Secure is relative. Different businesses have different obligations and levels of sophistication in their security programs based on several factors. Industry, size, the type of data housed, and more all determine how a business treats its information security program. But the goal is often the same: avoid as many security incidents as possible, protecting sensitive data along the way.
While levels of security and the initiatives taken to get there will vary from business to business, there are commonalities among those organizations who tend to avoid major compromises. It’s impossible to avoid all security incidents from occurring, but adopting a strong combination of these commonalities will improve your business’s chances of managing as much risk as possible—and mitigating it where necessary.
1. Executive Buy-In
The success and maturation of a security program ultimately boil down to buy-in from your board of directors and/or executive leadership team. Information security is not just a nuisance that we can push off to our IT department. There are important data across all departments of your organization, and there are employees accessing connected devices across all departments, too.
So, our risk doesn’t exist in an IT vacuum. There needs to be a common approach to security across all your business units, and each employee needs to be trained on proper security measures. This kind of secure culture can’t and won’t come from within. It needs to be a conscious effort and strategy applied from the top of your organization down.
So does the budget.
Ultimately, it’s the people at the top of an organization that give ‘the okay’ on major budget decisions. When doing so, these business leaders need to recognize what the risk of major security incidents are—financially, reputationally, effort-wise, and more. If they don’t, the risk of experiencing compromise increases, handling them properly decreases, and the potential of shutting doors entirely becomes a very real possibility.
If your executive and leadership teams are taking information security seriously and protecting client, employee, and vendor data, your program is going to be much stronger, and it’s less likely your business will face debilitating security incidents.
2. Employee Awareness
If you have leadership buy-in and they pass it along to leaders of other departments, eventually you start building a culture where security is ingrained in everyday tasks.
Depending on your organization’s attitude towards information security, your employees are either your biggest security strength or your biggest security weakness. It’s up to each business to decide which of those they’d prefer their employees be.
It’s typical for employees to take whatever security habits they have at home and bring them to the office. If their habits are bad in the first place, it can wreak havoc on your environment and increase your chances of experiencing major security incidents. Imagine your employees using the same password for every login they have, downloading applications from less-than-credible websites, and clicking links in emails before doing some quick analysis of their legitimacy. Chances are, they’d also do those things at work.
Training is critical.
It’s important to get a baseline understanding of where your employees are in terms of their security posture, tailor training to common weaknesses, and develop learning opportunities to help them see why this is so important to the business and to them personally.
Engagements like social engineering, where certified ethical hackers test employees’ reactions to things like bad emails and strangers trying to enter your office building, can give you an idea of where their training or your policies are lacking.
Policies are incredibly important as well. Requesting that your employees use a password manager to generate and store passwords securely, enabling multi-factor authentication where applicable, setting standards around application and software downloads, and much more are great ways to ensure that your employees are safeguarding data in ways that don’t majorly interfere with their everyday job function.
The last part of that is critical.
3. Formal Policies and Procedures That Involve All Departments
You need to have policies and procedures in place that make sense to your employees and that they are willing to commit do. If you don’t, you risk having them find ways to skirt around the rules. It doesn’t help your security or theirs.
Companies that experience very few security incidents are ones that have developed a company culture where security is entwined. You cannot have this if you’re creating policies that silo certain departments or make others’ jobs harder than their peers.
Policies can’t just be for show. If you’re making unilateral decisions without consulting the department they impact, you’re begging them to not follow through, and you risk an increase in the chances of security incidents happening.
Say your marketing team wants to set up an integration with your customer relationship management (CRM) software for automated email tracking purposes. The integration causes a vulnerability in your CRM, so you determine that marketing is no longer allowed to download CRM integration apps altogether. A couple of things may happen. You may end up inhibiting them from downloading tools that can make their jobs better, which is bad for your business. You might also entice them to download their software anyway with the thinking that your rules are too stringent and are causing unnecessary roadblocks. Either way, they’re much less likely to trust the processes and people behind your security practice.
If you work with all departments to agree on security standards that minimize your risk without drastically impacting their day-to-day functions, your business is much less likely to run into major security incidents, as it fosters a strong security culture company-wide.
4. Ongoing Checkpoints for Policies and Procedures
It’s not enough just to have policies and procedures in place. It’s also not enough to just have all your internal departments agreeing on your policies and procedures. Organizations must find a way to ensure that their policies and procedures work.
Checks and balances are an important part of every information security program. Businesses are fluid. Threat landscapes are fluid. Technology is fluid. Staff is fluid. All these factors and more determine how you should treat your security program and update it.
