In our last post, we discussed the importance of viewing cyber security as more than just a technical problem your IT people need to address. Instead, we outlined the three major security pillars Daystar views as fundamental to an effective cyber security strategy. These pillars – technology, process, and policy – depend on the active participation and alignment of both your business IT and operations executives.
Now that we’ve explored what comprises a business’ cyber security strategy, let’s take a closer look at implementation. While executing and honing these pillars is certainly a process – and not one that should be rushed – there are ways business and IT can work together to collectively manage security technology, process, and policy.
Buy in
One of the primary points in Part I was that managing security is no longer about firewalls and anti-virus. It is, instead, largely about policy and process – mitigating threats must be a holistic endeavor, from putting the correct technology in place to enacting the proper processes and codifying them in company-wide policy. This will inevitably require time, patience, and revisions. Without your full support, an IT partner can truly only administer the technology pillar, as the other two pillars are firmly grounded in your business, your workflow, and your staff.
Another important piece of ‘buying in’ is making sure the right resources are involved on your end. Engage your managers and those knowledgeable in operations and departmental workflow to outline your own ‘best practice’ when it comes to things like:
- Data retention (according to your industry and compliance)
- Physical and logical access to network resources
- Bring your own device (BYOD)/mobile device management (MDM)
- Line of business software access
We work with our clients to see how their expectations and goals dovetail with the technology at hand to design solutions that work for them. Be sure that you do the same. Get the right people, from the technical and business sides, around the table to provide input and develop a plan that works for your business.
Create a WISP
Creating a written information security policy (WISP) is a great first step in getting this very, very important ball rolling. A WISP provides a jumping off point for identifying weak links in all three pillars, as it helps to outline the structure of the pillars themselves (“Wait, we aren’t enforcing any password policies for our entire staff?!”).
Although the initial workload for creating a WISP is substantial for both, know that the initial build-out is always the most time consuming, and everything subsequent to that is crypto-gravy.
Be patient and accept process changes
Here’s the honest truth: heightened technical security controls, purposefully designed and constructed internal processes, and sharply enforced IT policies will initially make things more challenging for your users. There will be a learning curve. There are some sysadmins and security professionals out there who would argue the opposite, and while they might be right for their specific platform or environment, they’re also very much the minority. For most small to medium sized business with limited resources, industry-standard security implementations force an additional layer of administrative overheard on your users.
For example:
- 2-factor authentication requires an extra step when logging into platforms much of the time
- Password expiration forces staff to take a few moments to update passwords on a regular basis
- Asking that staff go to a manager to facilitate the deletion of data is a couple of additional minutes out of everyone’s week
- Using a VPN to connect to network resources when out of the office requires additional software and knowledge
However, this added inconvenience is exactly what is contributing to the overall security of your network and your data. Let’s purposefully flip the table, and view the added time dedicated to security as a measure of success, rather than an inefficiency to be lamented.
Lifelong learning
With a fluid threat landscape and dynamic attack vectors, security is a vast and evolving industry, which is exactly the reason so many enterprise-level companies dedicate the internal resources to it that they do. Keeping up requires you to stay educated and to regularly be putting your network and policies to the test.
While this might sound technical and time consuming, it doesn’t have to be. Daystar utilizes an ongoing employee testing and education platform to monitor the risk associated with your staff’s knowledge, and provide the necessary training as the need arises, particularly stressing the importance of defending against business e-mail compromises (phishing, spoofing, ransomware). This is also why we recommend regular internal and external penetration testing, particularly if your industry’s compliance requirements demand it. These ongoing platforms help to ensure that the pillars of security remain as strong as possible in the face of a challenging and demanding field.
Successfully implementing an effective cyber security strategy takes time, effort, and participation. However, the alternative is unacceptable in today’s business climate. Gather the right people, develop a security plan, support your team through changes, and provide ongoing training and verification. It won’t happen overnight; take it one step at a time and soon you’ll be well on your way to improving your business data and IT security.
Learn more about Daystar’s cyber security services!
