What is Enterprise Security?
Is Your Enterprise Secure?
What are some of the practices that help develop security of data?
Regardless of an organization’s security measures, nothing is perfect. What I mean is, there will always be a risk. On the other hand, there is equally no excuse for not implementing fundamental security best practices. All organizations, regardless of size, must plan for inevitable attacks, loss of access to systems, or loss of critical data. By recognizing risks, planning ahead and instilling a culture of security and privacy in the entire organization, losses and their impact can be minimized.
As in previous years, the Online Trust Alliance (OTA) analyzed reported breaches through Q3 2017 and found that 93% were avoidable. This is consistent with the previous years’ results. The report also showed that while 52% were the result of actual hacks, 11% were due to lack of internal controls and resulted in employees’ accidental or malicious actions.
As we have conversations with prospects and clients at SecureFLO, we realize the absolute need to understand their current state. Current state for us is a short assessment that allows us to understand IT operations, governance, regulations, vendors and contracts, projects and any incidents that may have occurred in the recent past. This quick analysis allows us to then recognize, based on our experience, where an organization needs to focus on its journey to reduce and/or manage risk.
To many organizations, security is about managing the network and preventing attacks. In the age of free data flow, contract workforce, remote employees, cloud services, open source code, large outsourced business processes, etc., you have to ask whether the perimeter is your biggest risk. I would argue that the risk is posed by the mobile devices used to access data, where you store this data, how you patch the application holding the data, etc. The question is how do you define security? Is there an absolute security process or technology for your enterprise? Can any organization say with confidence that they cannot be breached or have a cyber event? Is that a reality or a fallacy? My perspective is that security is a process or a journey. Risk management is the real key to security and that starts with a roadmap and good governance. So the process of continuous compliance makes sense with the changing landscape of your business use cases or data lifecycle.
In order for us to think about solutions and practices to risk, let’s discuss the cyber hygiene practiced by an organization. What is cyber hygiene? Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. Even though more and more of our work is in the cloud and on the internet with connected devices, hygiene needs to include IT security operations across the landscape and not just in the context of cyber-related actions.
As we look across an enterprise and business in various verticals, the overall security issues seem insurmountable. There is too much news about hacks and cyber attacks and breaches and data loss. Does that make you feel less secure within your organization? Does that lead you to action or complacency? I would argue that it has led to complacency and inaction. We achieve action by getting back to basics and taking small steps.
These could be considered best practices for enterprise security, no matter the compliance regulation or standard you follow:
- Good governance
- Ongoing risk assessments
- Documented controls for all risks identified
- Risk categorization of vendors providing solutions and services
- Training and awareness for employees/contractors/vendors
- Technology Operational best practices
- Secure Access
- Threat Analytics (Network & Desktop)
- Business Continuity
- Incident Response
- Cyber Insurance
- Innovation in Technology
Do the above actions really make an enterprise secure? Based on our experience, we can say with a high degree of certainty you are moving in the right direction of being more secure. There is no absolute security for an enterprise, as we discussed earlier. As an organization, you are as strong in security as your weakest link. Your weakest link in the current data seems to be coming from people and practices. Training and awareness of an employee/contractor/vendor is critical in the data-rich environment of your enterprise.
So after all this, I want to come back to the question: are you more secure as an enterprise today? We have the knowledge, expertise, and tools to achieve a more secure enterprise for you. A risk-based approach to enterprise security and privacy should be your focus. Security is a team sport. With this in mind, have your employees/contractors/vendors/partners participate in this goal for your organization.