No organization is immune to the threat of security breaches. With cybercrime activity increasing rapidly across the globe, every organization needs to address the potential risks to better protect its systems and sensitive data. It is a complex challenge, however, because organizations must vigilantly monitor and minimize the risks on many fronts and provide protection from cyber criminals, technology innovation, human error, and even natural disasters.
Cybersecurity is now an enterprise-wide concern that deserves C-suite attention. Cyber risk is listed as the number two issue of the nation’s top CFOs for 2016. I have prepared a high-level checklist with questions for executives who want to ensure their organizations are well protected from cyber threats.
The key cybersecurity risk areas are: Human Factor, Access Management, Security Policies and Procedures, Network Security, Operating System and Application Security, Data Encryption, Third-Party Relationships, and Disaster Recovery.
- Human Factor: Do your employees understand the importance of their role in protecting the organization?
Human error and oversight are the most common causes of security breaches. If your employees are not adequately trained, they can expose your organization to breaches through malicious attacks, phishing, scams, and even disgruntled employees. To minimize the risk of vulnerabilities caused by current or former employees, education is the key. Provide cybersecurity training to ensure everyone in your organization knows their role in protecting it. Training employees on cybersecurity and data protection procedures helps them become more careful and more vigilant, and teaches them the right procedures to follow to protect the organization’s IT assets.
- Access Management: Who has access to your systems? Is your organization managing this carefully?
Keeping track of the users who access your systems is critical to minimizing the risk and impact of a security breach. It is important to enforce regular password changes for these users. Business systems are interconnected in ways that were difficult to imagine or predict even a few years ago, requiring a thoughtful and detailed approach to access policies, procedures and management to protect sensitive data.
- Security Policies and Procedures: Do you have a plan to protect your organization? If a breach happens, do you have a recovery plan?
Security breaches don’t just affect your IT organization. If your systems and critical data are compromised, it puts the entire organization in danger of interrupted business, lost customers, and even personal liability. If you have weak or non-existent security policies and procedures, there is no basis for accountability. Don’t settle for basic templates to establish security policies and guidelines. Your organization needs to define actionable plans and procedures that address your unique situation and needs.
- Network Security: Is your network susceptible to security threats? Do you run vulnerability scans or penetration tests? What about your hardware – is it configured to provide protection, and are these configurations up to date?
Both the Internet-facing and internal portions of your network are targets for criminals who see your systems as ‘attack surface’ that, when breached, will lead to your valuable data. Vulnerability scans are a first step, but they don’t tell the whole story. They often produce false positives and generate many alerts that are not actionable. Organizations need to have routine third-party penetration tests conducted on both the external and internal networks. Have specialists test your network the way hackers do – aggressively, creatively and persistently. Then prioritize your action plan and make the right changes.
- Operating System and Application Security: Are you installing the patches that are critical to the security of the software your organization relies on?
New vulnerabilities are discovered every day in applications and operating systems. Vendors distribute patches for these vulnerabilities as they become aware of them and are able to repair their code. Keeping everything updated with the latest protections in place is necessary to defend your organization from attack. With internal, custom applications, you cannot rely on a vendor’s disclosure-and-patch cycle. It is up to you to have experienced security researchers find vulnerabilities in your software so that repairs can be made. Where it is not feasible to fix a vulnerability, knowing about the weakness allows you to structure your network and layer protections around it, protecting your data more effectively.
- Data Encryption: Do you know what data is being encrypted to protect it from security breach? Is the right data being encrypted?
With regulations and best practices rapidly broadening the scope of what data must be encrypted, organizations face the challenge of understanding what needs encrypting. Mobile access to systems is driving more data to reside on those devices, outside the protection of central servers and their encryption. Data encryption must be addressed both when data is at rest on a system and when it is in transit between systems.
- Third-Party Relationships: Do your vendors and business partners meet your security standards?
Over 60% of data breaches have been linked to a third-party vendor. When outside partners and vendors connect to critical systems through your supply chain and other business-to-business relationships, the security risk to your systems increases. Their security weaknesses may now be your security weaknesses, if the attack surface you have exposed is vulnerable. Third parties that interact with your systems must have security practices that meet or exceed your own for the data that is important to you. Monitoring these vendors can be challenging and time consuming. Find the right expertise to help you manage this significant security risk.
- Disaster Recovery: Does your organization plan for the worst? Where do your backups reside? Did you know that your backup data can be a prime target for attackers?
In the face of a crisis, you must take a proactive approach to protect your IT environment and minimize data loss and damage. Often, a disaster recovery environment is not as secure as your production site. Backing up your data without carefully considering how that backup is transmitted, stored, and recovered often exposes your data to additional vulnerability. If a negative event does happen, then in addition to restore and recovery actions, incident response plans are needed to determine why the outage occurred. This allows precautions to be taken against future risk.
Cybersecurity affects every level of the organization. With the inherent risks, every executive needs to prioritize protecting sensitive data, customer information, network operations, competitive secrets and business continuity.
To learn more about how your organization can become more secure against cyber threats, feel free to contact me. I also welcome your comments and questions below.