My father has always been a sage of wisdom throughout my life. One piece of advice he gave to help me focus and prioritize was "don't worry about the things you can't control and focus on what you can control". This can be applied to many aspects of life, and I recently placed it in the context of cybersecurity. Too often we get caught up in what threat actors might do. We have no control over them. What we CAN control is how we mitigate and manage cybersecurity risks through people, process and technology.
People are often the first line of defense. A large share of malware and ransomware infections begin with an email message: the payload arrives as an attachment the recipient opens or behind a link the recipient clicks. Email phishing is also used to harvest credentials and other sensitive information that help an attacker gain system access or commit fraud, such as persuading an employee to initiate a wire transfer. Employees are also responsible for following your password, clean desk and workstation locking policies (among others) and for reporting unfamiliar people in the workplace. A formal information security awareness training program, delivered at least annually and reinforced with social engineering scenarios such as email phishing exercises, arms employees with the knowledge needed for frontline defense. Track the click rate and, just as importantly, the report rate of each exercise; a rising report rate is the clearest sign the training is working, and employees who report a suspicious message should be thanked, not blamed.
Process relates to having a thoroughly defined information security program that is documented in policy, procedure and employee use guidelines. The starting point is an information security risk assessment to identify the threats, vulnerabilities and risks facing the organization. The results of a risk assessment identify where controls are adequate or absent, populate or revise your policy documents and allow management to make risk-based, prioritized decisions about information security efforts. The assessment should be repeated at least annually, and whenever there is a significant change, to reflect changes in the people, process and technology of your organization. A well-defined process provides a repeatable, measurable and defensible information security program that addresses both security and compliance with regulatory and/or industry mandates.
What technologies are deployed to mitigate the threats identified in your risk assessment? A multi-layered approach is a fundamental information security practice. Attackers take the path of least resistance, so each additional layer raises the cost of an intrusion and gives you another chance to detect it. Defense in depth by itself is an entire blog post. Some technology layers that defend, detect and respond include firewalls, email and content filtering, IDS/IPS, data encryption in transit and at rest, identity and access management (IAM) and security information and event management (SIEM). A newer class of detection technologies profiles normal user and data behavior and flags deviations from it, such as a login from a new location at an unusual hour or a sudden spike in outbound data. This greatly reduces the time to detect malicious activity and enables rapid containment and response. These tools need a period of baselining and tuning before their alerts are trustworthy, and they still depend on someone being ready to act on what they find.
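To make the behavioral detection idea concrete, here is a small added example, not code from the original post or from any vendor product. It builds a per-user baseline from a few constructed login records (user, source country, time of day, bytes sent out) and then scores new records against that baseline. The log lines, user names and thresholds are all assumptions made for the example; a real product would use statistical profiles rather than the simple set-membership and z-score checks shown here.

```python
"""Toy user-behavior anomaly detector (illustrative example, not a product).

Builds a per-user baseline from historical login records and flags new
records that deviate from it. All log lines below are constructed for
this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: timestamp, user, source country, bytes sent out.
BASELINE_LOG = """\
2024-03-01T08:12:00 alice US 12000
2024-03-01T09:30:00 alice US 15000
2024-03-02T08:45:00 alice US 11000
2024-03-02T17:10:00 alice US 14000
2024-03-03T08:05:00 alice US 13000
2024-03-01T10:00:00 bob DE 50000
2024-03-02T11:15:00 bob DE 48000
2024-03-03T09:50:00 bob DE 52000
"""

# Constructed new records to score: one normal and one suspicious per user.
NEW_LOG = """\
2024-03-04T08:20:00 alice US 12500
2024-03-04T03:15:00 alice RU 900000
2024-03-04T10:05:00 bob DE 49000
2024-03-04T10:40:00 bob DE 400000
"""


def parse(log_text):
    """Parse whitespace-separated records into dicts; hour is taken from the timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, nbytes = line.split()
        events.append({"user": user, "country": country,
                       "hour": int(ts[11:13]), "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: countries and hours seen, plus mean/std of bytes sent."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "countries": {e["country"] for e in evs},
            # A set of seen hours is a crude stand-in for a real temporal profile.
            "hours": {e["hour"] for e in evs},
            "bytes_mean": mean(sizes),
            "bytes_std": pstdev(sizes),
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return the list of reasons an event looks anomalous (empty if it looks normal)."""
    prof = baseline.get(event["user"])
    if prof is None:
        # A user with no history cannot be scored; surface that rather than guess.
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in prof["countries"]:
        reasons.append(f"new source country {event['country']}")
    if event["hour"] not in prof["hours"]:
        reasons.append(f"unusual hour {event['hour']:02d}:00")
    std = prof["bytes_std"] or 1.0  # avoid divide-by-zero when history is constant
    z = (event["bytes"] - prof["bytes_mean"]) / std
    if z > z_threshold:
        reasons.append(f"outbound volume {event['bytes']} is {z:.1f} sd above baseline")
    return reasons


def detect(baseline_log, new_log):
    """Build the baseline from history and return (user, reasons) for each flagged event."""
    baseline = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for user, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"ALERT {user}: " + "; ".join(reasons))
```

Run as written, the detector stays quiet on alice's and bob's routine logins but flags alice's 03:00 login from a new country with a large outbound transfer on three counts, and bob's in-hours, in-country transfer on volume alone. The last case is the one that matters in practice: a signature-based control sees nothing wrong with a legitimate user on a legitimate network, and only a deviation from that user's own baseline reveals it.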
By adopting prudent information security practices aligned with the size, complexity and culture of your organization, you have positioned your people, process and technology to best defend your network and data.
Contact Security Compliance Associates today, schedule a free consultation, and begin securing your business.