The Importance of Security Strategy Can’t Be Overstated
Posted on by Robert Ackerman

Lots of things about cybersecurity are important, but none is as crucial as one specific parameter: security strategy. Everything flows from this. If this gets short shrift, anything and everything can collapse like a house of cards.

So let’s take a good look at this topic, starting with the likely cost of weak strategy. It opens the door to breaches, and the average cost of a data breach is now approaching $4 million, according to Ponemon Institute’s Cost of a Data Breach Report 2020. Meanwhile, nearly half of US companies have unfortunately suffered a breach, says the 2020 Thales Data Threat Report.

In addition to the cost, such as data loss and regulatory fines, organizations also suffer from tarnished reputations, erosion of customer trust and loss of business. It’s particularly painful for small and midsize companies, which frequently go out of business in the aftermath of a breach.

Cybersecurity isn’t inexpensive. So, predictably, the best cybersecurity strategy for a business depends largely on whether it is small, midsize or huge. So I’ll offer strategy tips for each category. Regardless of company size, however, a few steps across the board are critical from the get-go. One is to develop an understanding of those assets your company absolutely must protect. To accomplish this, a company needs to review its business processes and determine those that could undermine revenue if their data is stolen or suddenly becomes unavailable.

In addition, all companies have to determine their risk appetite—i.e., the risk they are prepared to accept in pursuit of business objectives. Risk appetites differ, depending on the industry in which the company competes, its financial strength and specific objectives being pursued. Last, small and midsize companies in particular need to assess the ability of their organization to get the necessary security work done. If you have IT/security teams, you need to get a handle on their bandwidth. If you don’t have the resources you need, you have to outsource some of your security work.

Once these considerations are addressed, several steps are appropriate for companies of all sizes. For starters, a company needs a cybersecurity sponsor—the owner, or a member of senior management—to make sure the entire organization really understands the cybersecurity strategy. It’s also imperative to limit the attack surface, which entails not only improving security but also testing its strength via regular penetration tests and overall security monitoring.

In addition, a workforce culture of security must be developed so that almost all employees are trained and know their specific roles. Last, an incident response plan must be developed, preparing employees for the day when something goes wrong—almost always a certainty eventually.

Now let’s drill down briefly on some specific strategy tips for companies of different sizes. Here are some category-specific steps for big, midsize and small companies, bearing in mind the bigger resources of big companies. (Some overlap nevertheless is inevitable.)

Big Companies:

+ Regularly download and install software updates and make backup copies of important business data and information. Updates should be installed automatically. In the case of backup copies, the data on every computer should be backed up at least weekly.

+ Prevent access or use of business computers by unauthorized individuals. Because laptops are easy targets of theft, make sure they are stored and locked up when unattended.

+ Limit employee access to data and information, and require individual user accounts for each employee. Employees should only be given access to the specific data systems necessary to do their jobs and should be unable to install any software without permission. In addition, a separate account should be set up for each individual, never shared logins.

+ Weigh the possible purchase of cyber-insurance. This preventive measure protects you from potentially devastating consequences in the event your system is hacked. Cyber-liability coverage typically covers, among other things, claims by third parties, as well as first-party claims and legal fees.

Midsize Companies:

+ Create and enforce a patching schedule. Regularly downloading the latest patches dramatically reduces the likelihood of a breach. While some hacking groups favor particularly toxic zero-day attacks, which are tough to stop regardless, patches, as well as updates, at least prevent your organization from becoming an easy target.

+ Perform vulnerability testing. This validates the effectiveness of your patching schedule. A vulnerability scan can detect and classify weaknesses in computers and networks, and predict the effectiveness of countermeasures. Both authenticated and unauthenticated scans should be run, covering the view an insider with credentials has as well as the view an outside intruder has.

+ Monitor the quality of passwords. Passwords protect an enormous amount of data. Yet studies have shown that employees regularly reuse weak passwords. Businesses can leverage technologies that check passwords against known-bad and leaked password databases. Also very helpful is the addition of multi-factor authentication.
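As an added illustration of the leaked-password check described above (example code written for this post, not something the author or any vendor supplies): it follows the k-anonymity pattern such lookup services use, where only the first five hex characters of the password's SHA-1 hash leave the client and the final match is done locally, so the service never learns the full password hash. The breach database and its counts are a small constructed stand-in for a real one.

```python
import hashlib

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the key format range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a leaked-password database, laid out the way a
# k-anonymity "range" endpoint serves it: 5-char SHA-1 prefix -> {35-char
# suffix: times seen}. Real databases hold hundreds of millions of entries;
# these passwords and counts are made up for the example.
LEAKED = {}
for _pw, _count in (("password", 3861493), ("Summer2020!", 1200), ("letmein", 270000)):
    _h = sha1_hex(_pw)
    LEAKED.setdefault(_h[:5], {})[_h[5:]] = _count

# Small constructed list of passwords that should never be accepted.
COMMON = {"password", "123456", "qwerty", "letmein"}

def range_lookup(prefix):
    """Simulates the range endpoint: only the 5-char prefix is sent over."""
    return LEAKED.get(prefix, {})

def check_password(password, min_length=12):
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON:
        findings.append("on the common-password list")
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The comparison against the returned suffixes happens on our side.
    hits = range_lookup(prefix)
    if suffix in hits:
        findings.append(f"seen {hits[suffix]} times in known breaches")
    return findings

if __name__ == "__main__":
    for candidate in ("password", "Summer2020!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```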

Small Companies:

+ Use firewalls, one of the first lines of basic cyber-defense. In addition to the standard external firewall, small businesses are increasingly starting to install internal firewalls for additional protection. Employees working from home also should install a firewall on their home network.

+ Create a plan for mobile devices. It has become essential that companies have a documented BYOD policy focused on security precautions—and one that also encompasses smart watches and fitness trackers.

+ Install anti-malware software. Too many employees open hacker phishing emails, sometimes repeatedly. Anti-malware software helps combat such infections, as well as other cyberthreats.

+ Regularly back up all data. The Small Business Administration recommends backing up word-processing documents, spreadsheets, databases, financial files and accounts receivable files. Check your backup regularly to make sure it works properly. And see that it’s stored in a separate location in case of fire or flood.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Security Strategy & Architecture

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.