How much is your company’s reputation worth? The loss of your company’s reputation is likely the most serious risk to its existence. One incident can bleed clients and cause potential clients to scratch your company off their list entirely. Regaining trust, if it can be regained at all, can take years. Just one data breach can drive a stake through the heart of your company. An astounding 60% of small businesses fail within six months of a hack. These have included Code Spaces, a Software-as-a-Service (SaaS) provider, and MyBizHomepage, once valued at $100 million.
Even the biggest organizations can suffer from a massive data breach, as a recent compromise of Anthem Blue Cross attests. There are no silver bullets that will fully protect your company. However, there are some effective strategies that can markedly reduce your company’s risks. Here are five ways we recommend:
1. Hire a Chief Information Security Officer (CISO)
Most successful companies already have a security culture. However, this is often insufficient because it does little to promote enterprise security. Parts of your company aren’t necessarily sharing their best practices with other parts. Even if security practices are shared, there isn’t necessarily anyone setting the standards. If there is someone setting the standards, it may be just part of their job, instead of their primary focus. By hiring a Chief Information Security Officer (CISO), you empower a person to do this job across your entire enterprise. You are sending a signal that intelligently handling security is critical to your business.
Of course, hiring a CISO isn’t necessary for smaller businesses. Their alternative is to assign accountability to the current employee best placed to oversee security. It could be the head of IT or a department manager. The important consideration is that someone is responsible, even if they are simply the head of a committee that ultimately decides on a security strategy.
2. Create a work culture of trustworthy security practices
Technology is never going to be your security silver bullet. Security technology complements a security architecture in which people, not machines, are at the center. Your employees are your biggest security risk, and they probably always will be.
An employee who has no ethical qualms about downloading music or movies over BitTorrent while at work may not feel ethical qualms about sharing confidential company data either. This is why employee training aimed at developing a culture of safe security practices matters: it helps prevent lax habits from taking root.
Stricter hiring practices are even more important for employees who will handle sensitive data. Even if you have a policy of hiring only employees who pass a background check, a basic security clearance is not that hard to get; a clearance only indicates that there are no obvious red flags. Look for additional signals:
- Has a prospective employee handled confidential data or large sums of money for many years successfully?
- Have they possessed advanced security clearances in the past?
- Are they ex-military?
Seeing one or more of these attributes in a prospective employee, as well as a clean background check, can increase your confidence that this employee will bring a security mentality into your company and behave ethically. Hiring practices that are mindful of signals of a conscientious employee will create a pervasive security culture.
3. Patch, but verify
While security technology is not a silver bullet, it is still essential. Your CISO should be working closely with your IT shop to ensure that your electronic perimeter is well guarded and your internal systems are up to date and patched regularly. Appropriate technologies that enhance security should be installed where needed and regularly upgraded. Occasionally an egregious security issue is discovered that requires deployment of an immediate patch, such as the 2014 Shellshock vulnerability. In general, though, it is better to follow a well-defined process for continuously improving security across your enterprise than to jump at plugging every new vulnerability reported on the Internet. This approach works much the way a flu shot protects you from likely flu strains, but not all flu strains. By rushing to patch the security problem of the moment, you may leave yourself exposed to other, less newsworthy vulnerabilities that should also be addressed, while adding unplanned complexity to your technology stack. Make sure a trusted and impartial authority recommends any patches that you do deploy, and pay particular attention to their threat assessment. Such authorities might include your antivirus vendor or CERT.
4. Train and retrain for security regularly
Security is rarely exciting, until a security incident occurs. Then it can become as exciting as jumping off a cliff. Successful security is actually measured by what does not happen. Employees can be expected to develop security tone-deafness. This is why successful companies require basic security training when an employee starts a job, and regular security recertification thereafter. For example, government agencies routinely require employees to take online training once a year that emphasizes facts they largely know, such as not clicking on suspicious links in emails. While employees often find such annual training patronizing, the point of recertification is to keep them mindful and vigilant about security issues. It also gives management some confidence that employees have a basic understanding of security vulnerabilities and of their own role in preventing and controlling them.
5. Keep end user security simple
Creating a security culture requires not just education but following an intelligent security plan tailored to your company. Keep employee access to security information both centralized and simple. Requiring a hardware token such as a YubiKey before an employee can access a company computer is a simple yet effective way to add a layer of security. A help desk — often available on speed dial — is typically the first point of contact for potential security issues. There are other ways to make handling security issues easier. Perhaps your company’s security web page should be bookmarked automatically in all browsers used by your employees. Perhaps each computer monitor should carry a red sticker with the phone number of the security team. A simple email address, like security@mycompany.com, encourages security mindfulness and makes it easy to report incidents or ask questions. Even if most reports turn out to be false alarms, that is a small price to pay compared to a major data breach.