Pub. 11 2021-2022 Issue 5

assurance that you recognize those differences. Make sure the risk assessments and control lists reflect that distinction.

• Verify that detective controls are in place. Because we cannot prevent every threat, the ability to recognize and stop threats quickly is key. Document which tests and exercises have been done to confirm that the detective controls are functioning. Detective controls are only as good as what they can detect: if your controls have never been tested and have never found a threat, there is no proof that they work.

• Run an incident response team test, either a tabletop or a live exercise, to ensure that everyone knows their duties, that appropriate backups are available, and that the team has the appropriate authority to act. Sometimes an exercise can be as simple as taking a random sampling of your organization and asking, "What do you do if you think ransomware has been installed on your workstation?" Ensuring that all employees know what to do is as important as a well-prepared incident response team.

• Run a recovery test on all backups.

• Ensure social engineering testing is performed in your organization regularly.

• Execute vulnerability scans on a regular basis and perform focused penetration tests as needed.

• If you have internal development or use contracted development, audit the development process and ensure that the code has current security tests and that any front-facing applications have been tested against the OWASP Top 10, found at owasp.org/www-project-top-ten/.

These proactive steps will help senior management and the board understand the cybersecurity landscape of your business. Carrying out these actions reflects a level of maturity, especially during this time of tension, as our regulators and the world at large are watching to see whether we are taking the necessary steps to protect the people and businesses we serve, and our country itself.
March • April 2022
