Reducing InfoSec Threats Takes a Village
Cybercrime is a growing threat to corporations, governmental agencies and individuals throughout the world. In 2021 alone we’ve seen data breaches impact many Fortune 500 companies. Chief executive officers and chief technology officers know this is a potentially existential threat both for their companies and for them professionally.
As a result, executives are looking to their IT and security leadership for answers. Those charged with securing a company’s technology infrastructure and data must understand the threats and weaknesses most likely to harm the organization, not just the ones that make headlines. Breaches can impact employees, clients, partners and customers—and everyone they come into contact with—by exposing sensitive data, personally identifiable information (PII) and more.
But it’s not solely the responsibility of the information security team; the entire C-suite and all the company’s employees must be involved in information security and cybersecurity—it takes the entire company ‘village’ to ensure security. Based on years of experience in the field, I recommend taking these four steps to protect your company, both now and in the future.
Secure Senior Executive Support
C-level executives must be part of corporate security planning. It starts with the senior information security leadership, which must give an accurate picture of the risk in the current corporate environment without hyperbole or exaggeration. The challenge is to build a pragmatic ROI business case that the C-level team will accept. While the IT team and the InfoSec team must be mutually supporting partners, keeping a healthy separation of duties between them is an industry best practice: the people who own and operate the systems should not be the only ones reporting on how secure those systems are, or the risk picture presented at the senior level will be distorted.
Assess all Vulnerabilities and Threats
It’s difficult to fix something when you don’t know where the problem lies. A common way to reason about risk is the equation Risk = Threat × Vulnerability × Impact: a weakness with no credible threat, or a threat with no exploitable weakness, carries little risk, while a weakness that is easy to exploit, actively targeted and sits in front of critical data carries a great deal. Once you understand where those combinations exist, you can develop a strategy that addresses the highest-risk areas first. Any good penetration tester or white hat hacker can identify and prioritize your vulnerabilities with a risk-based approach from the outside in. Rarely is a major security event caused by a zero-day, meaning a flaw in IT software or hardware that was not previously known. Some of the most serious data security breaches involved vulnerabilities that had been known about, and had fixes available, for well over a year.
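The prioritization the paragraph describes can be made concrete as a small risk register. The following is an added example, not code from the original article: it scores each finding with the multiplicative form Risk = Threat × Vulnerability × Impact on 1–5 scales (the scales, the 365-day staleness threshold, and the four sample findings are all constructed assumptions for illustration), ranks findings by score, and separately flags those that have been known for more than a year, which is the page’s point that long-known flaws, not zero-days, cause most major breaches.

```python
from dataclasses import dataclass

# Assumption for this example: anything known for more than a year is "stale",
# i.e. the kind of long-known flaw the article says causes most major breaches.
STALE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    name: str
    threat: int          # likelihood an attacker actually targets this (1-5)
    vulnerability: int   # ease of exploitation / degree of exposure (1-5)
    impact: int          # business impact if exploited (1-5)
    known_for_days: int  # how long the organization has known about it


def risk_score(f: Finding) -> int:
    """Risk = Threat x Vulnerability x Impact, range 1-125 on 1-5 scales."""
    for label, v in (("threat", f.threat), ("vulnerability", f.vulnerability), ("impact", f.impact)):
        if not 1 <= v <= 5:
            raise ValueError(f"{f.name}: {label} must be 1-5, got {v}")
    return f.threat * f.vulnerability * f.impact


def prioritize(findings):
    """Highest risk first; among equal scores, the longer-known finding comes first."""
    return sorted(findings, key=lambda f: (risk_score(f), f.known_for_days), reverse=True)


def stale(findings):
    """Findings known for longer than STALE_DAYS, regardless of score."""
    return [f for f in findings if f.known_for_days > STALE_DAYS]


def report(findings):
    """One line per finding in priority order, marking stale ones."""
    lines = []
    for f in prioritize(findings):
        flag = " STALE" if f.known_for_days > STALE_DAYS else ""
        lines.append(f"{risk_score(f):3d}  {f.name}{flag}")
    return lines


# Constructed sample findings (not real data): note that the speculative zero-day
# ranks well below two long-known, easily exploited issues.
SAMPLE = [
    Finding("Unpatched internet-facing web framework with public exploit", 5, 5, 5, 400),
    Finding("Possible zero-day in an internal reporting tool", 2, 3, 4, 0),
    Finding("Contact-center agents can view full payment card numbers", 4, 4, 5, 600),
    Finding("Default credentials on a test-lab switch", 2, 5, 2, 30),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The ordering is the useful output: the two findings that have sat unfixed for over a year outrank the hypothetical zero-day, which is exactly where a risk-based assessment should send the first remediation effort.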
Other major breaches are the result of an inside job. For example, in contact centers, agent fraud is a big challenge. Research firm Frost & Sullivan points out in its report, Engineering a Culture of Security Consciousness in Customer Service, that “agent fraud, within captive or outsourced contact centers, represents the most significant threat,” because employees can gain access to private data even where they have no need to know it.
Therefore, it is critical for companies not only to assess their IT infrastructure and software for vulnerabilities but also to evaluate their business processes to reduce risk. A classic example is to engineer the handling of payment information out of the service delivery process so that a business-to-customer agent never needs to hear or process it: data an agent cannot see is data an agent cannot misuse or leak.
Build a Plan of Attack
A few years ago, Ginni Rometty, former CEO and president of IBM, bluntly stated that “Cybercrime is the greatest threat to every company in the world.” To reduce security risks, companies must build a strategy to address their vulnerabilities and ensure they are investing in the right technologies to address the threat.
Aligning to industry best practices and standards provides a great frame of reference when building this strategy. Prioritize adherence to standards such as the ISO/IEC 27000 family (notably ISO/IEC 27001), the NIST SP 800 series, COBIT, the HITRUST CSF and the CIS Controls to start with.
Never Let Your Guard Down
Preventing security attacks on your company’s network is a 24x7x365 job. It’s the IT leader’s obligation to stay one step ahead of cybercriminals and to create, implement, reinforce and constantly update best practices to prevent breaches. Additionally, it’s critical to educate your employees about the latest security measures. As penetration testers and white hat hackers will tell you, most successful cyberattacks depend on an employee making a mistake, such as clicking a phishing link or reusing a password, so adopting a policy of continuous learning will help strengthen your company’s defenses.
Commit to Information Security
Many large, global companies have had highly publicized security breaches in the past few years, earning more than their fair share of negative headlines. High-profile incidents can damage a company’s reputation, result in financial loss, and even lead to legal liabilities. Dedicating the necessary resources to a comprehensive security program is the best way to protect your employees, customers, partners and company from those who aim to do harm.