FOUR THINGS COMPANIES SHOULD DO RIGHT NOW TO IMPROVE THEIR CYBER SECURITY
Everyone has an opinion, particularly when it comes to keeping your company safe from cyber- attacks. We are all under constant bombardment by vendors pushing the next best solution that will solve all of your security problems. Well, the harsh reality is that there are no silver bullets when it comes to protecting your company from threats.
There actually are a few fundamental things that every business can (and should) do toward building a formidable defensive cyber security posture.
I’ve narrowed the cyber security must do’s down to four actions:
Number 1: Drive cultural change in your organization!
I’m realistic enough to know that the amount of change a person can drive is directly proportional to that person’s position in the company hierarchy. But none the less, we all have the ability to drive some level of change. So with that, if we truly want to improve the security posture of our organization, we have to drive the company to the point where every employee views themselves as a part of the Cyber Security Team. We do that by making cyber security best practices a priority from the highest levels of leadership, to the entry level employee. We also need to create a culture of accountability where employees who violate security policy are held to task. In reality, the human is still the weakest link in the cyber security change. So we need to spend our resources addressing the human factors related to security breaches.
Number 2: Assess your network security posture!
Before you can determine where your company needs to go with your cyber security efforts, you need to know where you are starting. So I suggest that you have a direct, but non accusatory, conversation with the person on your Team who is responsible for network security. Start the conversation by asking a simple question, “is our network secure?” The answer we hope for should be realistic, frank, and will probably be a bit sobering. The answer we are likely to get will be quick and positive. Hint: If the answer is “We are secure”, ask why.
Number 3: Assess your Team!
There are two types of people in the world; true cyber security experts, and everyone else. Okay, admittedly there are a lot more than two types of people in the world. But in cyber security, there are the real experts, and the IT professionals who practice cyber security part time.
Now before the IT professionals in the audience click away from the blog…hear me out. In fact, the primary role of IT folks is critical to keep the network operating. Network operations are the life blood of business operations. So IT professionals must direct their focus toward keeping the network architecture up and running efficiently thereby enabling business operations.
IT professionals and Cyber Security Operators complement each other and both groups are absolutely critical to efficient and secure network operations. But for most the distinction is cloudy at best. But for those of us who know a little bit about the experience, training and knowledge required of a cyber security professional, the distinction is crystal clear.
True cyber security experts are difficult to find and command extremely high salaries. Ironically, the fact that true cyber security experts are so hard to find actually drives the majority of companies to the undesirable practice of relying on IT professionals to carry out their security functions. So, companies are left with the challenge of finding ways to leverage their IT Staffs to act as cyber security experts. We know that this approach doesn’t work…and the data proves it, reference the constantly growing list of companies that have been hacked. Fortunately companies do have choices, particularly those companies with limited resources. In short, if you can’t hire a cyber security team…outsource one.
Number 4: Understand that it isn’t a question of if your company will be hacked, but when!
Accepting the fact that your company will eventually get hacked is not the same as announcing to the global community of hackers that your networks are fair game. Rather, accepting the fact that you will be hacked is a good first step toward understanding what it takes to defend your network. This is an extremely important point because most companies continue to believe that protection against cyber- attacks comes in the form of highly automated, and usually highly expensive technology (recall the silver bullet discussion). But as the cyber war continues businesses are beginning to realize that a different, more proactive approach is required. My formula is simple…prevention and detection. When I think about prevention, I envision the automated technology that I mentioned early e.g. next generation firewalls, secure eMail and Web gateways, and anti-virus solutions. These preventive technologies go a long way at stopping the most common threats as well as deterring less motivated hackers. When I think about detection, I envision sophisticated monitoring and detection technology operated by those genuine cyber security experts I mentioned earlier…and by the way, this is a 24/7/365 proposition.
So how does a small or mid-sized business get detection capability without having to hire an army of cyber security experts? The answer isn’t as daunting as one my think. There are an increasing number of cyber security companies that offer a range of managed security options. But the real challenge is to find those security companies that are staffed by true security experts.