All successful organizations know one thing - direction is important. In most organizations, that direction starts with the executive leadership team working together to ensure a common path forward for the company. When the senior leaders in an organization show no interest in, or even lambast the need for, a project or direction, that initiative tends to “die on the vine” from lack of support. Security is no different.
This article is less for the practitioner of security and more for the leadership of the organization. I’d encourage you to share this article with your leaders to help stress the importance of taking security seriously within your organization.
The Importance Of Security To A Business
If you are an organization with a presence on the Internet, if you have customers, a bank account, a website, or any revenue, then you are likely a target for a malicious third party. It’s not a matter of if, but when, you will be faced with an attack against your organization. So why is it that most senior leaders in organizations do not view the threat of a cyber attack seriously? Likely because they believe that they are not a target.
I’ve written about this topic in the past, so I encourage you to read that article as well. Unfortunately, acknowledging the need to improve your organization’s security posture is not enough. Let’s face it: if you do not take a topic seriously, how can you expect your employees to do the same? There may be others who are more passionate, dedicated, and well versed in the topic, but if you do not view this as an important part of your business, then nobody else will.
There is no silver bullet solution, which means that you cannot buy a single product or even a set of products and assume that you will be safe from cyber attack. You need to ensure your employees and staff are vigilant in their day-to-day activities as well. From phishing emails to suspicious visitors, there are plenty of ways attackers can try to take advantage of your employees and get into your business.
According to the Verizon Data Breach Investigations Report (DBIR), 22% of attacks involved phishing, and just over 20% involved stolen credentials. Likewise, according to CSO Online, “Phishing attacks account for more than 80% of reported security incidents”. Your employees are often your last line of defense, so it’s best that they understand and respect that role.
If you hold customer data, be it mailing addresses, billing information, usernames and passwords, or other sensitive details, your customers put their faith in your company’s ability to keep that information safe and secure. The last thing anyone wants is to have that data taken by some malicious party. Not only will you lose customers, but with regulations like GDPR, CCPA, and Brazil’s new LGPD legislation, your company may be facing fines as well.
What Can I Do
A great way for an executive team to show leadership when it comes to security is by making it a priority. Make it a key factor in strategic planning: ask for security reviews of new technologies, get reviews of existing deployments, and consider investing in security staff to help monitor your environment. If you don’t have the budget for full-time staff, consider looking for a managed security service provider (MSSP) that can supplement your IT staff.
If your company is on the smaller side, a consultant who can come in and perform a vulnerability assessment may be another budget-friendly solution. By reviewing your current infrastructure and scanning for potential weaknesses, a well-trained consultant can focus on exactly what your particular organization needs and how best to address those needs in both the short and long term.
Speak with your peers and see what challenges they face within their own organizations. This is hardly an isolated concern, and you may find some useful tips from your peers on what they have done that has helped their companies. Or perhaps you’ll hear about a threat that they faced that you may not have realized existed. Sometimes these off-the-record conversations can be far more enlightening than anything you read on a blog. Don’t worry, I take no offense to that.
Where To Start
Here’s a short list of things I would consider to be key starting points within your own company. None of these are overly technical, but the answers you get back should help get people thinking about how to secure your company:
- Do we have multi-factor authentication enabled for our email and other accounts?
- Do we have anti-virus installed on all our endpoints? How do we monitor the scans?
- What does our training for phishing and social engineering look like? Is it annual, semi-annual, quarterly? Who gets trained?
- What protections have we enabled to prevent email spoofing from our own domain?
- Are we sharing accounts for any critical systems? If so, how do we know who accessed the account?
Hopefully this will give you a good starting point for some conversations within your own organization. If you show interest in these topics, it will have a trickle-down effect on the rest of your employees, leading to a stronger security posture for your company.
At EliteSec, we would be more than happy to discuss this topic further and help you build out your own security posture for your company. Contact us today and we’ll have a candid discussion on what pragmatic solutions we can come up with for your unique needs.