It seems like every day there is a new report that highlights a new security issue, or that highlights that a previous security issue is in fact still a security issue. When does the data stop being informative? When does the annual data breach report or the annual cyber security incident database (both of which I made up based on the myriad of reports available to security professionals) become background noise, a coffee table book, or just bathroom reading? Sure, it’s good to have the information, but if it doesn’t prompt you to act, then what’s the point, right? What will it take to make you act?
This is what we know and we don’t need reports or data to validate it:
- Security incidents are on the rise.
- Password management either exists but is poorly enforced, or doesn’t exist at all.
- We don’t back up our data enough, or else ransomware wouldn’t be as newsworthy.
- We are prey to social engineering and phishing attacks.
- We don’t do enough security-related training.
- Security is generally not a major element in planning new products or builds.
- We don’t assess ourselves and our security posture.
- We don’t have policies in place to prioritize security or enforce behaviors.
I think we can all agree on the above. And you may be doing all or some of those things. But here is the thing: security should be integrated into all elements of your business. We believe in a full-spectrum approach to security through our APP model – comprehensive Assessments, developing Policies, and enduring Programs. Security isn’t just a band-aid so you can meet a new criterion or business requirement. Security needs to be woven into your day-to-day processes. And if you leave out that one area, it might be the only window attackers need to exploit everything else – even those areas that do have security.
In order to be positioned for success, security needs to be how your business does work. We want to build an alert and aware workforce that critically evaluates its daily decisions with a security tint. This starts with a comprehensive security assessment. This assessment is not just of your networks; it integrates physical and personnel security as well. How are your physical security access controls? What type of crime is occurring in your area? What training do new employees receive before getting access to systems? What social networking or BYOD policies do you have in place? All of these need to be reviewed and assessed to understand what vulnerabilities exist. If you hired an employee who was recently fired from their last job, but you never contacted the previous employer, then that’s a security issue. How do you know they did not get fired because they stole proprietary information, or because they downloaded inappropriate materials onto their work computer and brought in malware? Sure, you could dismiss these possible outcomes, but that doesn’t mean they don’t exist.
Once we assess, we can then determine areas to focus on and develop policies. We will review and update existing policies. We can build new policies. Do you do an annual review? When was the last time each employee reviewed them? These are critical to building a security-conscious workforce.
Then we want to build enduring programs. How visible is your security program? Do people know who the security officer is? Do you have a security officer, even if only part time? Do they know what to do in the event of a security incident? What about your training and awareness program? What does it cover, and how often does it run? What is your backup plan? Or your incident response plan?
The APP model is designed to build a workforce that is up to date on security incidents and knows how to respond.
The data is great, and it does help us identify and reinforce our programs. The data can be used to prioritize matters and address critical areas that should be integrated into policies and programs at a moment’s notice. However, it doesn’t take much to know that security is an issue and that we have challenges right in front of us. We know they are there, but we don’t always act. When will you? Let’s hope before it’s too late.