Q: To get the most bang for your buck (and efforts), what two to three things can you do that positively affect the cybersecurity posture of most organizations?
This question comes to us from Mat Kordell, chief technology officer of The Altus Group, a provider of software, data and technology-enabled services to the commercial real estate industry. In today’s world where security resources and expertise are limited, it’s no wonder this is one of the most common questions he hears from customers.
The increase in cybersecurity attacks over the past several years has prompted organizations of all sizes, from small, mom-and-pop shops to massive, global enterprises, to take a deeper look at the current cybersecurity protections they have in place and ramp up their tool kits where needed. Here are my top three tips to level-up your security posture and get the best return on your investment.
Forget the 'Weakest Link' — Train Your Team
An organization is only as strong as its weakest link. Often, employees are left to take the blame when it comes to cybersecurity threats. However, it’s imperative that companies take a good look in the mirror to see how they are educating their employees on the proper tactics and skills needed to avoid potential threats to their organization. Much like how a child shouldn’t be punished for disobeying rules of which they're unaware, your employees shouldn't be punished, either. Data breaches are in the news every day, which has pushed the topic to the mainstream, but it is unfair to assume that every employee is up-to-date on best practices.
For example, phishing scams remain a tried-and-true tactic for malicious actors because they prey on human nature. Whether it’s just from curiosity or a perfectly tailored scam, eventually someone will fall prey to a phishing attempt. To combat this, organizations must empower their employees with continuous cybersecurity training to stay up to date on the latest threats and trends. At the end of the day, it’s up to companies to keep themselves protected.
A recent survey of small- to medium-sized businesses (SMBs) found that businesses are taking cybersecurity seriously, with nearly 100 percent of respondents conducting employee cybersecurity training in some form. However, despite these efforts, the report also notes that roughly 79 percent say they aren’t completely ready to manage IT security and protect against threats.
The survey also found that only 39 percent continuously train employees on best practices, and 36 percent only train employees once, either during onboarding or after a security breach takes place. To truly get the most bang for your buck with security training, employees need ongoing training throughout their tenure to feel educated and empowered, and ultimately to keep your organization’s digital assets secure.
Security: It’s a Culture Thing
Create a culture of security within your organization. That's another one of the best ways to get the most bang for your buck in security, and it's a move that should be made in tandem with any formal security-awareness training you may have in place. No matter the size of your business, any unsuspecting employee can fall victim to a phishing email, whether from investigating a deal that was too good to be true or from simple curiosity. By creating broad awareness of the dangers of today's threats, instilling the concept that security belongs to everyone at the company, and providing education on safety tips and best practices, organizations can avoid a lot of potential damage.
For example, during onboarding, cybersecurity training should be mandatory for all new employees to give them a better understanding of the threats their new company faces and how best they can help keep the ship afloat.
Down the line, their security education should continue with ongoing security-awareness training, updates, blogs and even lunch-and-learns. Organizations should make it a point to share ongoing tips and tricks to help employees maintain best practices. It's also effective to hold small contests, such as awarding a prize to the employee who forwards a fake phishing email to the IT department. These small tokens keep employees on their toes and knowledgeable at the same time.
Skip the Discount Solutions
One size doesn't fit all. Naturally, everyone is looking for the best deal when shopping for cybersecurity products. However, it's important to remember that shopping for cybersecurity is like shopping for clothes: one size doesn't always fit all. Unlike holiday shopping, a coupon-clipping, discount-hunting mindset won't always lead to success.
As a CISO, I have learned the hard way that simply shopping for the lowest price doesn't fit the needs of my organization or my security program. In looking for solutions to add to my security stack, it's important not to be distracted by the newest, shiniest thing. Instead, as the CISO, do your homework to ensure you understand the business operations and strategic goals of your company.
Once you've aligned your security program to support the business and completed business impact assessments, you will have a list of security controls and initiatives that need to be remediated. This list of initiatives is a foundation the CISO uses as a road map to review current security technologies and identify new ones that can upgrade an immature security control.
Have the problems you are trying to resolve in mind when shopping for technologies. That way you choose solutions that integrate smoothly into your current security platform, ones that solve several issues that need to be addressed and ones that share data with your current security solutions. That sharing enables a clearer view of anomalous incidents that need to be investigated.
When looking at new technologies, it isn't about the cost; it's about how well the technology integrates into your platform and the data it provides, so that ultimately you (as a CISO or other decision maker) can make informed decisions to protect your company and its operations.
Bonus tip: Hire a CISO. To be successful in preventing data breaches and thwarting potential threats, it's crucial that organizations have the right people in place with the appropriate expertise to make the decisions as to which products and practices will best suit their needs. This is where appointing a skilled CISO (chief information security officer) or CSO (chief security officer) comes into play. Their knowledge of the current threat landscape is integral to understanding what solutions and tactics are best suited to keep the company safe and avoid a major security incident. As a CISO myself, I might be biased, but it's vital to have someone at the helm of your company's security efforts to make sure you truly get the most bang for your buck.
Gary Hayslip is responsible for the development and implementation of all information security strategies, including Webroot’s security standards, procedures and internal controls. As CISO, he also contributes to product strategy to guide the efficacy of Webroot's security portfolio. He previously was CISO of the city of San Diego and held infosec roles with the U.S. Navy and the federal government. Follow Hayslip on Twitter @ghayslip or on LinkedIn.