Protecting Your Customer Data: Cybersecurity Basics for Insights Providers

This is the first in a series of cybersecurity, privacy, and compliance articles from Ezentria to help members of the Insights Association and their executive teams better understand information security best practices and compliance requirements. 

Why Data Security is Essential to the Present & Future of Insights
Marketing research and analytics firms generate a large amount of client data. The data sets may contain personally identifiable information (PII), contact information, proprietary research, and competitive analysis. This data is usually intended for your clients’ eyes only.

Protecting this data from a malicious internal or external attack is a priority and may require additional information security or privacy measures. Depending on the client, the information may be subject to specific government regulations or industry standards, which can be challenging for small market research firms with limited IT budgets.

While certification or attestation with security and privacy standards (ISO 27001, SOC 2, GDPR, CCPA, etc.) is a must for some client contracts, it may not be a requirement for your current clients. But, as your organization grows and bids on new projects, there is a good chance that your prospects will ask about your information security practices. Taking the time now to assess your existing policies, procedures, and controls will help you build a stronger information security foundation to react quickly to these future compliance requirements.

Cybersecurity Basics
We are highlighting the Small Business Administration (SBA) approach because of its emphasis on the assessment process. Once you know what you’re protecting, you’ll be able to focus the efforts of your IT resources and better justify any required investments. Assessing your organization’s risk and defining your risk tolerance helps to prioritize your projects and select risk treatments.

The SBA also offers a valuable 30-minute on-demand cybersecurity training course for business leaders and managers in the SBA Learning Center Cyber Security for Small Businesses.

You will find that there are many free cybersecurity resources available to small businesses from government agencies (DHS|CISA, FTC, FCC, NIST, DoD, NCSA, and US-CERT). As you skim through them, you’ll see a variety of tools, resources, courses, and best practices.

Understand Common Threats
The SBA defines a few of the more common cyber-threats on their website:

  • Malware
  • Viruses
  • Ransomware
  • Phishing

There are controls that you can put in place to protect your assets from most of these, but phishing (or social engineering) is one of the more dangerous threats because the attack preys on your employees and their awareness (and emotions) to bypass those security controls.

Even with regular and thorough training programs, the best organizations still have about a 2% occurrence of successful phishing attempts. Sadly, it takes only one successful phishing attempt to impact your operations or profitability significantly.

There are many other common threats not covered by the SBA, such as Distributed Denial-of-Service (botnet), RootKit, Brute Force (Password Attack), Cross-Site Scripting, SQL Injection Attacks, Man-in-the-Middle, Zero-day Exploit, DNS Tunneling, Identity Theft, Spear Phishing, Cryptojacking, and IoT attacks. To learn more about these additional threats, just Google “What is [threat name]?”.

Assess Your Business
The SBA says, “The first step in improving your cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.” We happen to agree.

The Risk Assessment is the most important of the assessments we list below. The SBA provides more information in their training course about risk and “acceptable risk” than they do on their website.

Here are some assessments that you may consider. Some consultants may combine these techniques into a single custom assessment, but for clarity, we will keep them separate for now.

  1. Risk Assessment

Most security standards don’t dictate which risk assessment methodology you use, as long as you choose one that meets their minimum requirements. Popular frameworks include ISO 27005, OCTAVE, and NIST 800-30. The goal of the security risk assessment is to determine “How much risk can we live with?” and how we will treat the rest.

A risk assessment will typically:

  • Take an inventory of your assets
  • Identify the possible threats and vulnerabilities
  • Assign a value for “impact” and “likelihood” of each risk
  • Plan treatment for each risk that crosses the “acceptable” threshold
  • Compile the results and recommendations in a report

Common risk treatments include: mitigate (implement controls), avoid (stop the activity), transfer (share the risk), and accept. The SBA also recommends cyber insurance for risk that you would like to share.
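As an added illustration (not part of the original article), the following Python script walks through steps 3 to 5 above for a constructed register: it scores each asset/threat pair as impact × likelihood on a 1 to 5 scale, flags everything above an assumed acceptable-risk threshold, and records one of the four treatments for each flagged risk. The threshold, the sample assets, and the decisions are all assumptions chosen for the example.

```python
from dataclasses import dataclass

TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}  # the four options named above
ACCEPTABLE_RISK = 6  # constructed threshold on the 1..25 scale: "how much risk can we live with?"

@dataclass
class Risk:
    asset: str       # step 1: item from the asset inventory
    threat: str      # step 2: threat or vulnerability against that asset
    impact: int      # step 3: 1 (negligible) .. 5 (severe)
    likelihood: int  # step 3: 1 (rare) .. 5 (almost certain)

    def score(self) -> int:
        return self.impact * self.likelihood  # common qualitative impact x likelihood product

def triage(register, threshold=ACCEPTABLE_RISK):
    """Step 4: return (risks crossing the threshold, highest first; risks that can be accepted)."""
    for r in register:
        if not (1 <= r.impact <= 5 and 1 <= r.likelihood <= 5):
            raise ValueError(f"score out of range for {r.asset} / {r.threat}")
    flagged = sorted((r for r in register if r.score() > threshold), key=Risk.score, reverse=True)
    return flagged, [r for r in register if r.score() <= threshold]

def plan(flagged, decisions):
    """Step 5: attach a treatment to each flagged risk. A flagged risk marked 'accept'
    is reported separately so that management signs off on it explicitly."""
    report = {"treated": [], "accepted_above_threshold": [], "undecided": []}
    for r in flagged:
        choice = decisions.get((r.asset, r.threat))
        if choice is None:
            report["undecided"].append(r)
        elif choice not in TREATMENTS:
            raise ValueError(f"unknown treatment {choice!r} for {r.asset}")
        elif choice == "accept":
            report["accepted_above_threshold"].append(r)
        else:
            report["treated"].append((r, choice))
    return report

# Constructed sample register for a small research firm (values are illustrative)
SAMPLE = [
    Risk("survey response database (PII)", "ransomware", impact=5, likelihood=3),  # 15
    Risk("staff mailboxes", "phishing credential theft", impact=4, likelihood=4),  # 16
    Risk("field laptops", "loss or theft", impact=4, likelihood=2),                 # 8
    Risk("office guest Wi-Fi", "unauthorized use", impact=2, likelihood=3),         # 6 -> accept
]
SAMPLE_DECISIONS = {
    ("staff mailboxes", "phishing credential theft"): "mitigate",  # MFA plus awareness training
    ("survey response database (PII)", "ransomware"): "transfer",  # cyber insurance, as the SBA suggests
}
```

Running `plan(*triage(SAMPLE)[:1], SAMPLE_DECISIONS)` leaves the field-laptop risk in the "undecided" list, which is exactly the kind of gap the written report should surface.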

  2. Vulnerability Assessment

A vulnerability assessment examines your IT assets (desktops, servers, routers, etc.) for software revisions and missed patches. A vulnerability scanner can be run at a specific point in time, but it is a best practice to implement a strategy or service that continually checks your infrastructure for vulnerabilities.

  3. Security Controls Assessment

A security controls assessment looks at the cybersecurity tools you have implemented to determine their effectiveness. Popular methodologies for a security controls assessment include ISO 27002 and CIS Top 20. The first six controls in the Top 20 are considered basic controls that all organizations should have in place.

  4. Policy and Governance Assessment

A policy and governance assessment examines your administrative controls. The consultant will look at the security policies you have in place and your organization’s ability to implement these policies and procedures, as written. The report will include the results of their analysis, as well as any new policy or governance recommendations.

  5. Vendor Risk Assessment

A vendor risk assessment looks at your supply chain and the security requirements and security policies of your suppliers, partners, and clients. This process is crucial for online transactions but also applies to the security of any data that you collect or share. Your larger partners will likely dictate the minimum security requirements for your relationship—because they have the most to lose. But that doesn’t mean that you can’t also have security requirements to protect yourself. We will have more on this topic in a future article.

Depending on the certification, some standards (like PCI DSS) also require regular penetration testing, which can be classified as a form of assessment as well. We recommend that you do not ask your current IT team to assess their own security policies, procedures, and controls. A third-party assessment will be more impartial and thorough and, in some cases, is required.

Cybersecurity Best Practices
The SBA website does an excellent job of detailing these best practices, so we won’t go in-depth here. However, we can’t stress the importance of employee Cybersecurity Awareness training enough. Most of the other best practices here are for your IT team to implement, and they can easily track and monitor each tactic’s effectiveness.

  1. Train your employees
  2. Raise Awareness about Cybersecurity
  3. Use Antivirus Software and keep it updated
  4. Secure your networks
  5. Use strong passwords
  6. Implement multifactor authentication
  7. Back up your data
  8. Secure payment processing
  9. Control physical access

Once you implement these basic tactics, you can use the results from your assessments to determine what other security controls and best practices need to be put in place to protect the intelligence, analytics, and insights you’ve developed for your clients.

Next Steps
We hope this article has you thinking about your information security practices and whether your organization is cyber-ready. The SBA Cybersecurity for Small Businesses training course is a great next step; then, discuss what you learned with your team. To help you prepare for this conversation, we put together a list of 10 Things Small Business Leaders Should Confirm (.pdf). If you have any questions, need assistance, or would like an assessment, you can reach us at ia@ezentria.com. Our next post in this newsletter will be in late April. Until then, be secure.

The Role of IA: A subsidiary of the Insights Association, CIRQ (the Certification Institute for Research Quality) was established to provide assessment and certification services to market research firms seeking certification to ISO 20252 and ISO 27001. A non-profit entity, CIRQ is committed to providing timely, thorough and impartial assessments of its customers’ quality management or information security management systems in regard to certification to corresponding standards.

News | Business | Dave Christiansen
February 24, 2020 By art.flanagan