Information security: Fundamentals first, then improve on the basics
“What can be done to improve security?” is among the most common questions I hear in conversations with corporate executives and information technology managers, and I’ve developed some key ideas in answer to that question. Two key phases — fundamentals first and improve on the basics — provide an outline for action as business leaders at companies of any size prepare to grapple with one of the most important demands in business today.
Organizations should first ensure they have achieved a “90% level” of security accomplishment before they dive too deep into the myriad “advanced security” products and solutions offered in the marketplace. Focus on these three areas first:
- Identify critical data. Doing so will shape your entire approach to security. Understand what your most important data is, what systems it resides in, and how those systems are accessed. You need to know all these things to know how to best protect it.
- Strengthen authentication. User identities are the literal keys to access your resources. Weak passwords and shared accounts are a very real security risk that should be addressed early. Leverage solutions that provide good password policies, self-service password reset, and multifactor authentication.
- Implement patching. Often overlooked is the importance of applying security updates in a timely manner. Attackers can take advantage of new vulnerabilities quicker than ever, so it is critical to deploy fixes just as quickly to close the window of opportunity. Use patch management solutions.
Improve on the basics
Once the core fundamentals of security are in place, you can begin to develop good practices to further mature your security posture.
- Evangelize security. Incorporate messaging about security awareness and best practices in your regular internal communications, which could include the company intranet, posters in the break room, or just weekly staff meetings. Avoid clichés and fearmongering, but provide advice on what to look for and what to do when something “isn’t right.” Consider engaging marketing and outside agencies for assistance.
- Encrypt data. Prevent unauthorized users from reading or changing company data by leveraging encryption both in transit (e.g., using secured transfer protocols such as “https” rather than “http”) and at rest (e.g., using tools such as BitLocker, which is included with Windows 10 Pro). A good encryption solution should be transparent to authorized users, improving security without burdening them with cumbersome processes.
- Leverage automation. Very often routine tasks are performed manually “because that’s how it’s always been done.” But these routine tasks consume human attention and are prone to mistakes, shortcuts, or unexpected changes over time. This makes it difficult to measure success, performance, and compliance with anticipated results. Automation saves time, improves consistency, and reduces the need for overprivileged access — all of which directly improve security.
- Monitor systems. Take a proactive approach to detect risks before they become disasters. Attackers are generally attempting to steal data, not disable systems. It will be far too late if the strategy is to wait for a service to fail before investigating any problems. Aggregate alerts and warnings into a centralized IT service management system that can assign and track progress on investigation and remediation.
What to do now
To effectively make progress on improving security, you need a tangible plan. Assign individuals to create a backlog of security-related tasks and start scheduling implementation. Approach this process as a project: set goals and timelines, and allocate the resources, time, and money to get it done.
It’s important to gather representatives from across the organization to discuss the current state, concerns, and goals. In our experience, it’s especially useful to frame those conversations with the NIST Cybersecurity Framework (CSF). (NIST stands for National Institute of Standards and Technology, which is part of the U.S. Department of Commerce.)
A framework such as the NIST Cybersecurity Framework provides a structure for evaluating both technology and business processes. In that evaluation, apply scoring to determine your organization’s current maturity level across a range of critical security areas. Then, use those results to determine both guiding strategies and tactical steps to begin immediately.
By applying a framework — and ensuring fundamentals are well established before moving on to more advanced solutions — you can help ensure your organization is protecting sensitive data.
Shannon Fritz is solution architect, cloud datacenter, at technology consulting firm Concurrency Inc.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.