Vulnerabilities. Data Breaches. Ransomware. In a world where a hacking activity takes place every 39 seconds, it’s easy to get trapped in a cycle of chasing the latest cybersecurity threats. But rather than putting your organization in a frenzied panic, consider taking a practical approach to your security program to help ensure a solid foundation and mitigate risks.
No matter what industry you are in, strategic planning and a relentless adherence to a written standard of technology is paramount. Start building your cyber defense wall with these practical steps:
1. Create a Strong Team
It’s important to identify the personnel, whether an internal employee or a security partner, who will be responsible for pushing your program forward. Even with a partner driving your security program, a security champion should be identified internally who can be part of the crucial conversations that happen daily to ensure new initiatives are being communicated to your security partner.
2. Conduct an Internal Audit
What are the most valuable and critical assets to your company? This is the same question that malicious actors will ask themselves when they are casing your organization, whether it’s during reconnaissance or even if an endpoint or process has already been compromised. Yes, even processes are assets in your company, and they should be under the same scrutiny your security team uses for securing systems.
Identify the systems (servers, databases, file shares, cloud services, etc.) that hold the data that is most critical to your organization. In tandem, identify the processes that are around all financial transactions.
An internal audit, for example, can help you assess how you’ve been monitoring logs for malicious activity. You can’t detect anomalies in your environment if you aren’t collecting the logs.
3. Set Goals and Define Policies
The adage “walk before you run” still rings true, especially when managing vulnerabilities. Setting goals and defining policies will help you navigate through complex challenges as they arise. A good example of this is patch management. When was the last time each of your systems received an update? Patch management is a critical component for any organization’s security posture. Your policy should outline what systems are patched, how frequently they are patched, and how you audit that the patches were deployed successfully. Frequency should be set to an achievable goal at the offset of your security program and reduced as the patch management process is matured.
4. Educate Employees at All Levels
Phishing and social engineering attacks are increasing 16 percent each year – do your employees know how to spot clever hackers? Security awareness training does not have to be an expensive endeavor with painful, rushed rollouts to the entire organization. Start simple with a monthly newsletter that includes important security tips. If you have the luxury of a marketing department, partner with them to help communicate a memorable message to employees. For example, a personal favorite of mine is “Trust but Verify.” Remember that people are your weakest link, and when it comes to cybersecurity and dealing with important or sensitive information and financials, it is always a better idea to over-communicate.
5. Evaluate and Adjust
The foundation of cybersecurity is built upon repeatable tasks that when done consistently, reduces your overall risk footprint. It’s important to ensure that as your journey continues you are auditing yourself along the way. Are all the new assets being classified? Are you analyzing new processes as they are implemented to ensure security risks are being addressed?
Although an internal mechanism should be in place to verify that processes are being followed, a third-party audit from a trusted partner will help mature your practice and ensure nothing is slipping through the cracks.
Once you’re proficient at the practical steps in security, the next iteration should be selecting a framework and closing additional gaps in your security practice. Some of my peers may argue that this should be done first, but I believe the superior security frameworks that are available, such as offerings from NIST, ISO or CIS, should be brought into play once you’ve established the basics.
The rollout of a successful security program is no different than the rollout of any other large project in your organization. It requires executive buy-in, dedicated personnel, a structured plan, and accountability. Your early wins should be celebrated, and a positive mentality kept during the execution of the project. When failures occur, embrace them, and push your team forward documenting these items along the way. Revisit them during your progress meetings and turn them into wins where opportunities for improvement were identified and successfully implemented. Keeping a positive mindset throughout your organization towards your security program will ensure the long-term viability of your practical approach to security.