Building a solid security program takes time. Every organization is different. It's very important to assess your technology, and consider both internal and external threats. An assessment will reveal vulnerabilities. The remediation process will help you take full advantage of your existing security assets and point you at any gaps that need filling. Even once your defenses are in place, vigilance is an ongoing requirement because new threats are emerging all the time.
In the face of our increasing reliance upon the cloud, and trends like BYOD, enterprise security is at greater risk than ever before. That's why Gartner is predicting that more than 50% of organizations will be engaging security services firms by 2018. Every business needs to have a security program in place. Here are four Es that can help guide you through the process: Evaluate, Establish, Educate, and Enforce.
You can't begin to create a security strategy until you have a clear, big picture view of where you stand. You need to conduct a complete security assessment, ideally by engaging a third-party expert that can give you an unbiased outside overview of your current systems and policies. The first time you do this it will be a major undertaking, but thereafter it should be a less burdensome recurring responsibility.
This evaluation should encompass all devices used in the business from desktop PCs and laptops, to smartphones and tablets. It needs to take into account your IT infrastructure, your networks, internally developed software and databases, and third-party systems and apps. Regulatory requirements must be taken into account, for example, HIPAA in the health care industry. It's important to identify compliance failures.
It will undoubtedly be necessary to establish and/or develop your information security program in the wake of your assessment. Every situation that could constitute a risk for the business must be catered for, from an established procedure for wiping company data and deleting user accounts when an employee leaves, to a detailed MDM (Mobile Device Management) policy to configure mobile devices on your network and safeguard your data.
A regular schedule of program and policy evaluation will be required to ensure that new technologies, software, and processes are catered for as they're introduced. It will also serve as a check that no superfluous policies are retained that may pertain to outdated technology or discontinued processes.
Creating a comprehensive set of policies is only the start. You'll have to educate and train employees if you expect those policies to be followed. Explain the underlying reasons, the potential risks, and the consequences of a breach. Proper training is an investment worth making and a necessary prerequisite for any enterprise security strategy to work effectively.
Proper training protects the organization from legal liability and enables management to hold staff accountable for their actions. You could have the best policy in the world, but a failure to educate your staff will render it useless.
It's not enough to create your program, develop policy and educate the staff, you need systems in place that allow you to monitor compliance. Employees that breach security procedures must be punished. Systems that fail to meet your security standards must be replaced. Only by closely observing your data flow in action can you understand how well your security strategy is working.
When new vulnerabilities are identified they must be flagged immediately. As your program and policies evolve there must be IT resources in place to measure and enforce. Many threats, particularly data breaches, are the result of internal actions, so you need systems and metrics in place to cover every conceivable angle of attack.
Take a long term view
You have to balance the investment against the risk of lost revenue and business, legal liability, and serious decline in customer and shareholder confidence. It's expensive to find, fix, and clean-up data breaches before you even begin to tackle the confidence issue.
While initial costs may seem high, once you have a solid security strategy in place and a schedule for ongoing monitoring and evaluation, maintenance needn't be expensive. Measured against the potential costs -- an average $3.5 million for companies in 2014 according to the Ponemon Institute -- the four Es of enterprise security look like a bargain.
About the Author
Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA with clients such as Smith & Wesson, Middlesex Savings Bank, Brown University and SMBs. You may reach her at [email protected]