By Josh King
Today’s security threats are more complex, more frequent and more dangerous than ever – and finding the right tools to combat them can seem overwhelming.
Choosing the right security tool is challenging because attacks can take so many forms. They might begin with an innocent-looking email that tricks an employee into giving up their access credentials. They could start with a user clicking on a malicious website and downloading malware that triggers a ransomware attack. Or, they might be triggered by a hacker hiding a link to malicious code in the comment section on your blog, putting every future user’s data at risk without your knowledge.
Ensuring you’re protected is even harder because the threat landscape changes with every new business partner you share data with, every new mobile application or website you roll out, and every new customer who requires you to meet their security standards to do business with them.
With all this complexity, it’s easy to focus on the wrong threats while ignoring the security capabilities you really need. To get the most effective protection at the lowest cost, it’s essential to thoroughly assess these five aspects of your business before choosing among security tools.
With that said, here are five tips for navigating what I call “The Security Maze.”
- Your business services. These are the everyday processes – think order entry, credit checking, inventory replenishment or customer service – that run your business. They are supported by IT services such as applications, networks and disaster recovery. By focusing your security assessment on your business services (rather than your IT) you’re more likely to identify all the underlying “plumbing” that must be secured to protect the functions on which your business depends.
- Your data. Data – whether it’s your customer list, proprietary research, or future product plans – is your biggest asset. Its loss can also cause your biggest financial losses, embarrassing headlines, and regulatory fines. To focus your security spend on your most critical data, you need to identify:
  - The nature of the data and how much its loss could cost. For example: “If a competitor had access to our proprietary manufacturing processes, it could wipe out our cost advantage, costing us $400,000 a year in reduced margins.”
  - Where the data is stored now and in the future: “We’re considering moving our manufacturing records from our in-house ERP system to a cloud-based platform. How would this affect our security?”
  - The upside of securing the data, not just the downside of losing it. What’s the financial benefit from understanding your customers’ needs before your competitors, or the brand value of customers trusting you with their data?
- Your internal and external users. Do your users access your systems and data through on-site desktops under your control, or (more likely) through notebooks in coffee shops or their personal tablet over their home WiFi network? These real-world access methods are the attack “vectors” you need to protect the most. You also need to understand which users access which data so you can tailor their protection to their roles, and how those roles contribute to the bottom line.
- Your existing security tools. All your security tools – even those as mundane as antivirus or firewalls – must share data with other tools to uncover the patterns that signal an attack. Understanding which existing tools you will keep, and how easily they can share data such as logs and alerts, will help you know what interoperability features to look for in your new solutions.
- Your worst nightmares. The “worst case” security breach is different for every business. For a medical device provider, it might be a hack of a drug pump or a pacemaker that puts patients’ lives at risk. For a social media site, it might be the theft of member data or its use (as in the case of Facebook) by unauthorized third parties. As you prioritize these threats, do your best to assign even an approximate price tag to them. That will help you set, and defend, your security budget.
Josh King, Director, Security Solutions, Carousel Industries