It starts with getting a baseline. You need to understand where your security program is before you can make improvements against it. Companies that tend to experience fewer incidents will typically get an information security risk assessment done by a third-party security expert on an annual basis. This provides a non-biased and objective look at how your security program is performing at that time (considering your administrative, physical, and technical controls). It also provides you with a starting block—a point you can measure and track your progress against so that you know exactly how quickly and in what areas you’re improving.
But again, security is fluid. It’s not helpful enough to simply have an expert see how you’re doing once a year. You must do internal checks and balances as well. Companies that protect data effectively will typically self-assess their policies, procedures, and programs at least quarterly. This allows them to see where they’re making strides and control the risk that still exists in problem areas.
If my business leaders know where we’re most vulnerable as a business, understand how our policies and procedures improve our security landscape, and use our strengths and weaknesses to constantly improve, my organization is going to be significantly less likely to experience a major security incident (and even if we do, we’ll at least know how to handle it).
5. Strategic with Spending
If you have an ongoing risk assessment in place, that should be the guide to help you make all your security decisions moving forward.
A good risk assessment will look at all four controls that make up a security program: administrative, physical, external technical, and internal technical. If you assess all four of those areas, you will have a full scope of what your security program looks like at present state and what it should look like moving forward.
Keeping this in mind, companies should only make decisions that specifically align with their security risk assessment. Especially if the decision incurs a cost, it’s important to be able to justify that cost by proving it made a dramatic impact on your overall risk profile and assessment score. If it doesn’t, you probably won’t get buy-in, and you’re likely not helping your company’s security anyway.
For this reason, companies mostly free of security incidents tend to make budget and spending decisions with their risk assessment and profile in mind.
6. Automated Vulnerability Management with Human Intervention
At the end of the day, the risk assessment practice is about finding where your vulnerabilities and weaknesses are, recommending ways to improve them, and mitigating the risk that comes with them.
There are many ways to do this. Commonly, companies utilize vulnerability scanners. These programs are designed to assess connected devices for known weaknesses. These programs are largely automated—running in the background, constantly scouring for gaps. The benefit is that you should be able to quickly detect when something is awry. Antivirus software is a well-known example of a vulnerability scanner.
What’s the catch?
They’re not perfect, and we can’t rely on automation alone.
We already discussed how fluid security landscapes are. For this reason, organizations must constantly scrutinize their vulnerability management. Not only is it important to vet any threats they come across, but the actual tools and procedures a company uses should fit with the changes and improvements of their program.
Companies that have an automated vulnerability management system and constantly vet and make improvements to it are less likely to experience major security incidents.
7. An Understanding of Security Incidents vs. Events
This might sound silly, but you’re going to have fewer major security incidents if you know what an incident is. That’s because a lot of what is considered an incident isn’t an incident at all.
It’s understandable to be confused. When something doesn’t look right in your environment, it can feel unnerving. It can feel like if immediate action is not taken, your whole business will be at the whim of an attacker.
But not everything is an incident. Events are commonplace in the security world. Every incident is an event, but not every event is an incident. So, what’s the difference?
Events:
An information security event is anything that could have security implications. Phishing emails get sent to companies by the dozens every day. While they contain malicious links that could compromise systems, they’re often filtered, logged, and ignored. Even though security events often come with ill-intent, they typically require no more than a flag or log.
Incidents:
An incident is an event that is a legitimate risk. Typically, incidents are damage-causing. They cause data loss, functional disruptions, and more.
Organizations that know the difference allocate energy, resources, and time effectively by not over-engineering solutions for problems that aren’t concerning. On the flip side, they understand what an incident is and can quickly remedy any damage before it escalates to a bigger compromise.
For these reasons, companies that know the differences between incidents and events tend to limit the number of major security incidents they experience.
8. An Understanding of Their Assets
You can’t secure what you don’t know you have, and your security measures should directly impact your most valuable assets (as well as the risk associated with them).
The practical application of this, called asset management, is not only an important part of a good information security program, but is also an important part of running your business.
Effectively, asset management is a way to track and categorize resources within the organization. A good asset management practice gives businesses an understanding of the existence, access, location, and function of its important technology.
Important assets extend far beyond the computers your employees are using, too.
Hardware:
This is what most people think of when they think of asset management. What devices exist within the business that has data associated with them? Think of the things you’d put a label on. This may include computers, printers, tablets, hard drives, servers, and more.
Software:
Software is an asset, and it’s important to manage the purchase, implementation, maintenance, and disposal of software applications.
