Ten Low Cost Ways to Reduce Your Security Risk
Protecting your organization is expensive. Leaders are encouraged, and sometimes compelled, to provide additional resources to counter threats. As the cost of data breaches rises, regulators, customers, and business partners demand that you protect the data you control. In turn, you require your vendors to protect your data. Is substantial investment sustainable, and is it the only response to growing information security risk?
While ongoing investment is necessary and prudent, focusing on foundational controls may help lower your risk at very little cost. This article highlights ten cost-conscious security controls you can implement without breaking your budget. While the scope and depth will vary, implementing foundational controls can help protect any business. Let’s begin with one of the most important security controls.
1. Enforce least privilege
In all cases, employees should have only the minimum access needed to perform their duties. This includes leaders, managers, and especially system administrators with privileged access. Decisions to permit access to sensitive information, data, systems, software, and applications should be based on a defined business need, not on title or perceived need. For example, a manager may only require permission to read sensitive data, not to change it. Managers should periodically review access and make adjustments.
2. Separate duties
Separating duties helps prevent an individual from intentionally or unintentionally damaging your organization, because causing harm would require collusion. For example, another qualified employee should review and approve changes to critical systems. In addition, administrators should not have permission to disable audit functions or edit security logs. Separation of duties also ensures that no one person has full autonomy over an entire business process.
3. Implement an incident response plan
Leaders should plan to succeed by implementing and testing a security incident response plan. Your organization should assemble key leaders and stakeholders well before the inevitable security incident occurs. Hosting internal planning sessions and tabletop exercises can highlight shortfalls and prepare the organization to detect, respond to, and recover from intentional or unintentional incidents.
4. Recognize positive behavior
An organization with a culture of security awareness should recognize employees who identify security threats, vulnerabilities, and violations. Leaders should encourage employees to identify risks before an attacker exploits a vulnerability. Recognizing employees for their contribution promotes a shared responsibility mindset.
5. Address negative behavior
Leaders should immediately address security violations. Security policy and standards should be uniformly known and non-selectively enforced throughout the organization. Depending on the violation’s impact, leaders should consider the full range of actions, including termination of employment. Unenforced policy may have a damaging effect on the organization and could lead to repeated and more serious violations. For example, if an employee shares her login credentials with another employee, a leader should act immediately to correct this behavior.
6. Develop actionable policy and procedures
Security policy and procedures outline expectations and rules for acceptable conduct. For example, an effective countermeasure against business email compromise scams is to implement a policy that requires out-of-band verification for all money transfers. Establishing internal governance helps leaders demonstrate due care to protect the organization.
7. Impose a Clean Desk/Clear Screen policy
Employees should securely store information and lock their computer screen when they leave their work area to prevent information theft, compromise, and unauthorized access or viewing. For example, managers may perform end-of-day checks to ensure sensitive information is protected.
8. Destroy unneeded information and data
A fully implemented and enforced data retention policy lowers risk. Storing sensitive data that is not required for a specific business purpose expands the pool of data that may be compromised. For example, leaders should review sensitive data and identify for destruction any data that has no current legal, regulatory, contractual, or internal business retention need.
9. Educate and train your team
An essential element of a security program is security awareness training. Employees are a critical line of defense against threats, so it is important that they understand the organization’s risks, how to respond, and whom to notify. Leaders should tailor information to their specific threats. For example, phishing attempts aimed at financial information may be more relevant for one group of employees than for others.
10. Lead by example
Leaders at all levels should set the example for employees to emulate. Business leaders should support security controls designed to protect the organization. If a leader rejects reasonable security controls or instructs employees to work around them, this behavior raises risk to the organization and establishes an environment of resistance.
Protecting the valuable information you control does not always require a substantial investment in new technology. Leaders should challenge their managers and information security team to fully implement foundational security controls as part of the organization’s security program. Investing in low cost, foundational controls will likely lower your risk, ensure a positive return on investment, and demonstrate value and due care to your stakeholders.
If you have additional low-cost methods for protecting your company data, share them in the comments below!
Related Categories: Fraud & Cyber Security
Jeffrey Julig
Jeffrey Julig is Senior Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.