In a fast-moving connected world, securing your organization’s information is more important than ever. It’s no longer enough to secure the perimeter and block access from the outside. Our operations are online, in the cloud, on the move in handheld devices and spread across a mobile workforce, as well as vendors, partners and clients.
Many IT professionals are responsible for protecting the confidential personal and business information of our employees, customers and affiliates. Technology, including requiring badges to access physical locations, insisting on strong passwords and implementing online firewalls, is no longer enough to accomplish that goal. An organization’s people are often critical targets in a cyber attack. Today, cyber security must be built into the actions of an organization’s people. By changing people’s behaviors, as well as implementing strong technology safeguards, security becomes a part of all aspects of a company’s operations. Here are five steps to begin building cyber security into the very DNA of a business.
- Analyze. Scrutinize every aspect of your offline and online environment to identify your risks. Employees who fail to shred confidential documents, phishing attempts to trick employees into giving access to online information, or improperly configured web systems are just a few threats identified in the 2018 Data Breach Investigations Report by Verizon. If the idea of combing through every aspect of your operations for vulnerabilities is daunting, there are experts who will partner with you to ensure a thorough review.
- Prioritize. Once you know your areas of vulnerability, prioritize your greatest risks and identify the best ways to enhance your cyber security in those areas first. This step takes diligence and research. What worked yesterday may not provide sufficient protection tomorrow. Cybercriminals are using more sophisticated methods than ever to get to the information and systems you need to protect. They are using machine learning, AI and social engineering to discover and exploit new ways of accessing your confidential information. For example, ransomware wasn’t even on the radar five years ago. Today the Data Breach Report says it is the most common form of malware.
- Train. Educating employees and contractors – anyone with even peripheral access to your company’s data – is the foundation of any cyber security program. Continual training and education not only raise employee awareness of cyber security, but also give employees the skills they need to understand and respond to cyber threats appropriately, regardless of their individual roles. Keeping data security top-of-mind requires a high level of continued awareness and reinforcement. At my company, we use every method we can think of – contests, videos with heroes and villains, postcards, even simulation exercises – to make sure everyone knows what’s at stake and keeps security at the forefront.
- Protect. What’s your company’s encryption strategy? Your data classification policy? Modern information protection policies can identify what data you have and use a risk-based approach to determine how it is managed. Depending on your risk profile, it may be something simple, such as guidelines for what can be shared and by whom. More advanced implementations can automatically tag documents, which in turn determine where information can flow inside and outside the organization, as well as identify and limit certain actions that do not meet the defined cyber security policies.
- Integrate. There are literally thousands of cyber security solutions available today. Sometimes, as a company attempts to address a vulnerability, their security ecosystem evolves over time into a patchwork of solutions. This in itself brings its own challenges of managing, maintaining and future-proofing the environment as business requirements change and new risks emerge. I have seen companies that are trying to update, manage and pay for up to 60 separate solutions in different parts of their operations. As you build your cyber security strategy, consider an integrated approach that is easier to maintain and provides the right level of integrated reporting and visibility on identified risks. Modern cyber security solutions don’t get in the way or interrupt workflow; they ensure robust protection without impacting users’ productivity.
There are many financial, regulatory, compliance and safety requirements that need to be addressed by an organization’s leadership. Modern cyber security solutions provide a foundation for cyber security needs and help ensure security is considered everyone’s responsibility. This will help security become part of an organization’s DNA.