2015 was a big year for data breaches.
Ashley Madison’s takedown, the US Office of Personnel Management breach of millions of US government employees’ personnel records and the gigantic healthcare record theft from Anthem were just a few of the stories that captured international media attention.
The past twelve months have shown that it doesn’t matter how much companies spend on controls: if you’ve not pasted over all the cracks, determined hackers will find a way to breach the castle walls.
Here are a few suggestions of things you can do next year to bolster your organisation’s defences, fend off the attackers and make sure you aren’t in the headlines for being the next David Jones or Anthem.
Implement security standards
There are a lot of security guys who berate a security management approach, espousing the view that the only way to be secure is to invest in technological defences. This may be partly true, but you need to look at the big picture.
If you get executive buy-in to implement ISO 27001, you’ll have begun to build security awareness across the enterprise, combining people, process and technology, including the security management of facilities, suppliers and business continuity considerations.
Adoption of a standard doesn’t mean you are ignoring the technical weaknesses in your systems, but it does mean that you’ll be adopting a more structured approach to management of business risk, something that ultimately helps you get further investment in security controls based on a solid business justification.
Patch your systems and applications
Most organisations struggle with basic systems hygiene, keeping operating systems and applications patched up to date.
It’s also true that most successful attacks start with a simple phishing email that entices users to run malware that searches for vulnerabilities which can be further exploited by the attacker.
If your systems and applications are always patched and up to date, a successful attack will be significantly harder to achieve, so consider re-prioritising patching as one of the most critically important security processes your organisation manages.
Build an effective team
If you don’t have a security team, start by creating a business case to build one and lobby senior management with the evidence of what it will bring to your organisation.
Security is a massively underestimated problem and requires specialist managers who have one foot in the technical world and the other firmly planted in the executive.
With new hires, look for certifications and relevant experience, but if in doubt, consult a professional body to make sure you understand the job roles you are hiring.
In the interview, cross-check the candidate’s CV, but also try to make sure the candidate understands what you need and that they can actually do it – one man’s security architect is another man’s firewall engineer, but neither will be pulling well-considered quantitative risk assessments out in their weekly operational presentations.
Make sure you define the roles properly and align with industry definitions.
Implement training and awareness
I’m sure you’ve heard it many times: security is everyone’s responsibility and people are the weakest link.
It’s true: uneducated staff will not consider security risks when going about their daily business unless you graft it onto their DNA. The ISO 27001 standard doesn’t include a security awareness program as a mandatory control for no reason.
By teaching your staff about the risks and reinforcing positive security messaging through bulletins, ad-hoc chats, management town hall discussions, posters and lunch and learn sessions, you build a culture of awareness where staff will question everything that poses a risk.
Consider implementing a training program that provides expert security knowledge to staff who are not in the security team. If your network administration team understands how to keep your network secure and your WinTel engineers understand the security aspects of group policy, they will make better decisions.
Test, test and test again
It’s unfortunate, but the threat landscape is forever changing, so yesterday’s audit is out of date by the time you get into work this morning.
A mature approach to security is to employ a dedicated team of security penetration testers to continually work on locating and eradicating vulnerabilities in your people, processes and technology.
This is one of the least accepted approaches to the management of security within a business, as it is deemed too expensive and invasive.
However, there is no better way of keeping on top of the threats than making this someone’s full-time job. They will locate the security weaknesses in your systems more quickly and easily than attackers, as they know your systems inside out.
This means you’ll have a remediation program in less time than the attackers take to start their initial reconnaissance.