Running a business requires the collaborative effort of good leadership, effective teamwork, and flexibility to adapt to changes in a timely manner. It also requires planning to reach short-term goals, as well as long-term ones. The same applies to information security, especially as organizations adopt new technology and data goes digital. The biggest issue with the transformation of how businesses now operate is security.
A perfect example is the cloud. Study after study has found that businesses aren’t integrating the cloud into their operations because of concerns about data protection. The same problems arise with the use of mobile devices and with the Internet of Things. Even organizations that are putting off using the cloud or mobile devices for work aren’t really putting off anything when email is the primary method of communication; and even if a business is using faxes or printers, those devices are still vulnerable to intrusion.
The truth is that every organization has some digital component included in how it conducts business nowadays. Using anti-virus programs or other types of security software may seem like enough, but it isn’t. When your employees are targets of phishing scams, or when those employees who have privileged access to specific data are targeted by hackers, you have an issue. When software solutions give you false positives, or when they are themselves vulnerable to intrusion, that’s even more problematic because now you have no certainty that your security measures are effective.
Whether it’s a healthcare provider, a financial institution or a small business that we’re talking about, all face the same level of risk. The impact of a breach is proportional to the size of the organization, but the financial blow is the same and can bring business to a halt. Not knowing how multi-faceted an organization’s vulnerabilities can be is just one of the issues. Another one is thinking your data is safe because you have a firewall and an anti-virus program.
Business executives need to come to terms with reality and realize that they need to treat their risk management posture with the same amount of time and the same in-depth approach they take to running their business. Security executives need to get creative with how they present vulnerabilities to those executives. In addition to implementing compliance to pass audits, organizations need to evaluate their security posture as often as possible. You can’t expect to set up BYOD policies and procedures, for example, and think you’re done. Those same policies and procedures need to be reevaluated as new threats arise and as times change. Malware goes through continuous transformation, and hackers study and learn how to bypass new security solutions as they are created; there isn’t a stop button for the evolution of vulnerabilities.
When information security is implemented correctly, there is a foundation that covers the entire business process. You go from creating a business continuity plan, to updating software and patching, to performing external vulnerability assessments. However, this is just a start: even though you’ve got a solid foundation for protecting your data, that risk management plan will require additional components at some point. Your business plan changes from time to time; the same goes for your information security plan.
Adapting to anything new takes time, but organizations can’t continue waiting for things to settle down when it comes to data security. The sooner businesses get started with a holistic risk management posture, the sooner they will be able to avoid missing a breach and finding themselves years later wondering where the intrusion came from and how much data was taken.
Let’s talk about your information security needs and find out how solid a foundation you already have and what needs to improve so that you can avoid false positives and blind spots.