses remote work cyber controls.

Though a hybrid work model means that companies have less control over cybersecurity than if employees were in the office five days a week, there are precautions they can take to reduce risks.

Community management companies should consider the physical aspects of remote work that need to be laid out in the policy, such as the exclusive use of the company’s VPN when performing work duties. If employees are using their own devices, companies should consider having their staff download applications that store and protect client information.

Employee Training
Employees can make or break a company’s cyber policy. Employee adherence is essential to maintaining strong safeguards against cyber incidents.

C-suite members and high-profile partners often have their contact information prominently displayed on company websites and are active on networking sites like LinkedIn, which make them prime targets for bad actors. It is critical that these high-profile members of community management companies follow the cyber policies and set a good example for others.

Another important aspect of implementing cyber policies is training. Organizations should be consistently training employees on the cyber policies and running phishing tests to ensure employees can recognize and appropriately respond to suspicious emails. Yearly cyber response exercises should be held, too, to ensure each member of the organization understands their respective roles should an incident happen.

Responding to Cyber Incidents
If your business waits until it has been breached to pull together a cyber incident plan, you are too late.

Organizations must develop a cyber response plan before anything happens and delineate roles and responsibilities to the organization’s stakeholders. The response plan should include multiple “what if” scenarios that are practiced at least once a year.

If a cyber incident does occur, it’s important that the company meet the obligations for the state(s) in which it is operating.

Community management companies could also consider purchasing cyber insurance that covers data breaches and CEO fraud. Oftentimes, the insurance policy will also provide businesses access to cybersecurity consultants that can aid in the response if an incident does occur.

Third Party Partners
If an organization does not have the capacity to manage its cybersecurity needs, it should consider partnering with a third-party consultant. When evaluating potential partners, businesses should seek out those with proven track records.

Companies should also ask to speak with other businesses who have worked with the cybersecurity companies before. Successful cyber consultants should be happy to direct businesses to current or former clients that can give positive testimonials.

Another way an organization can vet potential cybersecurity partners is to come up with a list of the company’s needs or issues and ask the vendor how they would solve or address those problems. That way businesses can get a sense of what a possible partnership with the company would look like.

Following the above best practices will help community management companies protect sensitive client data and reduce the risk of experiencing a significant cyber incident.