For many years proactive security best practices in the business world have been viewed as equivalent to elective insurance options, with executives asking “Why would I waste money protecting against something that may never happen?”
However, the cyber landscape has changed. Let’s take that analogy a bit further to help understand the current environment.
In the past, a security breach may have been compared to a common cold. The common cold is annoying, and may require a trip to the care clinic and a couple of days' worth of antibiotics. On the other hand, it doesn’t really disrupt your life or prevent you from getting things done and is relatively inexpensive to treat.
In today’s world, a security breach is more like a major accident or serious illness. It requires a host of specialists to treat, can cost tens or hundreds of thousands of dollars to repair, and can take you out of commission for weeks or months. In the latter case, wouldn’t you have wanted to have preventative measures in place to limit the effects and reduce the costs to recover?
It has never been truer that an ounce of prevention is worth a pound of cure.
So if this analogy makes sense, why are so many organizations still not putting any proactive security best practices in place? Many times a proactive security posture is thought of as overkill, with visions of multimillion-dollar security operations centers, staffed 24x7x365 with skilled professionals using all of the latest technology and big data analytics to sniff out threats before they happen.
There are situations where that type of operation is necessary, but it is absolutely unnecessary in many instances. There are plenty of policies, procedures, and tools that can be implemented to provide a foundational security posture.
3 Questions to Start Providing a Proactive Security Posture
From simple technology such as anti-virus to standardized, regular patching procedures to employee access policies, every little bit can reduce the overall attack surface of your organization.
Here are a few simple questions you can start asking in order to understand what you need to protect in your hosted environment:
1. What am I Trying to Protect?
Just as with every core business need, you need to understand the goal that you are looking to accomplish. Identify whether you need to protect your publicly facing web application, your personally identifiable information (PII), your own intellectual property, or all of these.
This is critical to architecting the correct solution. Someone defacing your website can be just as damaging as theft of IP from a reputation and monetary standpoint.
2. What are My Potential Vulnerability Points?
Understanding where potential threats can enter your system will give you a good starting point for what you need to address. While some items are obvious (the unprotected website that takes your customers’ orders), some are less so (unauthenticated remote staff access to backend systems).
Be sure to walk through all the business units and activities that have access to any critical systems.
3. Where am I Covered and Where Do I Need Additional Capabilities?
Once you identify what you’re trying to protect, you can assess what security best practices you already have in place and where you have needs. Implementing the wrong technology or building ineffective processes can be even worse than doing nothing at all. Thinking you are protected when you’re not can lead to unidentified and unaddressed persistent breaches.
That said, most compliance requirements are viewed as “checkbox” items, so there is no vigilance around making sure tech is updated, policies are being followed, and procedures are still relevant except during audit periods.
Taking at least the basic proactive measures to protect your critical information and infrastructure increases reliability and stability so that you can focus on your core business operations. It also protects your reputation within the market and with your customers.
Remember, your security best practices don’t have to focus on the fear, uncertainty, and doubt surrounding potential threats. How you plan and proactively guard against threats can make trust and clarity the tenets of your operations.
Above all, make sure your employees are well informed of the potential threats and the steps they can take to assist in security.