Data:
A lot of organizations fail to realize that data is an important asset that needs the same (if not more) management as the more tangible ones. We’ve posed the question to numerous clients: “If all of your business’s data suddenly disappeared, what would you do?” Most often, the answer is that they’d have to close shop. Data is that important of a business asset.
Therefore, managing the creation, indexing, workflows, version storage, and access becomes a hyper-critical component of asset management for all organizations.
Companies who create, implement, and improve mature plans around asset management, know the difference between the types of assets that exist in their organization, and understand how they should be treated are more likely to avoid major compromise.
9. Proper Data Classification
Along the lines of managing data as an asset, organizations must understand the kinds of data they have and who should have access to it. This idea of data classification is a practice that, even at a very basic level, can make a strong impact on the overall security of your organization.
We typically see three types of data in an organization. Who should have access to the data is entirely dependent on where it fits in one of these three categories.
Public:
Don’t care who sees it? Do you want it to be seen? This kind of data is public data. Every business has public data, whether they’re conscious of it or not. Think of your marketing materials. Your website probably contains information about your company, services, pricing, customers, and more. But you want people to know these things. This kind of data is meant to be seen by the outside world and does not need access or management restrictions.
Internal:
Internal data is not meant to be seen by the outside world. If it were to be accessed by someone outside of your organization, it would likely strike issue with your business leaders. Internal data is typically owned by a department of the organization whose jobs require it. However, if that data was viewed by someone else inside the organization, it would not raise concern. A good example of this is internal process documents. If your project managers have a process they operate on and have that process documented, it wouldn’t be the end of the world if your sales team somehow got access to the process documentation, for example.
Private:
Private data is data that should only be given access with special permission outside of the person or department that owns it. Say you’re planning to sell your business six months down the road. You might have pulled very specific financial data to influence any possible sale. This is something a business would likely want to keep under lock and key until they make a formal announcement to their employees that they plan to sell, or it could cause a commotion. Therefore, you’d likely want to put strict access controls around data like this.
Simply, if your organization understands what kind of data exists in its ecosystem and can effectively control who can see it and when, it’s unlikely your data will end up being shared with a party that it shouldn’t. It’s up to each organization to define the categories and their criteria. This will limit the amount of potential compromise your organization faces, so companies with strong data classification procedures and understanding see fewer incidents.
10. A Vendor Risk Management Practice
With data classification, we talked about understanding what kinds of data exists, how private the data needs to be, and who should be given access to the data.
Many of your vendors get access to your data and systems through the relationship they have with your business, and it’s just as important to manage what they have access to and how they treat the data.
Vendor risk management is an increasing concern in the information security industry, particularly as we continue to see more and more vendor-caused breaches in the news.
A good vendor risk management program does four things.
Makes an Inventory:
Just like with our assets, if you don’t know who every vendor is, you can’t possibly know how much risk exists to your business among them.
Classifies Vendors:
What’s the impact? What kind of data do they have access to, and how detrimental would it be if their compromise impacted your business? If you know how much impact each vendor poses to your business, you can focus your attention on the most pertinent ones.
Assesses Vendor Security:
Hold your vendors accountable! Validate or quantify the risk that exists related to threats and vulnerabilities, especially for those that access critical data. We do this using our information security risk assessment.
Treats Vendor Risk:
Once you know how much risk a vendor poses to you and how well they treat their information security practice, are you happy with where your relationship stands? If not, you must work with them to create a plan that either gets them to a state of security you’re comfortable with, limits their access in a way that reduces risk, or to end the relationship altogether.
Organizations that do a good job of managing the relationships with all their vendors, know the risks associated with each, and constantly check against chosen acceptable criteria do a much better job limiting the amount of compromise they face at the hands of vendors.
Bonus: Take Technology with a Grain of Salt
You can’t fix everything with technology. Automated solutions have their benefits, but there needs to be human intervention with a lot of information security. Particularly with the policy and procedure work, the people employing and following them must have a strong understanding to create effective policies and procedures and to practice them well. Blinky lights and easy buttons are no more than show. It takes consistent work, re-work, buy-in, intervention, interpretation, and much more to truly create an effective security culture—one that remains mostly free of major security incidents.
Summary
While levels of security and the initiatives taken to get there will vary from business to business, there are commonalities among those organizations who tend to avoid major compromises. It’s impossible to avoid all security incidents from occurring, but adopting a strong combination of these commonalities will improve your business’s chances of managing as much risk as possible—and mitigating it where necessary.
