We have been struggling with this question – when does all the news and alerts about breaches and security vulnerabilities become too much? At what point do you become numb to the news that another company has compromised your information or that another company lost sensitive information about a new product? Does that change the way you look at things? Does that make it feel like it’s inevitable that you will be affected by a breach of some sort? It can be overwhelming.
Just as overwhelming are the security options available to you. How do you know what you need? The news will make you feel that no matter what solution you employ it won’t matter, because the people who want your information will keep trying until they succeed.
There is good reason to feel overwhelmed at the task at hand. There is a lot of information out there and a lot to process, but that can’t be a reason why you don’t go through the process. You cannot let all the news and data lead you to inaction. Security is a process and it starts with a couple of simple steps.
- Initiate the dialogue. No matter what position you hold within your company, if you don’t notice security measures or security reminders, it is your inherent responsibility to bring it up. You could be told that it’s being taken care of or that it’s not your business, but if you don’t see it, then perhaps the argument should be made that it’s not being done to the appropriate level. There is the chance that your company says, “You know, we haven’t thought about that. Let’s discuss it further.” And this is the beginning. You are now off and running. NOTE: If you are told to mind your business or that it’s being taken care of, that is by no means a reason to stop. Ask follow-up questions such as: Do we do training? What do we do when someone asks us for information about our new product research? What is our policy on phishing? What is our incident response process?
- Start listing out what you have in place. What are your policies? Where do you see issues? This can be very similar to a brainstorming session – throw things up on the wall and write them down. It doesn’t have to be complete, but you can start identifying some vulnerabilities.
- Identify your critical information. What is the thing or things that your competitors or hackers would target? If you lost this “thing”, what impact would it have on your business? How are you protecting it right now? Is that sufficient? What additional layers can you add, whether at cost, low cost or no cost?
- Prioritize. Sometimes it feels like picking between the rock and the hard place, but you have to start somewhere.
  - If money is a constraint, then go for the measures that don’t cost anything – review your policies, develop policies, start enforcement. Look at training – these are low-cost solutions that can be delegated out. Consider security awareness notices and label restricted areas.
  - If you do have money available, start researching network solutions. Consider physical security upgrades – badging, access controls.
  - Ultimately you are going to have to spend some money, so begin to make a plan for that. A great place to start is a security vulnerability assessment of your network(s) and physical security posture. This will then help you prioritize.
Finally, look to improve. You don’t have to do it all at once. A lasting security program is one that continuously assesses itself and seeks to get better. A security-healthy organization is one that makes improvements and has layers of security. It is not reliant on one simple fix. It’s a choice and it takes work. But it doesn’t have to be overwhelming.