
Cybersecurity Considerations


Over the past few years there has been no shortage of news about data breaches and vulnerabilities. Each had major financial and reputational consequences, and each had its own way in.

It might seem impossible. As organization leaders or board members, how can you make sure your organization can escape the barrage of headlines bombarding the news? Who can you trust and what advice will be critical to avoid a devastating mistake?

One thing is clear: what most organizations have been doing is not good enough anymore. Attacks and breaches keep occurring. Cybercriminals are defining clear targets, as if they had marketing strategies that clearly define each one. They know your vulnerabilities and have vectors to break through those weaknesses.

Looking at this past month alone, there is no shortage of examples: millions of records left visible, from staff records at school districts all the way to major organizations, many of them in healthcare. There is no shortage of criminal activity.

My message to you today: establish and manage a strong cybersecurity posture, one that draws on advice from trained CISSP-certified experts to guide you and your team through the challenges of modern cybersecurity. Organizations large and small must know where their risks lie and be ready to address and constantly monitor these weaknesses.

How do you construct an effective cybersecurity strategy?

Get buy-in across your organization: create awareness and agreement among your team. There will be specific technical and process considerations in establishing an effective strategy. Cybersecurity needs to be understood across your departments so that it can inform decisions at every echelon of your organization. Keeping everyone in the loop will make you more agile in adopting an ever-changing cybersecurity strategy (which is how secure organizations maintain security best practices).

Pro Tip: Consider using outside resources to help you design a security strategy. It is essential to get fresh eyes on your security and platforms; most people within your organization (even those who are involved in IT and IT security) won’t be able to see the forest for the trees. A good security consultant’s skills and knowledge can provide critical expertise, experience and context to ensure your organization’s security.

Once you have buy-in from your team, you may think it’s time to start implementing and initiating security objectives. First, take a step back. Make sure you’ve properly defined your organization’s security strategy. Sit down with leaders to understand what they do on a daily basis, what systems are used, where and what data is being stored, and what third parties your organization is dependent on for business continuity.

Get a full list of software: audit all of your network. At minimum, get a full view of what your team uses, who uses what, and how or whether platforms are regularly updated. This will take a chunk of time (it’s a huge undertaking). Remember that breaches happen because basic security measures (let me stress basic here!) are missed. If you move ahead and implement a half-baked strategy that hasn’t been thought through, you are likely giving your team a false sense of security, one that may end up jeopardizing more than you’d ever imagine until it’s too late!

Pro Tip: Although your IT team may have a list of used software, it likely isn’t extensive. Some departments may have purchased software that is managed outside of your IT team’s control. Some may actually use open source platforms they’ve downloaded or installed on their own. There are ways to audit every single piece of software, but it takes some technical wizardry. Cybersecurity consultants should be equipped to create an extensive evaluation of your network’s software landscape.

Understand what security changes may do to your organization. Let me be clear: by implementing changes to security, you and your organization will have to accept some changes to your processes. How your processes work will change, which means your team may grumble and your IT team will experience increased support desk calls.

These are all temporary inconveniences. Managing your security strategy should become part of your regular process evaluation. Conduct regular audits of software, devices and risks. And in the unfortunate event that you do experience a breach, you should know the amount of work required to remediate an incident.

Pro Tip: Ongoing user education should be a critical component of your security strategy. Having your team understand what is going on and recognize the context for the changes in their process flow has been helpful in keeping teams vigilant and aware of why changes are essential.