Last year was a bad year for cybersecurity. Remember the Equifax breach? Wannacry? And more phishing attacks to count? Breaches have gotten bigger, hackers have gotten smarter, and security teams and budgets are struggling to keep up.
We’re only into the first quarter of 2018, and already we’re seeing new hardware vulnerabilities emerge with Meltdown and Spectre. Like a virus evolving to survive antibiotics, hackers are evolving their techniques to get past current security measures.
If you’re a CEO, gone are the days you can take a “set it and forget it” approach to IT security. CEOs must understand that security is now a constantly evolving area that requires a strong foundation and a wide range of resources to address the day-to-day issues that do arise for all organizations.
Managing risk appropriately requires dedication on several fronts. If you’re a CEO, how do you take appropriate steps to make sure your people and data are protected? Here’s where I’d start:
1. Make sure the basics are covered
Start with a solid foundation and process-driven maintenance. It seems obvious, but it’s amazing how often this isn’t done. Specifically:
- Keep systems patched to minimize security holes
- Perform routine vulnerability scans to manage identified risks appropriately
- Ensure your security systems/appliances are continually updated
- Segment the network and only allow traffic between networks that are needed
- Protect administrator credentials with vigor
2. Keep systems accessible only to users that require access
Not everyone should have access to everything. Again, this seems basic, but many companies don’t take the time to assign rights to only those who need to know. As a result, they find themselves under attack after someone inadvertently clicked a link they shouldn’t have. These types of issues don’t even require administrator-level access and could be impossible to trace if exploited. Limiting access will minimize attack vectors. Specifically:
- Separate user accounts and administrator accounts
- Minimize the use of administrator accounts
- Don’t give users local administrator access
- Minimize potential damage if an account is compromised
3. Keep the Business in the loop
As George Bernard Shaw said, “The single biggest problem in communication is the illusion that it has taken place.” IT and non-IT business sectors sometimes don’t communicate as often or clearly as they should. When it comes to something as critical as protection, make sure someone in IT keeps the business informed of current security threats so the risks can be managed appropriately. That being said, bridging the gap between business and IT is a two-way street. The business also needs to tell IT what the most important assets are to protect – IT shouldn’t make those decisions in a bubble.
If you’re interested in learning more about our approach to cybersecurity for midsize businesses, contact us to connect with our team. You can also take advantage of our special offer – SCORE – a data-driven approach to threat-based assessment to show you how well your organization’s most valuable assets are protected.