5 Strategies for a Complete Cybersecurity Program
October is Cybersecurity Awareness Month, and the theme this year is “See Yourself in Cyber”, which focuses on the people part of cybersecurity. Whether it’s your home desktop or your company laptop, threats such as spyware, malware, and hackers are on the rise and put your data at risk. It only takes one person clicking on a malicious link to expose critical information.
The majority of cybersecurity breaches can be attributed to human error. So how can you protect yourself and your business from online threats? Start with these 5 critical guideposts for a complete security program, including defending against human error.
1. Technical Security
The first place to start any security program is with technical defenses and defense in depth. Securing your network means having the basics in place, with next-generation firewalls monitoring every touchpoint between you and the internet. The other basics are anti-virus, anti-malware, and endpoint monitoring on every device.
2. Data Management
In many industries your most valuable asset is data, so it is critical that your data is kept secure. Data management means knowing not just where your data is, but also who has access to it and what they are doing with it. Encryption is a vital first step, especially when moving data into or out of your network. When uploading your data to your cloud service, ensure that your connections are encrypted. When data is written out to portable devices (laptops, thumb drives, etc.), make sure you are using disk-level encryption to secure those devices.
It is equally important to know with certainty who is accessing your data. The Principle of Least Privilege means restricting access on your network and only allowing data access to those who need to use that data for business purposes. In the event of a breach caused by human error, you can greatly limit the damage by controlling and minimizing users’ access to data they don’t need.
3. The Human Element
Experts agree that the weakest link in any security program is the human element. Human error is a fact of life and malicious actors understand this. Just as technical defenses can be patched and updated, your users need to be kept “updated” as well. A good security awareness program is one that always keeps security top-of-mind for your users. Users should be familiar with the company’s security policies and their responsibilities and know what to do and whom to contact if they suspect something is amiss.
4. Testing, Testing, and More Testing!
Once all of these controls are in place, the next step is to verify that they work. Testing comes in many forms. Technical controls are validated using external and internal penetration tests, vulnerability scans, and continuous monitoring of computer logs and network activity. Data access is tested by regularly inspecting your access lists and removing people who no longer need access to particular clients or data sets. User awareness can be tested through online training and phishing tests (i.e., send a suspicious email to employees; if attachments are opened or links are clicked, it prompts a review of corporate security protocols). These types of tests are essential to ensure your security program is functioning as you expect.
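The least-privilege rule from the Data Management section and the access-list inspection described under Testing are two halves of one control: grant access only to roles with a business need, then periodically review the grants and revoke the ones that no longer fit. The script below is an added example (not KS&R’s own tooling or code from this post) that does both over a constructed access list. The role-to-data-set mapping, user names and dates are all made up for illustration; the 90-day idle threshold is an assumed review policy, not one the post states.

```python
"""Least-privilege access check and periodic access review (added example, constructed data)."""
from datetime import date

# Constructed sample: which roles have a business need for which data set.
# Anything not listed here is denied by default (least privilege).
REQUIRED_ROLE = {
    "client-acme-survey-data": {"analyst", "project-lead"},
    "client-globex-survey-data": {"analyst", "project-lead"},
    "hr-records": {"hr"},
}

# Constructed sample access list: (user, role, data_set, date of last access).
ACCESS_LIST = [
    ("alice", "analyst",      "client-acme-survey-data",   date(2022, 9, 30)),
    ("bob",   "project-lead", "client-globex-survey-data", date(2022, 3, 1)),   # idle grant
    ("carol", "sales",        "client-acme-survey-data",   date(2022, 9, 28)),  # role has no need
    ("dave",  "hr",           "hr-records",                date(2022, 10, 1)),
    ("erin",  "analyst",      "hr-records",                date(2022, 9, 15)),  # role has no need
]


def is_permitted(role, data_set):
    """Least privilege: a role may touch a data set only if it is listed as needing it."""
    return role in REQUIRED_ROLE.get(data_set, set())


def review_access(access_list, today, max_idle_days=90):
    """Return (user, data_set, reason) for every grant that should be revoked.

    A grant is flagged when the holder's role has no business need for the
    data set, or when it has gone unused longer than max_idle_days (assumed policy).
    """
    findings = []
    for user, role, data_set, last_access in access_list:
        if not is_permitted(role, data_set):
            findings.append((user, data_set, "no business need for this role"))
        elif (today - last_access).days > max_idle_days:
            findings.append((user, data_set, f"unused for more than {max_idle_days} days"))
    return findings


def remaining_grants(access_list, today, max_idle_days=90):
    """The access list after applying the review: only grants that survived the check."""
    revoke = {(user, data_set) for user, data_set, _ in review_access(access_list, today, max_idle_days)}
    return [entry for entry in access_list if (entry[0], entry[2]) not in revoke]


if __name__ == "__main__":
    review_date = date(2022, 10, 3)  # constructed review date
    for user, data_set, reason in review_access(ACCESS_LIST, review_date):
        print(f"REVOKE {user} -> {data_set}: {reason}")
    for user, role, data_set, _ in remaining_grants(ACCESS_LIST, review_date):
        print(f"KEEP   {user} ({role}) -> {data_set}")
```

Run as a scheduled job, the `review_access` output is the list a data owner signs off on; anything flagged for “no business need” is a finding against the least-privilege rule itself, while idle grants are the routine clean-up the Testing section calls for.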
5. Leadership Support
Let’s face it: a security program requires significant time and resources, and none of this happens without support from leadership. Staff must be trained, services implemented, software licensed, and scans run. Without buy-in from the top, these programs will not be implemented effectively. Management must go beyond simply approving the required investments. They need to guide the security program by analyzing the risks the company faces and keeping the security team informed about the types of risks to guard against.
Lastly, walk the talk. It isn’t enough to say you have a complete security program. You need to act on it and prove it time and time again. KS&R has taken this to heart and is ISO 27001 certified. Our firm’s security program is a continuous effort and cooperation between our IT and security personnel, company leadership, and every employee at KS&R. We work hard to maintain the security program to keep our business and our clients’ data safe and secure.