Security is quickly becoming one of the top ways employees, partners, vendors, and customers use to evaluate an organization. People want reassurance that the company they plan to work with is secure. And if the company doesn’t measure up? Partners and vendors might take their business elsewhere, an employee might not accept a job, and a potential customer could disappear to find someone more reliable.
It’s an unfortunate truth: if you suddenly realize you don’t measure up, cybersecurity is not a quick or easy thing to fix. It’s important to start on this as early as possible, or risk falling behind with little chance to catch up.
Our last post discussed the ever-changing threat landscape, like data breaches, ransomware attacks and other threats. The world simply faces an endless horizon of never-ending cybersecurity changes and challenges. While that might seem overwhelming, it also presents a valuable opportunity for your business.
Companies today have no other option than to respond to the world as it exists, not as they would like it to be. The challenge is that the marketplace has an overwhelming number of available cybersecurity solutions. Businesses must ensure that what they deploy is tailored to their needs and keeps their organizations safe.
Unsurprisingly this isn’t a simple task. As counterintuitive as it sounds, part of a security framework includes maintaining a certain level of cyber risk. Truly eliminating every threat would mean your employees couldn’t log in to a website, for example. Security can’t be a hard and inflexible line, rather it should be the anchor that holds the whole ship in place against waves and moving tides.
Finding the Right Tools
For years, the security world has taken a “my way or the highway” approach to security. Now, a successful security posture requires redundancies, and the willingness and ability to meaningfully compromise. The biggest threat to any security framework is the behavior of the people implementing your practices, so you have to construct an approach that will be adopted and sustained over time.
Companies must find a happy medium with good security tactics, techniques, and procedures (TTPs) that minimize the negative impact on the end user and reduce unnecessary interactions, while also maximizing the level of protection possible. If it sounds tough, that’s because it is. But that’s also the case for your competitors. If you can get ahead, chances are it’ll be tough for others to catch up.
A common problem with security policies is that companies have burdened employees with regulations and requirements for too long. As a result, many employees found ways to skirt those mandates, putting their organizations at risk. And no, telling your employees “don’t do that” won’t work (believe us, we’ve all tried it).
Security professionals need to minimize the effort facing end users. The best way to minimize a team member’s fatigue is to streamline the requirements and ask less of the end user.
Building Organizational Security
An organization’s security is a lot like building a home. There is more than one way to build a home: You can build a structure on-site from the ground up, or you can build it in another location and then move it to the final site. Modular homes are gaining popularity partly because they allow construction companies to complete more work in advance. They build the structure elsewhere, transport it to its final location and fine-tune it to the specifications of the installation site.
SMBs should take a similar view of their security procedures. They don’t have to build a security framework from the ground up, but instead can lift best practices from guidelines and tailor-fit the structure to their own needs. The more the security team can do to tailor-fit a tool and educate team members on how to use it, the less the end user will have a chance to negatively impact success.
The old approach to organizational cybersecurity left room for over complication and multiple points of failure. Fortunately, with data behind nearly all motions of a business, you now have a range of powerful tools you can utilize to make life easier.
Harness the Power of Data
Harnessing the power of data comes down to using the right tools. Consider a tool like a password manager with two-factor authentication (2FA); this powerful combo makes it easier for end-users to manage their logins and increases cybersecurity.
Here’s an example: When you use a password manager, employees can’t easily memorize the actual password (please, quickly memorize xUBO83%Hlz*rR!), which means an employee is less likely to walk out the door with some login credentials, or accidentally divulge it to a malicious actor. The password manager will then store those credentials for the employee, so they are easily accessible throughout the day, reducing the risk of employees writing passwords down or storing them in unprotected databases. Take this a step further and implement two-factor authentication which requires an employee to validate their attempted log in so that the likelihood of a breach or unauthorized access attempt are drastically reduced.
With a system like this in place, all employees need to do is need to stay vigilant whenever they access the password manager. You’ve reduced their level of effort and increased your security with one tool.
Security Posture and Cybersecurity Risk Management
A security posture, as defined by the National Institute of Standards and Technology (NIST) is the status of an enterprise’s networks, information and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
The goal of any security posture is assessing the potential for risk and acting accordingly, considering the potential impact. In the case of our password manager + 2FA combo, you’ve just dramatically decreased a major risk to your business and improved your security posture.
These decisions always boil down to risk tolerance. Most of the time, cybersecurity risks fall into that difficult-to-assess category of “low probability, high impact”. When a security team reduces the impact of an event while only fractionally increasing its probability, they have done a service to their organization from a financial and process standpoint. This serves as a good reminder: no one can eliminate risk, we can only prepare for it and manage it.
A company can put the tools in place and ask end users to act, but in the security world governance – the process of validation to ensure teams are properly using tools and following procedures – is often overlooked. Governance of adherence to policies is the most important part of a company’s security posture; however, it’s all too often the one element that is skipped or overlooked in security and compliance.
A company should proactively and regularly discuss all the security tools it employs to protect its organization. Unless companies internally recognize and operationalize a process to check, validate, and reevaluate its security and compliance policies, they are missing a crucial step in the process. It’s a huge part of mitigating and managing risk.
With the advent of new technologies, the policies and processes organizations had in place two years ago may not be as effective as what we’re doing today. Frustrating? Yes, but it’s the reality.
Security professionals can put the tools in place, but that’s not enough. Governance is imperative to make sure the end users are using them properly and they are, in fact, working as envisioned.
How do we do that? Stay tuned for more.
In the meantime, if you want to see how Liongard can support your security efforts, check out our content hub!