Risk and Threat Mitigation Recommendations

Due to changes in technology, and the exponential growth of information collected, analyzed and stored, companies are finding themselves more susceptible to data breaches as the amount of data collected outpaces the ability to protect it. These breaches are not only costly from a financial standpoint, averaging over $4 million per incident, but are also harmful to a company’s reputation. In addition, privacy failures often trigger legal requirements, slowing down the business and creating enterprise-level headaches. External threats are often top-of-mind when executives search for root cause, placing focus on and investing in cybersecurity and hacker protection, while all along a major culprit is overlooked: their employees. Over the years, research suggests that employee errors account for nearly 60% of privacy failures. As IT/IS leaders, we are all responsible for keeping the organization’s digital information assets safe and secure. It should go without saying that protecting employee and client data should be a top priority for every organization.

As stated above, how security threats are managed will have an impact on everything from operations to reputation, and no one wants to be in a situation where no security plan is in place. If your business still doesn’t have a security plan drafted, here are some tips our Leigh Consultants recommend to our clients in order to create an effective plan. If you already have one - you are on the right track. However, don’t rest on your laurels: periodic assessment, review and stress testing are indispensable if you want to keep it effective and efficient.

Assess the current state of the security environment

It might sound obvious, but you would be surprised to know how many organizations start implementing a security plan without reviewing the policies that are already in place. It’s important to assess previous security strategies, their (in)effectiveness and the reasons why they were dropped. Was it a problem of implementation, lack of resources or maybe management negligence? Once you have reviewed former security strategies, it is time to assess the current state of the security environment. Has it been maintained, or are you facing an unattended system which needs basic infrastructure work? Are there any protocols already in place? How security-aware are your staff and colleagues?

Monitor networks

Network management, and particularly network monitoring, helps spot slow or failing components that might jeopardize your system. A monitoring system must be able to collect, process and present data on the current status and performance of the devices connected. If a detection system suspects a potential breach, it can send an email alert based on the type of activity it has identified. Configuration is key here: perimeter detection is notorious for generating false positives. Antivirus software can help monitor traffic and detect signs of malicious activity. These tools look for specific patterns such as byte sequences in network traffic or multiple login attempts.
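As an added illustration of the "multiple login attempts" pattern mentioned above (this is example code written for this post, not a tool we use or describe elsewhere), the script below scans constructed sshd-style log lines and flags any source address that exceeds a threshold of failed logins inside a sliding time window. The log format, the IP addresses, the threshold of 5 and the 60-second window are all assumptions chosen for the demonstration; the point is that the same data produces different alerts depending on how the threshold and window are tuned, which is exactly where false positives come from.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in an OpenSSH-style format; not taken from any real system.
# 203.0.113.7 fails five times in six seconds; 198.51.100.20 fails five times over forty minutes.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:03 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-03-01T09:00:04 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:06 sshd[2201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-01T09:00:07 sshd[2201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T09:00:09 sshd[2201]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
2024-03-01T09:05:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2024-03-01T09:12:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 40003 ssh2
2024-03-01T09:20:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 40004 ssh2
2024-03-01T09:31:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 40005 ssh2
2024-03-01T09:45:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 40006 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional in sshd output.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("user")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: peak_count} for every source that reaches `threshold`
    failed logins inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = {}
    for ts, src, _user in parse_failures(text):
        q = recent[src]
        q.append(ts)
        # Drop attempts that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    # Tight window: only the rapid burst is flagged.
    print("60s window:  ", detect_bruteforce(SAMPLE_LOG))
    # Loose window: the slow, spread-out failures are flagged too.
    print("3600s window:", detect_bruteforce(SAMPLE_LOG, window_seconds=3600))
```

With the default 60-second window only 203.0.113.7 is flagged; widening the window to an hour also flags 198.51.100.20, whose five failures might be a user mistyping a password or a deliberately slow guessing attempt. Whichever it is, the alert rule itself cannot tell the two apart, which is why the thresholds need to be reviewed against your own traffic rather than copied from a default.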

Collaborate with colleagues and stakeholders

Talent can come from all types of backgrounds. Successful projects are practically always the result of effective teamwork where collaboration and communication are key factors. Invite users to be part of a design thinking approach that creates a feedback loop for sharing insights on how security and training can be improved through continuous testing and training. Shared ownership on matters of security risk and threat can help IT/IS teams identify unique risk and threat scenarios only applicable to that organization. Build a collaborative approach into risk reduction by rewarding behaviors that align with the organization’s security policies. Be transparent about the impact these behaviors have on the overall organizational key performance indicators, and about the consequences if security risk is not treated as paramount on both an organizational and an individual basis.

Set security measures and controls

Once you have determined all the risks and vulnerabilities that can affect your security infrastructure, it’s time to look for the best solutions to contain them. Prevention, detection and response are the three golden words that should have a prominent position in your plan.

In the case of a cyber-attack, organizations need to have an effective response strategy in place. It should explain what to do, who to contact and how to prevent this from happening in the future. Keep good records and review them frequently.

Part of the IT/IS teams’ responsibilities is keeping the data of employees, customers, and users safe and secure. It is important for IT/IS leaders to familiarize themselves with relevant data protection legislation and go beyond it - there are hefty penalties in place for failing to meet best practices if a breach does occur. While meeting the basic criteria will keep you compliant, going the extra mile will have the added benefit of enhancing your reputation and integrity among clients and colleagues. And again, if a breach does take place - at least you will be able to point to the robust prevention mechanisms that you have put in place.

Use spreadsheets or trackers to record your security controls. Make them live documents that are easy to update, while always keeping records of past actions: don’t rewrite, archive. Ensure end-to-end security at every level of your organization and within every single department. Protect files (digital and physical) from unauthorized access. Create a data map which can help locate where and how files are stored, who has access to them and for how long they need to be kept. You might have been hoarding job applications for the past 10 years, but do you really need them - and is it legal to do so?

In a mobile world where all of us access work email from our smartphones or tablets, setting ‘bring your own device’ policies is just as important as any other policy regulating your office activity. Depending on your sector you might want to focus your security plan on specific points. Whereas banking and financial services need an excellent defense against fraud, internet or ecommerce sites should be particularly careful with DDoS. Of course, a threat can take any shape. In any case, cybersecurity hygiene and a comprehensive anti-data-breach policy are a must for all sectors.

Create a dynamic security culture

This is probably the most important step in your security plan as, after all, what’s the point of having the greatest strategy and all available resources if your team is not part of the picture?

As IT/IS leaders, it’s your duty to carry the security banner and make sure that everyone in your organization is well informed about it. Security starts with every single one of your employees - most data breaches and cybersecurity threats are the result of human error or neglect.

Make training available for all staff, organize refresher sessions, produce infographics and resources, and send regular emails with updates and reminders. There are options available for testing the security knowledge of your staff, too, such as simulated phishing emails that will raise an alert if opened. While you should be watching for hackers trying to infiltrate your system, a member of staff plugging in a USB device found in the parking lot can be just as harmful. Emphasize the fact that security is everyone’s responsibility, and that carelessness can have devastating consequences, not only economic but also in terms of your business reputation. Data breaches are not fun and can affect millions of people. Securing the business and educating employees has been cited by several companies as a concern.

Awareness is the key!

Consider DevSecOps (Development, Security and Operations)

Whenever possible, take full advantage of the agility and responsiveness of a DevOps (Development and Operations) approach. As stated in previous blogs, IT security must also play an integrated role in the full cycle of your apps - after all, DevOps isn't just about development and operations teams.

DevSecOps (Development, Security and Operations) gets developers to think more about security principles and standards as well as giving them further ownership in deploying and monitoring their applications. It can also build security testing into your development process by making use of tools that can automate processes where possible. DevSecOps implies thinking about application and infrastructure security from the start.

Selecting the right tools to continuously integrate security can help meet your security goals, but effective DevOps security requires more than new tools - it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.

Review your budget

Yes, unsurprisingly, money is a determining factor when implementing your security plan. Whereas changing passwords or encrypting documents is free, investing in adequate hardware or switching IT support can affect your budget significantly.

Computer security software (e.g., anti-spyware, an intrusion prevention system or anti-tamper software) can be an effective tool that you might need to consider when drafting your budget. Prioritize: while antivirus software or firewalls are essential to every single organization that uses a computer, security information management (SIM) might not be relevant for a smaller business.

Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills.

Be transparent

Transparency is another crucial asset, and it helps towards building trust among your peers and stakeholders/users. Collaborating and taking a design thinking approach to delivery of a software/security solution can help put a secure plan in place while also meeting the security standards of the company.

And if you face a data breach or cyberattack, remember that transparency can never backfire. When handling an incident, the more transparent you are, the more trust you can maintain with your stakeholders.

Happy Security Month!

Dr. Ralph B. Manyara 

Head of Leigh Consulting - PMO and Cybersecurity services 
