Security isn’t just about the latest technical controls or the newest threat. Rani Johnson talks about two areas of security she thinks should get more emphasis.
If you walk the floors of most security conferences, you’ll get to see the latest technology from vendors in the space. You’ll see new tools and talk to people extolling the virtues of the latest security techniques. Sit in panels, and you’ll hear about current threat types, the latest technology (that may not be vendor-specific), and some operational challenges. These talks gather crowds—and get picked up in the press afterwards.
Yet, security isn’t just about the latest technical controls or the newest threat types. Today, I want to talk about two areas of security I think should get more emphasis—focusing on a smart, risk-based approach and the importance of practice.
Take a risk-based approach to help balance security and convenience.
If you’re an IT professional, priority number one is facilitating your organization’s day-to-day business operations. You need to keep the business secure, but you don’t want to slow productivity or put up needless obstacles for the sake of applying a security policy.
Not all assets require the same level of security. Rather than applying one policy uniformly, make sure every asset meets a minimum baseline, then add stronger controls for the assets and people that carry more risk.
Let’s say you’re deciding how to set up access rights for employees. Systems administrators have a high level of access to sensitive data and systems, so you should put more safeguards on their accounts than on, say, a graphic designer who doesn’t work with sensitive data. For example, if a sysadmin logs in from home rather than from the corporate network, you might require multifactor authentication (MFA) in addition to their usual credentials, and possibly a security question as well; bear in mind that security questions are knowledge-based and often guessable, so treat them as a supplement to a hardware or app-based factor, not a substitute for one. You might also add monitoring to their accounts so that anomalous or unauthorized activity is flagged quickly. If you apply the same level of security to the designer, you’ll just put an anchor on their productivity and annoy them in the process.
Before you settle on a security strategy, map out every asset you’ll need to manage and every user account you’ll need to create. Then figure out which of them would be most attractive to cybercriminals if compromised, and layer additional controls around those. By focusing on the areas of greatest risk, you reduce your breach exposure while still enabling productivity across the organization.
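The tiering exercise above is easier to reason about when the rules are written down. The following is an added illustration, not code or a scoring scheme from the original post: it takes a small constructed inventory of accounts, scores each one on privilege, data sensitivity and internet exposure (the weights and tier thresholds are assumptions chosen for the example), applies a baseline every account gets, and layers extra controls, including off-network step-up authentication, only onto the higher tiers.

```python
from dataclasses import dataclass

# Constructed sample inventory for illustration; the attributes, weights and
# thresholds below are assumptions for the example, not a published standard.


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    privilege: int          # 0 = none, 1 = limited, 2 = broad administrative access
    data_sensitivity: int   # 0 = public, 1 = internal, 2 = regulated or secret
    internet_exposed: bool  # account routinely used from outside the corporate network


# Controls every account must meet regardless of tier (the "minimum baseline").
BASELINE_CONTROLS = ("mfa_required", "endpoint_protection", "awareness_training")

# Additional controls layered on by tier. Only the high tier gets off-network
# step-up authentication and privileged-session logging.
TIER_CONTROLS = {
    "low": (),
    "medium": ("login_alerting",),
    "high": (
        "phishing_resistant_mfa",
        "step_up_auth_off_network",
        "privileged_session_logging",
        "quarterly_access_review",
    ),
}


def risk_score(acct: Account) -> int:
    """Weighted score: privilege dominates, then data access, then exposure (assumed weights)."""
    return acct.privilege * 3 + acct.data_sensitivity * 2 + (2 if acct.internet_exposed else 0)


def risk_tier(score: int) -> str:
    """Map a score onto three tiers (thresholds are assumptions for the example)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def required_controls(acct: Account) -> tuple[str, tuple[str, ...]]:
    """Return the account's tier and the full control set: baseline plus tier extras."""
    tier = risk_tier(risk_score(acct))
    return tier, BASELINE_CONTROLS + TIER_CONTROLS[tier]


def step_up_required(acct: Account, from_corporate_network: bool) -> bool:
    """Decide whether a login needs step-up verification: only high-tier accounts, only off-network."""
    _, controls = required_controls(acct)
    return "step_up_auth_off_network" in controls and not from_corporate_network


def tier_inventory(accounts: list[Account]) -> dict[str, list[str]]:
    """Group account names by tier so the riskiest ones are easy to review first."""
    grouped: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for acct in accounts:
        grouped[risk_tier(risk_score(acct))].append(acct.name)
    return grouped


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", "systems administrator", privilege=2, data_sensitivity=2, internet_exposed=True),
    Account("bob", "graphic designer", privilege=0, data_sensitivity=0, internet_exposed=False),
    Account("carol", "finance analyst", privilege=1, data_sensitivity=2, internet_exposed=False),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        tier, controls = required_controls(acct)
        print(f"{acct.name:6} {acct.role:22} tier={tier:6} controls={', '.join(controls)}")
    print("step-up for alice from home:", step_up_required(SAMPLE_ACCOUNTS[0], from_corporate_network=False))
    print("step-up for bob from home:  ", step_up_required(SAMPLE_ACCOUNTS[1], from_corporate_network=False))
```

The point of keeping the baseline separate from the tier extras is that adding a new control for everyone (say, a new endpoint agent) is one edit, while tightening only the high tier is another; the designer never inherits the sysadmin's step-up prompt just because both rules live in the same policy.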
Policy and training matter, but practice is what makes perfect.
Technical controls only take you so far. You need to pay attention to the human element as well. This means setting sound security policies and training employees on the essentials: creating strong passwords, recognizing phishing, and exercising caution when transferring data. However, training can’t stop with one or two sessions; people learn and change behavior through repetition, which requires constant practice. Remember, you want to build a strong security culture for your organization.
Consider sending periodic email reminders to your organization about security best practices. For example, one month you could remind them of the importance of password security, and the following month you could point out the signs of potential phishing scams. This helps keep employees safe while also reinforcing your team’s value to the organization. You could even look for a phishing simulation solution that sends convincing fake phishing emails to test people’s readiness, and offer additional training to those who mistakenly click on them. However, if you do any testing or simulations, consult with legal counsel to make sure you have the appropriate forms and permissions from your employees and your organization.
It’s also important to make sure your team prepares for security incidents. You should start out by setting a strong incident response (IR) plan. When training your team, they should know what they’ll do during a security crisis, what roles they’ll play, and how they’ll communicate with each other and the wider organization.
Don’t stop there. You also want to practice and drill for these scenarios. In my experience, when people first face a new security challenge (or even their first security incident), they tend to freak out. Even if the incident is minor, new technicians can panic, slowing down response times and increasing the chances of making mistakes. If you want your team calm and clear-headed, run through incident response drills by simulating cyberattacks. Not only will this help your team during an actual crisis, but you may also spot holes in your current IR process. For example, you may find that some team members need additional training, or that the team needs additional tooling to push out patches more quickly.
Are you forgetting something?
Sometimes, you can get so wrapped up in your day-to-day responsibilities that it’s easy to lose sight of some important elements of security. Don’t forget to focus on risk to help strike a balance between security and convenience. Additionally, make sure to periodically remind employees of security best practices, and drill your team on potential incidents before a crisis hits. These tips can help keep your employees safe and productive.