10 Steps to Business Cybersecurity Success

The growing frequency and sophistication of security threats make protecting an organisation more important than ever before. In 2014 alone, cybercriminals stole over 500 million individual identities from organisations worldwide, and attacks and malware infections continue on an industrial scale. For many businesses, defending their networks and data is fast becoming a task that looks insurmountable.

However, stripped down to its most basic elements, information security risk can be assessed as a combination of three factors: assets, vulnerabilities and threats. Assets are exposed through vulnerabilities, vulnerabilities are exploited by threats, and a single successful breach frequently becomes the seed for subsequent attacks.

In an attempt to tackle these issues head on, the EU is introducing new laws governing information security and data protection that will require businesses to protect customer information with the same responsibilities as public-sector and government bodies, or face strong penalties for failure to comply. Whether a company’s business is technology, banking, healthcare, fitness or fast food, if it sells something, the chances are it has personal data stored on its network.

While governments and law enforcement agencies are now working to counteract the threat, their efforts will have only a limited immediate impact on the risks companies face, so organisations need to take security matters into their own hands.

But how should they approach this? While most executives now rank cyber security as a priority, they have been slow to raise it at board level until a breach happens. This reactive approach needs to change, and thinking about security proactively needs to become the new status quo. To help with devising a proactive security strategy, here is a 10-step guide to a new, more robust approach to protecting your business’s critical network and data assets.

Use security to unlock innovation

A robust security strategy can do more than just protect a company from attack; it can also accelerate adoption of new technologies, enabling the business to operate more efficiently. When adopting new solutions and devices, a security risk assessment should be part of the process so that protection against threats is built into the deployment from the start rather than retrofitted later. Security embedded in this way gives a deeper level of protection and, because it removes the fear of the unknown from new projects, lets organisations unlock further innovation.

Test the limits

One mistake businesses make is to assume that once they have implemented security measures, the job is done. But threats keep morphing, and cyber-criminals learn as they go, steadily increasing their level of sophistication. To mitigate this, organisations need to view IT security as an ongoing process in which infrastructure is regularly tested: vulnerability scanning and penetration tests to find weaknesses before attackers do, intrusion detection to catch attempts that get through, and unannounced audits to confirm that controls are actually in place. Treating it as a one-off box-ticking exercise leaves the gaps that appear after the last test undiscovered.

Stay focused

Companies should identify where a security breach would hurt them most and make protecting those areas their top priority. Loss of confidential information, damage to corporate reputation and non-compliance with regulations should all be weighed before deciding where the effort to minimise risk is best spent.

Be prepared

No matter how careful a business is, security incidents will happen. How an organisation handles an incident can be make-or-break in terms of its impact on operations. With a contingency plan in place, the business can recover faster and with less disruption. Identifying likely threats in advance, and deciding who does what when they materialise, significantly reduces response times and costs in the event of an actual breach.

See the big picture – it’s a whole business issue

When reviewing business security, it is important to see the individual threats and vulnerabilities as well as the big picture of what the organisation is trying to achieve. The most prepared businesses know that security policy needs to stem from strategic goals, business objectives and corporate policy, and must be tied to procedures and requirements, performance measurements and, of course, people at all levels of the organisation.

Go beyond regulations

Many organisations believe that if they comply with the laws and regulations that govern privacy, finance and consumer protection in their sector, they are protected against cyber-attacks. This kind of thinking limits the scope and effectiveness of a security policy, because compliance regimes typically address a fixed set of specific threats and say nothing about the rest. Since compliance does not ensure a secure network, it should not be the basis of a security policy. Businesses need to push beyond compliance and create a robust security policy that safeguards information and supports threat mitigation, with compliance falling out as a by-product.

Make it official

Making corporate information security policies official and sharing them company-wide can be very effective. When employees are engaged in implementing policies, enforcement becomes more efficient. As a result, the best information security policies are those that are well publicised, simple to understand, and that employees can help enforce.

Get buy-in

Protecting an organisation’s sensitive information must be an organisation-wide objective. Securing adequate resources, in terms of both financial budget and people, is essential to the protection of the company. Consequently, executive-level buy-in for the security policy is critical, as it demonstrates active support and fosters greater awareness. The key to obtaining it is often identifying security indicators and measurements that demonstrate the return on investment that robust IT security delivers. The same measurements provide valuable insight for ongoing optimisation of security policies.

Create accountability

Organisations should take the time to identify the specific individuals who will be responsible for their information security policy. Distinct responsibilities should be mapped out, along with a clear understanding of how they intersect. This should be documented and shared across the business so that everyone involved is informed. It should also include staff training on how they are accountable and what their roles are in protecting against threats.

Never ease up

For some businesses, security management is outsourced due to a lack of resources or expertise. However, external companies that do not adequately protect assets pose a serious liability to an organisation’s business operations, reputation and brand value. Companies should require service providers and suppliers to follow their information security policies, and should in turn understand the policies and safeguards their partners enforce, since a weak link in a partner is a weak link in the business.

Good security is business-critical

Given that data is the cornerstone of business, today’s leaders cannot afford to ignore security. Without proper policy, both customers and the company itself are put at risk. By understanding potential threats and vulnerabilities, creating a solid plan that aligns with the business, and ensuring that protections are integrated into the IT infrastructure, businesses can turn security into an enabler rather than an inhibitor.
