You hold the keys to the kingdom if you have responsibility for IT security. So much rides on keeping your organization’s data safe – reputation, contract or compliance violations, sales, shareholder backlash, trust, financial impacts that could be disastrous … and your job.
Of course, if you have this responsibility you already know this, which is why it’s amazing that so many organizations overlook IT security foundational basics. Such weaknesses are what cyber-bad guys look for first and foremost. By not taking care of the easier 90 percent of threats to your network, you’ll have so many fires to put out that the really serious 10 percent of attacks will not receive the attention, resources and security integrity they so desperately deserve.
You’ll never be 100 percent secure from cybercrime, but that’s no reason to have an open-door policy either. Let’s take a look at actions that should be taken at every organization that relies on computer technology to function.
Who’s in Charge?
Hiring or appointing an IT security officer within your organization is a critical first step. A team approach is okay so long as ultimate responsibility rolls up to an individual with clearly defined responsibilities. In the event of a breach, you don’t want to be hunting around for someone to answer the many questions that will surely come up. The absence of a security officer conveys the perception/reality that security is not that important to you.
Write It Down
People come and go, but a written “living” security guide transcends organizational flux. If you do not document your security policies and practices, they will not last, or they will develop flaws in this fast-moving business landscape, or they will be continually reinvented without the benefit of institutional knowledge of what went before. Among other important things, the absence of a security policy and procedures document will breed confusion about exactly who’s responsible for doing what in a breach incident; it also leaves the door open to ridicule and additional liability after a successful attack.
Spread the Word
Even though accountability for data accessibility and security policies and practices falls to an individual, successful program implementation and integrity require something more. The entire organization must not only understand risks, policies and procedures, but each person must assume personal responsibility for their behavior. Training – continual training with frequent message reinforcement – from the first day on the job through retirement must be institutionalized.
Zip Codes Make Bad Passwords
It was bad enough when we had only a few log-on passwords to remember. Today, people probably log on to more websites during a typical day than they perform any other non-bodily function. That’s a problem because people tend to use the same weak passwords for many sites. A phishing attack that captures one sign-on credential can consequently open many other sites, accounts, files or databases that share that password. Furthermore, compromising one network may also provide access to multiple networks, such as those belonging to business partners, company vendors, retailers, etc. Passwords must be strong, changed regularly and different from site to site.
Need to Know
Increasingly, organizations are practicing zero trust. It sounds harsh and unfriendly, but if you could tell a crook by looking at someone, there would be a lot less crime in the world. Only those people who absolutely need access to particular data should have it. That approved access list should be reviewed and updated quarterly. These employees should be carefully vetted and, beyond organization-wide training, receive specialized training pertaining to safe data handling.
As a follow-on to the previous point, get rid of data that you no longer need. Classify data types and retention requirements. You don’t want to pay for storing data that is no longer useful, and losing such data to a security breach only adds insult to injury.
Measure, Report and Refresh
We mentioned “living” document earlier. Information security documents are not tomes for the ages. They must be revisited regularly because risks and threats to your data change daily. As soon as you apply a defense measure, bad actors are working on ways to circumvent it. The program should be “living” as well as the document; be sure company leadership receives a comprehensive review and report of security activities throughout the year, what’s been accomplished, where new risks are coming from, and your state of defense preparedness.
Evaluate Third-party Security Assistance
Security breaches happen every day. Many more organizations have awakened to this unfortunate reality, either through first-hand experience or from news reports of brazen and highly sophisticated breaches that are now the rule rather than the exception. In response to this new reality, the scope, scale and innovation that third-party security vendors and managed service providers have produced are all growing constantly. You may find that third-party managed security resources can help you attack the 90 percent of threats more effectively and efficiently, leaving you more time and resources to avert the remaining 10 percent.