Stop reacting! Start anticipating!
Cyber security is an important concern for every organization and the potential losses can be considerable.
Daily occurrences demonstrate the risk posed by cyber attackers. The management of any organization faces the task of ensuring that it understands the risks and sets the right priorities. This is no easy task and focusing on technology alone to address these issues is not enough.
When they think of cyber security, many people automatically think of the business’s cyber security service slaving away in hoodies in front of their laptops, processing code, scanning for viruses, and putting up firewalls.
While this is part of the job, the cyber security function alone will not be sufficient to guard against today’s threats. The “people” factor is often ignored, yet it is a critical element in building strong cyber resilience. You can invest significantly in building strong Public Key Infrastructure services or firewalls, but if you don’t realistically monitor the development of potential threats against your business, or the risks that emanate from your own people and partners, all your efforts will be in vain.
Achieving absolute security is absolutely impossible
Absolute protection against cybercrime is neither an achievable nor an appropriate goal, and it is a mistake to believe in it or to let others believe in it. At best, you will fail to create the conditions that keep your staff sufficiently vigilant; at worst, you will put unbearable pressure on your teams.
Any device connected to the internet, any piece of the “internet of things”, can potentially be hacked. Hackers keep developing new methods and increasingly sophisticated technologies, and defense is always one step behind. A good defensive posture is based on a realistic understanding of the threat (i.e., the criminal) in relation to your organization’s vulnerability (anticipation). You need to have the best process in place to detect an impending or actual breach (detection) and be able to immediately address incidents (reacting) if you want to minimize losses.
Don't just rely on technology
Technologies are essential for basic security, and must be integrated into the technology architecture, but effective cyber security is less dependent on technology than you think. Computers do not create crimes. It is “real people” using computers who commit them. And your staff members can be, and often are, knowingly or unknowingly complicit. So, the knowledge and awareness of the end user is equally critical.
Most of the time, a change of culture is essential. Employees should be made aware of the risks they run and should take the initiative in informing their supervisors of their worries.
Keep track of your suppliers' practices
You should expect sustainability practices from your outsourcing provider and require appropriate employee experience. One of the most important statistics to consider is employee turnover. High turnover has an indirect cost on the IT organization, but it also increases your exposure to the risks associated with dissatisfied outsourced staff.
You should expect outsourcing providers to bring a sustainability capability that will not harm your reputation as the buyer or increase your vulnerability. When you look at the outsourcer’s sustainability profile, you must balance costs and benefits against the impact on your brand. In other words, if you only seek lower operating costs through outsourcing, you are likely to have some nasty surprises at the end of the day.
Take a smart risk approach to outsourcing and offshoring
The risk of security breaches or intellectual property theft is inherently higher when working in international business. Privacy concerns must be completely addressed. These issues are addressed too rarely, even though requirements should be documented, and methods and integration with suppliers should be defined.
The Patriot Act obliges American investment banks and consulting firms, collectors of strategic information, to make all their data available to the American federal government.
You would be wise to choose French or European partners who are closer to you and more concerned about your long-term interests.
Have a plan and other plans for when your plan fails
Procrastination is inherent in human nature, especially when you aren’t quite sure of the right way to approach an issue. But you need to anticipate your response before a security breach occurs. Unfortunately, all too often the opposite happens.
No matter how many levels of protection you put in place, there’s always that blind spot where you just couldn’t anticipate an attack. Once your system has been compromised, you need to have response and recovery plans in place.
Having an incident response (IR) plan in place is a critical part of a successful security program. Its purpose is to establish and test clear measures that an organization could and likely should take to reduce the impact of a breach from external and internal threats.
If the people responsible for shutting down a crucial system during an attack are waiting for a phone call or email from you to execute their duty, what happens when the attack disables both of those avenues? You need multiple layers of response, and those responses need to be worked out ahead of time in simulations or drills.
The real challenge is to make cyber and information security a mainstream approach. Even with very high castle walls and a sense that you have done everything you think you should do with cyber security, you are probably still vulnerable. This means that cyber security should become part of your HR policy. It also means that cyber and information security should have a central place when developing new IT systems. Last but not least, you need to know what is happening both outside and inside your organization. It is people who create the greatest vulnerabilities, just as they are the most valuable part of the solution.
Here’s the good news. If you’re looking for an independent partner, Stroople provides customized solutions to design and build your technology dream team. You can choose the solution that suits you best. We provide tech talent pros whether you need to hire or outsource your cybersecurity team.