Payment Card Industry (PCI) compliance means a business must adhere to a set of guidelines created by the PCI Standards Council. These requirements will vary for each business based on data stored, technology used, and size of business. Whether your organization is based in Dayton, or another Midwest area, the general guidelines for PCI compliance include:

• Building and maintaining a secure network
• Protecting cardholder data
• Maintaining a vulnerability management program
• Implementation of strong access control measures
• Regularly monitoring and testing of networks
• Maintaining an Information Security Policy

Ohio’s Chapter 1354: Businesses Maintaining Recognized Cybersecurity Programs is a safe harbor to protect businesses from lawsuits due to a data breach. Businesses may qualify by satisfying the requirements listed in Chapter 1354.02. These require your business to “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework”.

Whether your organization is based in Dayton, other Ohio areas, or anywhere in the Midwest, a Chief Information Security Officer (CISO) can be critical in helping your financial institution develop an Information Security Program and maintain a strong security posture. Many companies have discovered a virtual CISO (vCISO) to an effective and cost-efficient way to achieve their goals. A vCISO will perform many of the same functions at a fraction of the cost.

vCISO Services should include:

• Security Plan and Risk Assessment Framework 
• Governance and Board Strategy Development
• Corrective Action Plan Development and Execution Strategies
• Compliance Audit Guidance and Assistance
• Policy Development
• Security Awareness Program Development
• Social Engineering
• Incident Response Plan Development
• Business Continuity Planning
• Vulnerability Assessment and Penetration Testing

A Chief Information Security Officer (CISO) earns an average estimated salary ranging from $120,000 – $250,000 annually. This investment may be too much for a small to medium-sized company to handle. Many Dayton-based companies have discovered a virtual CISO (vCISO) to be an effective and cost-efficient way to achieve their goals. A vCISO will perform many of the same functions at a fraction of the cost.

According to a 2018 Verizon Data Breach Investigations Report, 58% of cyber-attack victims were small businesses. While all companies are susceptible to a cyber-attack, small businesses often have a more difficult time recovering from such an attack. Therefore, it is increasingly important for small businesses to develop strong Information Security Programs to protect their data.

Email phishing attempts are the most common method of cyber-attacks. These attempts continue to grow in sophistication, making detection increasingly difficult for your employees.  While you cannot stop all phishing attempts, you can significantly reduce the risk of a data breach by following these guidelines:

• Email Filtering – Many of the top-recommended filtering software programs will block most spam emails. While this is necessary, it may also create a false sense of security since these phishing attempts are increasing in sophistication.  
• Website Filtering – Companies should have filters setup to prohibit their users from navigating to potentially malicious websites. These websites may contain malware that can be downloaded onto your employee’s devices.
• Phishing Simulation – Building a strong security awareness culture and is much like building a muscle. With routine simulation and training, your staff will build these security “muscles”, which helps detect any attempts not stopped by software filters. 
• Security Awareness Training – Security awareness training can improve your staff and make them your “eyes and ears” for cyber-defense. Strong security awareness programs help turn your staff into a human firewall. They should understand how to detect phishing attempts (whether from email, phone, or text), in-person masquerading by social engineers, USB drop attempts, etc.