Did the Heartbleed virus give you a heartache and headache all at the same time? The last 12 months of headlines are not just a rough patch for organizations regarding cybercrime. They are a sign of escalating threats and new tactics deployed by cybercriminals.
“Cyber security“ as a ranked risk moved last year to the top 3 risk factors faced by businesses on the Lloyds of London Risk Index. If cybersecurity were an Olympic athlete, that’s the equivalent of taking home the bronze medal when you were a lonely and forgotten 12th place finisher only 2 years ago.
The first question executives typically ask me, “How much security is enough security?” The answer is a complex one and should be individualized to your organization’s risk tolerance. Consumers and business professionals alike should focus on the fact that internet security will always be changing. Every new technology that we adopt becomes tomorrow’s attack surface for cyber criminals.
Combating internet threats requires a comprehensive approach. Start with these three steps:
Not all digital assets are of equal importance! The first place you have to begin is to answer the question, “What digital assets that we create and own are worth protecting?”
You need a neighborhood watch program! Understand your vendors’ security measures, actively share information within your peer group about cybercrime, and proactively develop relationships with law enforcement.
People, process and technology are key. Tools, processes and employee awareness must also be fine-tuned in order to safeguard your organization.
Based on my time in the banking industry, the White House and serving our clients, I have some ideas on how to change the conversation, save you time and money, all while improving your security posture. We have to change the security conversation to this:
We will be hacked, and when that time comes, we will be ready.
Instead of a pure tool focus, the emerging best practice for improving your threat posture is a focus on best practices:
- Golden rule: security & privacy first
- Security = revenue
- WD40 your technology supply chain
- You will be breached eventually, rapid response and recovery is key
We can point to plenty of examples where security was built after the system was designed. When you do that, it feels as if a car sales person handed you a bag of balloons and duct tape and said, “This is your car’s air bag, be safe!” Security and customer privacy must be your golden rule before you build one framework. Security should be and can be a revenue generator.
How does that happen? By forming a security practice in your company with a framework to formulate ideas and foster innovation.
I have seen security actually transform the customer experience and I will share some real problems and real solutions with you when we meet at the Secure360 Conference in May. Some of the best and brightest security teams do not realize they have rusty leaks in their supply chain. WD40, or the way to prevent and remove rust, requires an upfit and update of your vendor management program.
All companies need to practice a digital disaster at least once a year. Name your worst digital nightmare and create a scenario based exercise to test out your rapid response and recovery plan. Make it realistic, time yourself, and grade your performance during the exercise. Be brutally honest with yourself about what is missing in your rapid response plan and work on improving your grade.
Want to learn more about these 3 steps + 4 best practices? Join me at Secure360 this May!