In this day and age of omnipresent information security threats, it is critical that organizations know themselves.
And by knowing yourself, I mean having a thorough understanding and control of your organization's security posture from a technical and operational perspective.
From a technical perspective, do you have a detailed understanding of your technical architecture – from hardware to configuration and customization? Do you have a robust set of security tools in place, including vulnerability scanning software and endpoint protection?
On the operational side of the equation, have you clearly defined roles and responsibilities for information security within your organization? Have you demonstrated an organizational commitment to protecting your reputation and information assets?
Know or be known
Absent these data security best practices, your organization will find itself exposed to a variety of unwanted threats. In other words, you will be known by malicious actors as easy prey; your customers as lax with their information; regulators as non-compliant with information security laws; your stakeholders as being incompetent; and the public as being untrustworthy with customer information.
None of these situations is desirable, but rest assured they are a very present reality for organizations today. Most organizations never find the time or resources to address information security until after there is a breach – after the organization has already paid the financial and reputational costs of a weak security posture.
What most organizations don't realize is that proactive information security is far less expensive than the buckets of funds spent by organizations that find themselves in firefighting mode after being breached.
What follows are some creative ways to scope your organization's information security posture, but, remember, it all begins with knowing thyself:
- Understand your current posture. To move forward with improvements, it takes a little front-end organization so you can determine exactly where your organization stands. This can be achieved by ensuring that the appropriate team members and decision makers are involved, collecting any and all relevant data, and assessing existing security measures and threats. Think of this as putting your best foot forward for the task at hand.
- Determine the level of sensitivity of the information that you store. What kinds of information do you store? It's likely your organization can classify the confidentiality or sensitivity of the data you hold, and handle it accordingly. In doing so, you will be able to identify and control the information that needs the most layers of protection. Better yet, make a determination as to whether or not the data is necessary for business activities, particularly if it is personally identifiable information (PII) or protected health information (PHI). If it is not necessary to your business operations, why carry the additional risk of storing it?
- Take stock of your organizational security capabilities. What security capabilities do you have in house? What are your policies and procedures? Do you train employees to understand their role in maintaining data security? A security assessment will help you to determine what you aren't doing, and areas where it may make sense to seek help from outside third-party vendors.
- Take the steps necessary to demonstrate your diligence around your custodial information responsibilities. Once you fully understand your current security posture and all that entails, you'll need to test it to make sure you're doing all that is necessary to secure data. This might fall under the umbrella of compliance or IT assessments, including full vulnerability assessments, wireless assessments, and penetration testing. Depending upon the nature of your business, it might make sense to consider social engineering tests to see if data can be gleaned through various pretexting means.
- Start the remediation process immediately. Having begun to identify the steps you can take to improve your security posture, it is critical that you don't waste any time taking action. Assign owners to tasks, define timelines and hold people accountable for delivering on time. Once you know yourself…you need to fix yourself!
Confronting your information security “skeletons in the closet” likely sounds incredibly daunting, but take solace in the fact that extra effort will save you the emotional and financial headaches associated with a network incident. That's the kind of savings you just can't put a price on.
Daniel Creedon is a managing director with Kroll Advisory Solutions' Cyber Investigations practice, based in Philadelphia.