Generals always plan to fight the last war. While there isn't really an originator for this aphorism—it's been traced to two or three different sources in roughly the same time frame—it's a valuable piece of cautionary wisdom all the same. Many IT professionals in mid-market businesses find themselves in a similar position. In planning to meet their security needs, they often base those plans on the “last war”, or what the hackers and other bad actors were doing that worked last time. In order to get anywhere, we need to get beyond the “last war” and get ready for the next.
How Do I Plan for the “Next War” in Security?
Survey the landscape
No plan worth making is made without knowing what's going on. Consider how your network is built, what kinds of security measures you're currently using, and what kinds of security measures you may want in place.
Are all your security efforts focused on perimeter defense? If so, consider data encryption to provide extra security in the event of a breach.
Has it been a while since you last upgraded systems? Are you regularly keeping up with software patches? Understanding what you're doing right now will help you lay out your plan and decide what it should include.
Set priorities early on
If everything is a priority, then nothing is. It will be vital to any future planning to set up priorities for defense. The best place to start considering what must be protected is the “crown jewels” of your company's data.
What must be protected at all costs? Is it customer data? Is it blueprints and patent documentation? Whatever it is, consider how you will protect that data first, and then move on to data that doesn't require so much protection.
By the time you've finished prioritizing, you'll have a better understanding of how to lay out your defensive systems.
Check your legal risks
Depending on your line of work, you may have certain legal requirements regarding data. Healthcare firms, for example, are governed by the Health Insurance Portability and Accountability Act (HIPAA) provisions that seek to protect patient data, while financial sector firms have a range of legal requirements to consider in not only keeping customer data safe but also releasing certain documentation in efforts to maintain transparency.
Granted, not every business has regulatory requirements attached to its everyday operations, but knowing just what regulators expect of firms in your industry may help shape your future planning.
Consider the threat from within
Your own employees may be the biggest threat to your company. Threats from your employees can be broken down into two basic categories: direct insider threats and inadvertent threats.
Block direct insider threats
It's a safe bet you haven't hired a hacker, though it's not outside the realm of possibility that someone may have taken a job with you just to get access to your valuable data. Employees require access to data; it's part of the job.
- If an employee decides to sell some of that data to make up for the raise he or she didn't get, it's hard to stop. What's more, a 2016 study found that one in five employees would be willing to sell login credentials, and nearly half—44%—would do so for less than $1,000.
- A hacker with genuine login credentials has direct access to everything that employee had access to, which means you need to be prepared on that front. It's another good case for encrypting data, making it useless to those outside the system.
Protect against the inadvertent threat
Even if your employees aren't willing to sell hackers login data for comparatively cheap, there are still plenty of threats that employees may not even know about.
- Have you trained your employees lately on the risks of opening email attachments? If not, they're putting you at risk of phishing attacks. Does one of your employees think, as the Pointy-Haired Boss once did in a Dilbert strip, that “foursome” is a perfectly valid password because it has numbers and letters and is at least eight characters? That's an easy brute-force attack for a hacker; howsecureismypassword.net says “foursome” would take about five seconds to crack.
- Most inadvertent threats can be addressed with proper training, and there are software tools in some cases that can fill in the gaps. Password managers allow for passwords of nigh-uncrackable length and complexity, while remote wiping systems turn a lost laptop or smartphone into a largely useless device.
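The two bullets above make a quantitative claim: an eight-character lowercase word is cheap to guess, and a manager-generated password is not. The following is an added example (not code from the original post or from UTG) that puts numbers on that claim from the defender's side: it estimates a password's keyspace and the time an attacker would need to exhaust it, flags dictionary words, and applies a simple acceptance policy of the kind a password manager or onboarding checklist would enforce. The guess rate, the minimum length, the 60-bit threshold and the tiny wordlist are all constructed assumptions for illustration; real cracking wordlists run to millions of entries, and the crack time for “foursome” quoted by howsecureismypassword.net will differ because it assumes a different guess rate.

```python
"""Password strength estimation: why a dictionary word fails a policy and what a
manager-generated password buys you. All rates and thresholds are assumptions."""
import math
import string

# Assumption (constructed for this example): an offline attacker working against
# a fast, unsalted hash tries roughly 10 billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10

# Constructed miniature wordlist standing in for the multi-million-entry lists
# that cracking tools ship with. A word on such a list falls in a few guesses,
# regardless of what the keyspace arithmetic below says.
COMMON_WORDS = {"password", "foursome", "letmein", "welcome", "qwerty"}

# Policy thresholds (assumed): at least 12 characters and at least 60 bits of keyspace.
MIN_LENGTH = 12
MIN_BITS = 60.0


def charset_size(password: str) -> int:
    """Size of the union of the standard character classes the password draws from."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Keyspace in bits, assuming every position is drawn uniformly from the charset.
    "foursome" -> 8 * log2(26) = about 37.6 bits."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def brute_force_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace at the assumed rate (the attacker's worst case)."""
    return charset_size(password) ** len(password) / rate


def is_dictionary_word(password: str) -> bool:
    return password.lower() in COMMON_WORDS


def evaluate(password: str) -> dict:
    """Apply the assumed policy and explain every reason for rejection."""
    bits = entropy_bits(password)
    reasons = []
    if is_dictionary_word(password):
        reasons.append("dictionary word")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if bits < MIN_BITS:
        reasons.append(f"only {bits:.0f} bits of keyspace")
    return {
        "password": password,
        "bits": round(bits, 1),
        "brute_force_seconds": brute_force_seconds(password),
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The Dilbert password beside a constructed manager-generated one.
    for candidate in ("foursome", "xK7#pQ2mLz9!wB4v"):
        result = evaluate(candidate)
        verdict = "OK" if result["acceptable"] else "REJECT: " + ", ".join(result["reasons"])
        print(f"{candidate:20} {result['bits']:6.1f} bits "
              f"{result['brute_force_seconds']:12.3g} s to exhaust  {verdict}")
```

The point the numbers make: “foursome” has about 37.6 bits of keyspace, so even exhaustive search finishes in seconds at the assumed rate, and the dictionary check rejects it before any arithmetic matters. The 16-character mixed-class string clears 100 bits, which is why handing password generation to a manager is the practical fix rather than asking staff to memorise longer words.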
Build the plan to match
While security is a front-and-center concern for most companies, and mid-market companies need to be especially concerned, actually building the plan is where a lot of those efforts fall down. Just 45% of mid-market companies have a recently-updated defense plan, according to an NCMM study, and without a plan that reflects up-to-date concerns, all you're doing is, once again, preparing to fight the last war. This is the time when you take all those issues that you've identified in the previously-mentioned points and build your plan around them accordingly.
How Do I Get Started Setting Up These New Security Plans?
If you're ready to be proactive instead of reactive about security, then it's a good time to get in touch with us at UTG. We have a wide range of options available in both security and compliance, allowing us to stage a complete, holistic approach to your security needs. We don't stop at single-product solutions addressing one major problem that someone else already found; we focus on a strategic approach that helps you better plan for tomorrow's needs by addressing the entire system's concerns at once. So stop planning to fight the last war, and get ready for tomorrow's threats today.