The end of each year brings a review of the past and a look ahead to the future from just about every publication or blogger. Instead of looking at it that way, we want to continue to reinforce key security principles. Make no mistake, reflection is essential, and of course those who ignore the past are doomed to repeat it. We should always evaluate these incidents, build case studies and use them for training; we should continuously seek to learn from the mistakes of the past. But for all intents and purposes this is a reactive policy. Making predictions only causes organizations to think that if they plan for a couple of key events, they can make it through the year. This overlooks our basic premise – to have the most effective security posture, you must build a culture where security is an accepted part of day-to-day business, and you must implement security policies and training across your organization no matter how big or small your business is.
It is our belief that understanding yourself and your critical information, implementing security policies, and training and awareness programs will help your organization – big or small – be better prepared for whatever comes your way.
- Identify your critical information – understand what separates your business from others. How are you protecting that data? Are you protecting everything the same way? Do you have different access controls?
- Develop or review security policies – if you don’t have them then resolve to develop them. If you do have them, dust them off, review them and make sure they are up to date.
- Identify your threats – we all have them; recognize who is interested in what you have and how they might go about getting it; work it into your training.
- Develop or review your training for the year – that’s right, build a year-long training calendar. It doesn’t have to be written in pen, but establish training dates, assign a training coordinator, identify needed training, and start. It might be clumsy at first, but you have to start somewhere. Conduct reviews of your training and solicit input for future events.
- Build a contingency plan/incident response plan – what happens the moment you find out you have been breached or have been the victim of a security incident? Do you have a plan? Now is the time to write one down. Rehearse it and learn from it. You can never be too prepared.
These are just a couple of things to think about as we move into the next year. We should always strive to learn from the past; it helps shape the way we think about events in the future. Instead of planning for those specific incidents, resolve to build a better security posture. Integrate the lessons learned from security incidents and move forward.