Global spending on information security and risk management is forecasted to exceed $150 billion in 2021, so it’s clear that organizations know that security is vital. But how many keep up with the latest security practices and technologies?
Here are seven areas of security vulnerability that IT should focus on:
1. Develop a qualified security staff
Too often, sites rely on their network professionals to ensure and to monitor security. While this is a good practice, it makes sense to hire experts with specific expertise in security, or to train and certify a subset of your staff in security practices and techniques. The goal should be to create an end-to-end security defense and strategy and not a piecemeal security approach that addresses security on a network-by-network or system-by-system basis. This security strategy should look at all of the ways you could possibly be attacked and not just at reactive measures that contain an attack after it has happened so it won't happen again. Sites should also take ownership in a proactive way by defining their own security needs. This should go beyond what their vendors recommend.
2. Take social engineering seriously
Social engineering can be an amorphous term, but it comes down to ensuring that your employees across the company understand sound day-to-day security practices and that they practice them. This is especially important in edge computing environments, where users without IT backgrounds are asked to control technology in plants and remote offices. Malware, ransomware, and viruses are most likely to intrude from the edge, given the number of IoT and network entry points that abound there. One good way to address edge security is to install zero-trust networks that can detect any unauthorized access or installed devices that appear on a network, and then use automation to shut it down. Just as effective is a partnership between IT and HR that ensures that new hires and existing employees are given training in corporate security practices on an annual basis.
3. Keep pace with security technologies and software updates
Security software is continuously evolving to monitor and mitigate the diversity of new threats that emerge each day. System, network, and device manufacturers also continuously upgrade security. It’s easy to put off many of these new updates and feature installations, but in today's world of heightened security concerns, this practice is no longer affordable. CIOs should brief their boards and superiors on the importance of maintaining current security best practices. Budgeting for mission-critical security software should be on the forefront of everyone’s mind. Finally, IT should look for ways to automate and synchronize device security updates by adopting network “push” automation that pushes out security updates to devices automatically.
4. Use auditors proactively and more often
I’ve never met a CIO who relished IT audits, including myself. Nevertheless, IT security auditors can play an important role. They audit your systems for security, and they identify vulnerabilities. They also recommend security best practices and policies for you to adopt. Minimally, sites should perform annual IT security audits, using outside auditors. Preferably, sites should also conduct quarterly mini-audits that focus on a particular aspect of IT security such as social engineering or IT security policy reviews.
5. Vet your vendors’ security practices
Many organizations have moved critical applications and systems to the cloud, or they use SaaS-based applications in the cloud that the vendor maintains and secures. These same companies get victimized when there is a breach of the vendor’s systems and company data is exposed. This is why every company considering a new vendor should include as part of its RFP a thorough review of the vendor’s security practices. Companies should ask prospective vendors for their latest IT security audits. If a vendor is unable to provide a recent audit report, it is advisable to look for another vendor. Finally, after a contract is made, vendor security checks shouldn't stop. On an annual basis, the vendor’s security and practices should be reviewed. Minimally, these policies and practices should conform with your own. If there is a SaaS vendor that uses another vendor’s data center to host its systems, the hosting vendor’s security practices and policies should also be vetted. You should also be clear on where liability lies if the hosting data center that your vendor uses experiences a breach.
6. Review employee termination practices with HR
A major security exposure point for organizations occurs when employees are terminated. When termination is involuntary, there is greater risk that the terminated employee may try to compromise systems. IT and HR should meet annually to review the employee termination process. Is the employee immediately escorted out the door? Who checks to ensure that all IT equipment is turned in and that all system accesses are removed? If the employee is from IT, is there a procedure for ensuring that any possible “back door” accesses to systems are closed?
7. Brief your board
The more you keep your board and other C-level executives briefed on the current security environment and what you are doing to protect it, the greater their understanding of security’s importance and the necessity to plan for and fund it. The CIO should plan to deliver an annual security report to the board and to other executives, and to keep them briefed quarterly on all ongoing security activities and audits.
What to Read Next: