When security is addressed by leadership, it usually means something bad happened or there is another round of boring, stale annual training on the horizon. Depending on the industry, information security tends to have various levels of value. If you are a pharmaceutical company, the proprietary formulas for drugs would value infosec much more than a small business that sells keychains at the local flea market. That is where larger companies, where data and information is their key revenue generator, see infosec as a necessary cost of doing business. Small businesses tend to see it as a cost center as most believe that the cost of properly reducing the risk of a data breach bites too much into their profits to stay afloat. Whether you are a sole proprietorship or a Fortune 500 company, infosec is a business investment that should not be optional. I will break down a unique way of thinking about improving the infosec culture within your business. A shift in perspective can shape the difference between knowing how to keep your business thriving even after a data breach or closing your doors due to not being prepared with a sound information security strategy. So, let’s dig into the key factors identified by General Sun Tzu:
If you know yourself and know your enemy, you do not need fear the result of a hundred battles.
Know Yourself
Understanding your strengths and weaknesses can give you a significant edge in creating the roadmap to making your business thrive. Focusing on your strengths and outsourcing your weaknesses just makes sense. With regards to Infosec, this is a broad spectrum that reaches across your organization. We breakdown the disciplines of infosec as follows:
- Physical Security- Lights, locks, and guards
- Personnel Security- staff training, policies, and procedures
- Technical/Cyber Security- hardware, software, connectivity, and digital presence
Having an accurate picture of your risks in these disciplines will allow you to allocate resources effectively. If you have not given thought to all three aspects of infosec in your business, you should start. In some cases, businesses may lean more heavily on personnel security (staff training) and cybersecurity and not as much on physical security. This way you can dedicate any budget you have available to put toward your key risk areas. What are your key risk areas? This is where we look at the current threats to data.
Know Your Enemy
The digital landscape continues to evolve and so does the tactics and tools bad actors use. There are some very brilliant minds that have a keen understanding of technical architecture and ways to break it. In most cases, they can count on companies to have basic holes in their security. Just like water, they will use a path of least resistance. They will first try to exploit known vulnerabilities such as your employees through social engineering tactics such as phishing. They will also have a list of known software application vulnerabilities they will try to exploit since some organizations do not have the resources to give sufficient attention to cybersecurity functions. As businesses endure cyber-attacks every 39 seconds on average, it is only a matter of time before a breach happens to you. The statement of “not if, but when” is not to scare businesses into funneling money into a product or service, it is a stark fact. By the nature of hackers spending all their time and resources into what they do, businesses are allocating a dismal number of resources in comparison.
What is the Solution?
If you have a good understanding of the security gaps of your entire business environment, from your online presence, physical footprint, and staff awareness, you can focus your resources in a more strategic and efficient manner. This is where a trusted third-party service provider can be an investment that will pay dividends. When you have a team that can see the big picture and address your gaps, you can significantly reduce your risk exposure. There will be risks you cannot avoid and that is where building a sound incident response plan can mitigate the impact when these vulnerabilities are exploited.
Appropriate and immediate action steps can control the bleeding to minimize impact to your daily business activities. Backup systems such as paper documents can allow you to still serve customers in parallel to your systems being down to remediate the effects of the attack. Combining this with educating yourself and your entire staff on the current threats to your industry will give you sufficient security situational awareness not only making your business a hard target for bad actors, but also improve the security culture of your staff that can take this knowledge and use it in their personal lives.
Security does not stop when you clock out and go home. If you are tired of seeing new reports of data breaches in your industry as I am, leadership should start infosec conversations with their staff at all levels. Remember, security awareness is the first line of defense!