Below is the sixth and final post in a security-focused series written by Flexential's CISO Annalea Ilg. Be sure to check out her earlier posts, “Security Starts at the Top,” “4 Reasons Why You Could Get Hacked,” “Assessing Security Risk at the Intersection of Assets, Threats and Vulnerabilities,” and “Do you know your cybersecurity risk profile?” and “Essential Security Controls.”
Every executive and IT leader knows the importance of having security in place across the organization to ensure valuable data and information remains protected. Why then are so many organizations facing breaches?
Putting the right security solution in place is easier said than done. And just when you put a solution in place, the threat landscape changes, regulations change or your organization’s needs change.
There are a number of different solutions available on the market and companies should consider each differently depending on their specific security needs. For example, some companies have a greater need to stay compliant with industry regulations (such as HIPAA and PCI), while others may find themselves already compromised. Some might be proactively thinking ahead to ensure they’re prepared for a potential breach. Did you know that today it’s not about if you’ll be attacked, or even when you’ll be attacked? Today you need to be ready to be successfully prepared during an attack.
No matter what your company’s specific security needs are, finding the best security approach to address those needs shouldn’t be a daunting process if you keep key security best practices in mind. A few are listed below, and you can find more in our white paper on “How to Protect Your Business in an Insecure World.”
Don’t Store and Handle Sensitive Data – Unless You Have To
One of the easiest ways to minimize security risks is to get rid of the data if you don’t need it. However, this may not always be possible. This is especially true with legacy applications, where it can take some time to segment or remove data. Also, many companies aren’t familiar with how long they need to keep data from a retention period standpoint. If this is the case, network monitoring tools can help companies figure out what data they can remove and when.
Hire or Build an Internal Security Team
Even with the most sophisticated network monitoring tools available, some companies still find it difficult to keep up with the sheer volume of logs that come in. Hiring or building an internal security team that is responsible for monitoring the network’s data will greatly enhance the protection of your company’s vital information.
Augment Staff with Professional Services
For some companies with smaller IT teams, it may be a good idea to augment your staff with a professional security services team. However, only you know the amount of security risks and what type of data that your organization may have. For this reason, it makes sense in some cases to only work with a professional security services team when a security event arises, or if your needs require you to permanently keep a professional team on site. In that case, you should consider having an incident response and forensics team on retainer. It might be difficult to add a line item in the budget for this, but in the long run it will be more cost-effective than trying to get help after you’ve been attacked. And, it will help you restore your operations more quickly.
Partner with a Secure Managed Hosting Provider
For companies that want to run their business and drive revenue without having to worry about maintaining their IT environments, partnering with a secure managed hosting provider makes good business sense. Not all managed hosting providers are the same, and that’s okay – there is a fit for every type of business. But no matter who you choose to work with, make sure to ask the provider about its security posture and if they can provide you with the essential security controls you need for your environment (read more about security controls in my previous blog post in this series). You should also confirm that your provider can deliver audit reports and figure out what solutions they provide that you’d rather self-manage or have them manage for you.
Employ Hybrid Strategies
Hybrid strategies combine safety, security and compliance solutions to get the flexibility you need for your business. With cloud services built on a trusted foundation, you can provision new workloads or move existing workloads between data centers, or from internal private clouds to the public cloud and back again as needed, creating a true hybrid cloud.
Regardless of the security approach you choose for your organization, remember that it’s all about deciding what your business can afford and what you can afford to lose.
I hope this blog series covering several aspects of improving your security posture has been helpful. Comment below with any questions or if you have other topics you’d like me or my colleagues at Flexential's to cover in future blog posts.