There is no shortage of breaking news on data breaches and vulnerabilities that have very real financial and reputational consequences for enterprises. It seems impossible for business leaders and board members to escape the barrage of forewarning headlines and resulting bombardment of experts who line up to share cybersecurity advice on how to avoid such devastation.
Nonetheless, attacks and breaches keep occurring. What’s worse, cybercriminals often target the most obvious or basic vectors and vulnerabilities. Looking at July 2019 alone, there is no shortage of examples: millions of records left visible in exposed Amazon databases, user and staff records from a school district exposed by a software bug and football fans’ financial information stolen by criminal activity.
Establishing and managing a strong security posture is critical. Enterprises must know where risks are, address everything feasible and constantly monitor for changes.
The first stage in crafting a successful cybersecurity strategy is to ensure full buy-in across an organization, which is as much about awareness as it is about agreement. There will be business and technical implications to establishing or updating security strategy. Cybersecurity needs to be understood across the business so that it is seen as a business enabler and competitive advantage for the company, as opposed to an inhibitor. Leaving key decision makers out risks slowing adoption.
• Top tip: Consider using outside resources to support designing a security strategy. It’s not necessary to outsource the complete project, as that could cause internal resentment. However, a security consultant’s skills and knowledge provide critical expertise and experience, as their familiarity with a range of organizational security needs and challenges can help speed up the project and ensure organization-specific considerations are not overlooked.
Once buy-in is achieved, it may seem like the right time to start the project – but do wait. The next step in defining an organization’s security strategy is actually to take a step back and sit down with area leaders to understand what they do on a daily basis, including which systems are used, where and what data is stored and which third parties and supply chains interact with the business.
Ideally, a full software audit needs to be completed. At minimum, enterprises need to gain a view of exactly what is in use, who uses it and how regularly it’s updated. This will take time and is no small undertaking. But remember that many breaches happen because of basic security missteps, so this stage is very much worth the investment to ensure the right security strategy is designed for an organization.
• Top tip: It is worth keeping in mind that although IT has a list of software in use, it will not be exhaustive. It is very common for departments to have software purchased and managed outside of the IT remit. These tools are known as shadow IT and run under the radar of normal business. To achieve a successful security strategy, these projects must be identified, audited and brought under the remit of the internal IT team.
At the point where everyone understands the project implications and it is clear what needs to be protected, updated or retired, the project can begin. There will be changes to how business and processes occur, which means that some employees may grumble and IT teams will likely experience an increase in calls to the support desk. Despite temporary inconveniences, once the initial project is complete, security strategy management should become an ongoing process with regular audits of software, devices and risks. Without this ongoing component, all the hard work will lose value. Additionally, should there be a breach, the amount of work required to understand and remediate the incident will increase significantly.
• Top tip: Consider ongoing user education as part of the security strategy. Much of a security strategy depends on employees, so it’s worth creating a security training program to educate users on strong passwords, how to identify fake websites and how to spot phishing/spear-phishing emails early.
Creating and maintaining a successful security strategy is not a simple task, but with the right sponsorship and external resources, it does not have to be a negative experience. In fact, with safer access to data and better educated users, the end result should be a stronger business that is ready for success in today’s digital and cloud-based world.