When it comes to protecting your business’s data, it’s easy to get caught up looking at the latest tool or talking about fancy new techniques for confounding criminals. The problem with taking such an approach is that you run the risk of neglecting what’s most important – a firm foundation.
It’s something human civilization has known for centuries – you can’t build anything stable without a strong foundation. I find it more than a little curious that people so often seem to forget about that truth when it comes to security. In the same way that you can’t build a house on sand, you cannot execute a proper cybersecurity strategy if you don’t start with the basics. Our core foundation is to ensure the team has a solid knowledge base, which starts with cyber security leadership training.
Certainly, there’s a place for advanced techniques, tactics, and technology. There’s a place for hardened infrastructure, penetration testing, and cyber-incident simulations. I won’t deny that those are all important, too.
But they simply aren’t as vital as forming an understanding of the core concepts behind data protection.
Keep Everything Up To Date
It should really go without saying, but the most important piece of advice I’ll give you is to always keep your systems up to date, no exceptions. I’ve lost count of the number of times I’ve seen a data breach occur solely because a business ran outdated software or firmware and didn’t bother to patch it.
Consider, for example, that in Fortinet’s Q2 2017 Global Threat Landscape Report, it was revealed that 90% of businesses working with the company experienced attacks exploiting vulnerabilities that were three or more years old.
60% of those organizations were targeted with decade-old exploits.
You cannot afford to make excuses here. Hackers are always going to seek the path of least resistance. Sophisticated criminal enterprises capable of cracking even the most ironclad security measures are actually quite rare – most of the time, you’re going to be victimized by someone who’s just trying to make a quick buck.
Ensuring your software isn’t outdated makes you a much less attractive target to those kinds of people, and makes them far likelier to go after someone else.
Know Your Business’s Risk Profile
Information security truly shines when it’s integrated with risk management. Your first task should thus be to formulate a risk profile for your organization and involve the whole business in that process. Cybersecurity is no longer the sole domain of your IT department, after all – but we’ll discuss that more in just a moment.
This risk profile should answer the following questions:
- What are my most valuable assets? These might include intellectual property, customer data, financial records, communications related to an upcoming acquisition, legal documents, etc.
- Of those assets, which are likely to be most valuable to a bad actor?
- Where do those assets reside?
- Who has access to those assets, and do they need that access to do their job?
- What are some potential weaknesses that a criminal might exploit to compromise those assets? These might include unpatched systems, poorly trained employees, unsecured WiFi, misplaced devices, etc.
- What can I do to reduce the risk that those assets might be compromised?
- What measures do I have in place to enable secure remote access to those assets?
- In the event that those assets are compromised, what is my plan for mitigating the harm caused and ensuring business continuity?
Monitor Your Data
As part of your risk profile and security plan, you should chart out where your data resides, and how it flows through your network. But that’s only the first step. See, remote work is more prevalent than ever in enterprise.
Unless yours is one of the rare few organizations where employees don’t work remotely (it isn’t), sensitive data will pass outside your security perimeter. You need to have measures in place to ensure you don’t lose control of it: a monitoring and management system that allows you to rescind access to critical files so they don’t fall into the wrong hands.
Promote a Cybersecurity Culture
As I’ve already mentioned, cybersecurity is no longer the sole domain of your IT department. Every single line of business in your organization uses technology to some extent – which means that every single line of business has some skin in the game when it comes to protecting corporate data. That’s only further compounded by the fact that the end user is more empowered than they’ve ever been.
IT can no longer be the sole gatekeeper of corporate apps and technical resources – it’s an impossible job. Instead, you need to shift your business’s culture and implant the idea that cybersecurity is now everyone’s responsibility. You need the people at the top of your organization to lead by example, to drive home the fact that even the lowest-level employee has an important role to fulfill.
Part of that shift needs to involve education: teaching your employees to recognize social engineering attacks like phishing emails, and motivating them to be serious about not cutting corners or doing things that might put your business at risk.
Authenticate Everything (And Everyone)
Trust no one. Trust nothing. Validate everything.
This mantra should be in the back of your mind whenever you’re discussing cybersecurity. No matter who is trying to access corporate resources, and no matter what device they’re using, they need to go through an authentication process. There can be no exceptions to this rule.
And certainly, you can take measures to make things more convenient: single sign-on, biometric and behavioral authentication, device-based tokens.
But at the same time, you need to take the perspective that everyone could be a potential security risk. You need to limit access to only the people who absolutely require it. You need to assume that even a device that looks like it’s being operated by an employee might be spoofed, and monitor your systems and networks for suspicious activity.
Strong Policies Are A Must
Last but certainly not least, cybersecurity is about more than systems, culture, and software. It’s about the business processes that support all those things: the frameworks and policies by which you want your end users to operate.
These include:
- Acceptable Use. Where mobile devices are concerned, what can employees use them for in the workplace? What applications are they allowed to download? What counts as ‘business use’ vs ‘personal use?’
- Password Policy. A strong password policy is a must, lest you wind up trying to protect a critical system with the word ‘guest.’
- Incident Response. You need formal plans for how you will react to a range of incidents, including data breaches, system failure, ransomware infection, and so on. These plans should include responsibilities, communication, and post-incident assessment.
Start Strong – Be Stronger
Establishing your organization’s cybersecurity posture is a lot like building a house. You need to start with a strong foundation – a concrete set of processes, policies, and security measures upon which your more advanced techniques can reside. Otherwise, it doesn’t matter how much you spend on fancy security tools.
Because your security will be little more than a house of cards.
About the Author:
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.