Make Your Organization’s Security Program Relevant in 2012

Today more than ever, organizations are examining existing security programs. Those that don’t have a formal security plan in place are thinking about, if not scrambling, to make one. Great security means first identifying your needs and then making a resolution to revamp or create your company’s plan for the New Year. Here are some tips to help lay the groundwork.

Assess your Technology

While technology should be a major (but not the only) focus of your security program, chances are your software is not completely up to date, or in some cases no longer even relevant to your company, depending on how the business has grown. Revamping or creating a security program is a good time to inventory all of the technology you have in place, from servers to software, and decide what needs an upgrade, a patch, or a replacement. One small patch missed can mean a large breach. A solution you passed on a year ago may now have a better feature set and fit your organization better than what you currently run. If you are subject to regulatory compliance mandates, there are likely new requirements you need to learn and meet, because compliance standards and regulations change frequently, sometimes faster than we can keep up with. Remember, though, that compliance follows security and not the other way around: meeting a compliance mandate is evidence of a control, not proof that you are secure. Don’t mistake a passed audit for sufficient security.

Define Your Company’s Security DNA

There is no one-size-fits-all approach to security. Every organization has different structures, both physically and logically. This translates to unique risks and vulnerabilities.

Don’t overlook the physical facilities, such as the office building and backup facilities. Whatever the size of your business, if you handle sensitive and critical customer data, the easiest way for a thief to get it may be to walk into your building and take it. Do you have an alarm system? Do you need security cameras or better lighting around the building? Is your business big enough that it makes sense to move into a building with a security guard, or to hire a few of your own?

Next is your hardware.

Few employees sit at their office desk 9-5, Monday through Friday. How is information protected on laptops that go to work in coffee shops, home offices, airports, and trade shows? This measure mostly comes down to training the people who carry the devices. Develop and enforce policies for those devices and for the personnel who use them as an added layer of protection. You can also invest in specific software (back to my earlier point) that automatically locks mobile devices and applications when they are not in use, so a lost or unattended laptop is not an open door.

Also, be deliberate about who in the organization has access to which physical areas and which information. Not everyone should be allowed in the server room. Not everyone, including some managers, should have access to back-end systems, financial software, or any other data where a leak would be devastating. Put checks and balances in place so that the risk of fraud is minimized and the opportunity for any kind of insider threat is reduced; for example, the person who can submit a payment should not be the one who approves it. Establish a policy for when employees quit or are let go: their access, administrative rights first, is revoked immediately, before they can take data with them, and the revocation is verified against HR records rather than assumed.
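The two controls described above, separation of duties and prompt revocation on departure, are easy to state and easy to let drift. As an added example (not code from the original article or its author), the following script implements the check a practitioner would run on a schedule: it compares the members of privileged groups against an HR roster and flags anyone who is terminated or unknown to HR, and it flags users who hold both halves of a separation-of-duties pair. The group names, usernames, departments and dates are constructed sample data; in practice the roster would come from the HR system and the group membership from a directory export.

```python
"""
Access reconciliation check (added example, not from the original article).

Two checks:
  1. stale access   - privileged-group members who are terminated per HR,
                      or who do not appear in the HR roster at all
  2. separation of duties - users holding both groups of a conflicting pair
All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: username -> (department, termination date or None)
HR_ROSTER = {
    "alice": ("engineering", None),
    "bob": ("finance", None),
    "carol": ("finance", date(2012, 1, 6)),   # let go last week
    "dave": ("it", None),
}

# Constructed group membership, as a directory export might give it
GROUP_MEMBERS = {
    "server-room-badge": {"alice", "dave", "carol"},
    "domain-admins": {"dave", "erin"},        # erin is not in HR at all
    "ap-submit": {"bob", "carol"},
    "ap-approve": {"bob"},                    # bob can both submit and approve
}

# Group pairs that no single person should hold at the same time (assumed policy)
SOD_CONFLICTS = [("ap-submit", "ap-approve")]

# Date the review is run; fixed here so the sample output is reproducible
REVIEW_DATE = date(2012, 1, 13)


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str


def find_stale_access(group_members, hr_roster, as_of=REVIEW_DATE):
    """Flag every membership held by someone terminated on or before as_of, or unknown to HR."""
    findings = []
    for group, members in sorted(group_members.items()):
        for user in sorted(members):
            if user not in hr_roster:
                findings.append(Finding(user, group, "not in HR roster"))
                continue
            _department, term_date = hr_roster[user]
            if term_date is not None and term_date <= as_of:
                findings.append(Finding(user, group, f"terminated {term_date.isoformat()}"))
    return findings


def find_sod_violations(group_members, conflicts):
    """Flag users present in both groups of any separation-of-duties pair."""
    findings = []
    for a, b in conflicts:
        both = group_members.get(a, set()) & group_members.get(b, set())
        for user in sorted(both):
            findings.append(Finding(user, f"{a}+{b}", "separation-of-duties conflict"))
    return findings


def review(group_members=GROUP_MEMBERS, hr_roster=HR_ROSTER,
           conflicts=SOD_CONFLICTS, as_of=REVIEW_DATE):
    """Run both checks and return the combined list of findings."""
    return (find_stale_access(group_members, hr_roster, as_of)
            + find_sod_violations(group_members, conflicts))


if __name__ == "__main__":
    for f in review():
        print(f"REVOKE {f.user:<6} from {f.group:<22} ({f.reason})")
```

Run as a scheduled job, the stale-access list is the work queue for the "revoke immediately" policy, and an account that appears in a privileged group but not in HR at all (a contractor, a shared account, a typo) is usually the more interesting finding than a known departure.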

Make Security Part of The Culture

Just like anything else in leadership, it has to come from the top down to work. Start by getting the whole C-suite engaged with the program. Impress upon them that widespread adoption throughout the company is critical to keeping it safe from both internal and external threats. If you sense that the leadership is just nodding along without grasping the level of importance, share case studies of other companies that suffered attacks in the last year and the consequences they faced. Without management and executive approval, you are essentially dead in the water.

Share the plan with the entire company. The best case is to build a budget for company-wide training into the plan. Corporate training and engagement greatly increase the likelihood that employees will learn and retain what they need to know to do their part. It also signals how seriously the company takes the security plan.

If formal training isn’t an option, create content that explains the program simply, using relatable scenarios that make sense to everyone from IT to marketing. Training doesn’t have to happen in a formal setting; sometimes it is even more effective through informal channels. Think of a company screensaver that constantly cycles through updates, announcements, and security news. Intranet landing pages and Yammer posts (if you use an internal social system like this) are also good places to disseminate information.

Finally, don’t make security education a one-time thing. Your organization’s employees can either be the biggest vulnerability or the biggest security asset. They won’t know what a suspicious email that contains a virus looks like unless you teach them. Continual participation and education on how to create a safe, secure business is ultimately what will make it a success. Send out quarterly reminders, put posters up in the break room, whatever you have to do to make it visible. Above all else, make sure the IT team and entire leadership of the company lead by example.
