The 3 Areas You Should be Investing in for Cyber Security
Sep 12, 2019
Information is the oxygen of the business world today. People are more connected than ever before and instant communication is an expectation.
Because of the connection and flow of information, cybersecurity is becoming increasingly critical for businesses. However, as much as you may prioritize security, people also want the information to flow freely without restriction in time or effort.
Today, companies must have networks that are simultaneously secure and porous to engage business partners and embed services in client organizations.
In this article, you’ll find a roadmap to set your company up for success in cybersecurity. The subject is so broad that it is easy to drown in details, but the process can be simplified by focusing on three key pillars for success.
Step 1: Have a Plan for Cybersecurity
The most important step in cybersecurity is making it a priority. Too often security can be a defensive move, reacting to a threat, rather than a proactive decision.
If you are storing data, you need to have a plan in the beginning to create safeguards and best practices for the flow of information.
Your plan needs to start by understanding where the true threats are. A survey by ALM determined the top three threats for cybersecurity are:
- Employee mistake
- Third party mistake
These top three threats accounted for about 80% of the total threats, meaning as you start to plan your cybersecurity process, you need to look at people. People are the weakness in security systems, so any successful plan is going to start with controls on who has access to information and the ability to manage behavior.
Step 2: Put Proactive Controls in Place
With people as the biggest threat, the next step in implementing cybersecurity is to put controls in place. Having security and annual audits is not enough to ensure you are staying ahead of potential breaches. As an example, Home Depot, Equifax, and Target all passed their annual audits, but still had major breaches.
The key point: take a proactive approach to your security, making a distinct effort to avoid a ‘checkbox mentality’ — which can lead to missed threats.
Have a full view of your network: Knowing the layout of where information is flowing is the first step. You have routers, switches, firewalls, and devices like smart TVs and mobile phones. Protecting your network starts by understanding your network and where the information is flowing.
Assess and patch vulnerabilities: About 80% of hacking is because something wasn’t patched. You may have legacy systems that are difficult to patch. In that case, a good idea is to implement a vulnerability scan. These will give a high-level view of some of the potential areas you need to address.
Build a user awareness program: A 2017 Verizon report found that 81% of hacking-related breaches were from stolen and reused passwords. A good practice is to use a password vault to create better passwords without forgetting them.
Your people are your biggest risk, so it’s important to educate them and create buy-in for best practices.
Multi-level encryption: Encryption is essential for securing and controlling access to data. Additionally, your controls need to add layers to the encryption. The more keys you have, the more secure your information will be. Make sure there is never a single access point for data you want to be secured. Along those lines, you should have multiple levels of authentication to make sure your keys aren’t accessed by the wrong individuals.
Step 3: Define Standards for Partners
To fully minimize threats, you’ll need to have standards in place for any third party who also has access to your information. This means providing an assessment for any outside person or application.
The best way to do this is through standardized controls. This is helpful not only for keeping the flow of information in check, but also for keeping your own systems under proper scrutiny.
There are broadly applicable industry standards, provided by ISO, that can be used to evaluate partners. These standards give a general level of confidence, knowing a company has been certified against a standard.
Other examples of certifications are provided by the US government, like the FedRAMP audit. The reality of data security is that putting best internal practices in place is not good enough. If you have a partner company that now has some of your customer data, it’s your responsibility to make sure the partner has proper protections in place.
Cybersecurity is a broad issue that is not solved overnight. Your goal should be first of all to assess your network. Where is the information flowing and where are the access points? Knowing the network should give you a view of the flow of information and an idea where the vulnerabilities may be.
Once you have that view, you can start putting the controls and best practices in place to keep data flowing without compromising security.
To dive deeper, check out this full webinar on security in our connected world here.