Below is the first post in a security-focused series written by Flexential CISO Annalea Ilg. Subscribe to this blog to ensure you receive the next blog posts in this series, which cover risk assessment, security controls, security best practices and other topics to help you improve your security posture.
Security breaches make the headlines every week, and many of them start with simple vulnerabilities that are easy to exploit. Attackers can be very skilled, but in most cases companies are making it too easy for them to gain access.
Breach notifications have helped companies understand the reality of poor security measures, but it is still too easy for a security roadmap and its improvements to be deprioritized until the company falls victim to an attack. Companies are struggling with their own day-to-day operations, and security is second, or even tenth, in line by priority. Protecting your organization needs to be prioritized and included in the budget. It needs to be discussed at the executive level and assessed.
A security strategy needs to align with the business strategy. It needs to be a foundational component of planning, projects, products and culture. A security strategy can start at identifying the need for a risk assessment, or it could set out to address improvements that are necessary once your organization knows its risks. Once a strategy is aligned, understanding the requirements and budget needed to protect the assets is critical. A security initiative won’t move forward without executive buy-in, diligence, assessment and budget allocation.
For more details about the security landscape, why security programs fail and how to get started and maintain a mature security posture, click here to see the recording of our IT Transformation through Security webinar.
Every Company is at Risk
Whether your company handles sensitive data or not, a security breach can still cause dire consequences.
One of the first security rules I learned was, “If you don’t need the data, don’t store it.” (Comment below if you can think of other similar security axioms.)
That rule still holds true. However, some companies feel they are not at risk because they aren't storing sensitive data. The truth is, your company is at risk whether you store sensitive data or not.
Attackers love companies that don't think they are at risk. These companies don't patch, they don't monitor, and they certainly don't review their firewall rules or look at their logs. In general, they aren't paying attention. Attackers use these companies as a stepping stone to reach bigger fish (the third parties they do business with), or attack them simply because they can. No matter the size of the company, an attack causes problems and costs big dollars to correct. We highlight just a few statistics related to cybersecurity risk in this infographic.
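As an added illustration of the "review their firewall rules" point above (example code written for this edit, not from the original post or from Flexential), here is a small audit that walks a list of inbound rules and flags the ones an unattended company typically accumulates: any/any allows, admin services reachable from the whole internet, and allows from very broad source ranges. The rule format, the list of admin ports and the /16 "too broad" threshold are assumptions made for the example; the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from the whole internet.
# Assumption for this example: adjust to your own environment.
ADMIN_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5432: "postgres", 5985: "winrm", 5986: "winrm-https",
    6379: "redis", 27017: "mongodb",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, assumed format."""
    name: str
    action: str     # "allow" or "deny"
    direction: str  # "in" or "out"
    source: str     # CIDR, e.g. "0.0.0.0/0", "::/0", "203.0.113.0/24"
    port: str       # "22", "1000-2000" or "any"
    protocol: str   # "tcp", "udp" or "any"


def port_range(spec: str) -> tuple[int, int]:
    """Turn a port spec into an inclusive (low, high) range."""
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    port = int(spec)
    return port, port


def audit_rule(rule: Rule) -> list[tuple[str, str, str]]:
    """Return (rule name, severity, detail) findings for a single rule."""
    if rule.action != "allow" or rule.direction != "in":
        return []  # deny rules and egress rules are out of scope for this check
    net = ipaddress.ip_network(rule.source, strict=False)
    lo, hi = port_range(rule.port)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the entire internet
        if (lo, hi) == (0, 65535):
            return [(rule.name, "critical",
                     "any port from any source (any/any inbound allow)")]
        exposed = [f"{ADMIN_PORTS[p]}/{p}" for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
        if exposed:
            return [(rule.name, "high",
                     "admin service reachable from the internet: " + ", ".join(exposed))]
        return []  # e.g. 443/tcp from anywhere is normal for a public web server
    if net.prefixlen < 16:  # assumed threshold: broader than a /16 deserves a second look
        return [(rule.name, "medium",
                 f"source {rule.source} is broader than a /16; narrow it to known ranges")]
    return []


def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Audit every rule and return findings, most severe first."""
    findings = [f for r in rules for f in audit_rule(r)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return findings


# Constructed sample rule set, typical of a firewall nobody has reviewed in a while.
SAMPLE_RULES = [
    Rule("allow-all-in", "allow", "in", "0.0.0.0/0", "any", "any"),
    Rule("rdp-from-internet", "allow", "in", "0.0.0.0/0", "3389", "tcp"),
    Rule("rdp6-from-internet", "allow", "in", "::/0", "3389", "tcp"),
    Rule("web-from-internet", "allow", "in", "0.0.0.0/0", "443", "tcp"),
    Rule("ssh-from-office", "allow", "in", "203.0.113.0/24", "22", "tcp"),
    Rule("db-from-big-range", "allow", "in", "100.64.0.0/10", "5432", "tcp"),
    Rule("deny-all", "deny", "in", "0.0.0.0/0", "any", "any"),
]

if __name__ == "__main__":
    for name, severity, detail in audit(SAMPLE_RULES):
        print(f"[{severity.upper():8}] {name}: {detail}")
```

The point of the example is the triage order: the any/any rule is what an attacker scanning the internet finds first, the exposed RDP rules are what ransomware crews actually use, and the broad-range database rule is the kind of thing that only shows up when someone sits down and reads the rule base. Rules like "web-from-internet" and "ssh-from-office" produce no finding, which is the behaviour you want from a review that is meant to be run regularly rather than ignored.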
More than Privacy Breaches
Many companies think of security narrowly, as having information stolen or being extorted in a ransomware attack. But what if cybercriminals are using your environment silently, abusing your storage to host illegal content or using your systems as part of a bigger attack on someone else? Everyone has a secret sauce, and everyone needs to keep their data available and secure.
I alluded to it here, but in my next post I'll address the various potential reasons behind an attack. In the security support we provide to clients each day, clients often want to know why they were attacked. After that, I'll share my thoughts on assessing your risks and beginning to develop a security strategy. Stay tuned for those posts, and subscribe to this blog to receive a notification when they are posted.
In the meantime, share your comments and war stories. Do you agree that most organizations are thinking narrowly about security? Has your organization experienced problems that perhaps didn’t result in a full-blown disaster but certainly caused headaches?