Security breach news is not slowing down as we see governments, zoos, wineries, and healthcare organizations all with announcements over the past few weeks. Security should be given some priority in all organizations regardless of size and complexity. The word value can bring the once technical and mystical world of security into view for a business leader.
Here are 10 steps to bring value to your organization through improved security:
Treat security as a business risk: All risks that businesses face, including IT and security risks, are business risks. Security for data, systems, and trade secrets is in place because those assets are important to the business. Business value: Treating security as a business risk will allow the business to determine what is important to keep operating. The business should be knowledgeable in all areas of risk including security. Risk that is not managed can impact business operations and potentially close the doors.
Train your employees: This one is key and will lay the foundation for an effective strategy to protect your business and data. A good security awareness program needs to be supported by the board, owners, and key business leaders in your organization. The program needs to include everyone in your organization. Business value: Business will be less likely to experience accidental loss of data, employees will better understand their responsibility to protect the business that employs them, and business will avoid the accidental introduction of business disruptive software aimed at stealing or altering critical data.
Implement good password policies: Passwords are keys to accessing critical systems and important business data. Passwords should be robust and complex based on the value of the business function, data, or system we are protecting. Business value: Good password policies will help protect your business from potential fines for lost or stolen data, keep your business out of the news telling the world your operation was breached, and keep customer data safe as expected by your loyal customers.
Back up your data regularly: Data and systems should be backed up regularly. The loss of data or systems can be devastating to business operations. Backups and system recoveries should also be tested regularly. Business value: Backups are important to keeping your business functioning. Lost data and systems will cripple your business and the ability to maintain profitability.
Keep your systems up to date: IT systems that are up to date are more secure and generally more reliable. Old systems and software are prone to failure and security bugs, and can be unsupported by your IT vendors. Business value: Up to date systems are generally more available and secure than old systems. Systems that are available are keeping your employees working, selling, and communicating with your customers.
Patch your systems: Patches should be applied on a regular schedule. Critical patches including those with security fixes should be reviewed and scheduled for implementation quickly. System vulnerabilities left unpatched leave the path open to people that would like to harm your business or steal your data. Business value: Patches fix issues that can leave your websites and systems unavailable to your customers and employees. Patches also plug holes in software that leave your data and corporate trade secrets available to those who wish to do your business harm.
Use anti-malware/antivirus software: System viruses and malware are very common. Computer viruses have been common for years. Malicious software is being developed and spread all over the world. Business value: Systems free of viruses keep your employees serving customers, protect your data from the wrong eyes, and keep you investing in your business.
Develop a mobile security program: Mobile phones and laptops may carry very sensitive customer data or trade secrets which are very important to your business. Encryption should be seriously considered for any mobile device. If your business develops mobile applications, they should be tested for security flaws before they are released to your customers. Business value: Secure mobile devices provide protection against confidential data being viewed by unauthorized eyes after an unintended loss. The odds of lawsuits, fines, and the loss of trade secrets are reduced with a good encryption program.
Develop an incident response plan: Every business should have a plan in the event of a security breach, loss of data, etc. There are many laws and regulations requiring timely notification to customers, state attorneys general, and regulatory bodies. A business will need a well-thought-out plan that covers who to contact, including police, FBI, forensics experts, and security professionals, to fix the vulnerability and investigate a cybersecurity breach. Business value: An incident response plan will bring the business back online much more quickly than a business without a plan. A plan will also avoid missing timely communication to your customers in the event they are affected. Time is not on your side after an incident, so even a little preparation before an incident can mean all the difference to a business.
Track your assets: All of your business assets should be closely tracked and documented. IT assets include PCs, laptops, databases, servers, cell phones and just about anything that can store data. It is nearly impossible to manage and secure what you are not tracking and monitoring. More complex organizations should invest in monitoring to alert them to devices in their environment which are unauthorized. Business value: A missing or lost asset can bring about fines, bad press, and lost customer confidence.
I know I said 10 but there are many more: Other security steps include perimeter security such as firewalls, physical security, adding security within the SDLC, monitoring logs for abnormal behavior, and many more than my list of ten can hold. A good security program will help to identify opportunities to better protect your business. Business value: A good security program will help ensure your business stays in business.
What value have you seen brought to an organization through security?
ABOUT THE AUTHOR:
Ken Boie is the Founder of Aperture IT Services. Aperture IT has extensive experience custom designing security solutions to capture your business needs. Our solutions include CISO as a Service, disaster recovery planning, technical team building, Audit Liaison, and Cybersecurity planning. We implement solutions that are a fit for your organization and provide the level of confidence you seek. It's time to make your organization's security a priority; contact us today to get started.