“Cyber attacks are one of the unfortunate realities of doing business today.” That’s what Zynga wrote on its support page after suffering a data breach this past September.
Unfortunately, Zynga’s right. That particular attack exposed personal information associated with more than 218 million Words With Friends player accounts, but it’s hardly unique.
Companies large and small — in every industry — are being targeted by cybercriminals on a daily basis. Sometimes, data is stolen, but sometimes, it’s not. Sometimes, a data breach isn’t discovered until long after it occurred.
Almost inevitably, your company will become a target, but you can control the extent to which your company is at risk.
Circling the Wagons
Company security is a shared responsibility that should be a part of every employee’s job description. Your company’s overall security posture — the security status of your entire IT stack — is a product of many factors. It’s heavily dependent on the knowledge and readiness of every individual in your organization.
To gauge your security posture, you need an accurate assessment of the various processes and defenses you have in place. These include technical layers like external vulnerability scans, encryption, and network security tools. They also include your employee training programs.
Evaluating these components in the context of threats is critical to understanding where and how you’re vulnerable. If you don’t know where to start, take these three steps to lay the groundwork for a robust security posture.
1. Determine security ownership.
Cybersecurity is everyone’s responsibility, but it’s not every employee’s primary function. Increasingly, security is being intertwined with company strategy, making it the domain of the C-suite. Indeed, the companies most resilient in the digital world are the ones making security an executive-level priority. When responsibility starts at the top, it’s easier to create an organization willing to share it.
Kayne McGladrey, director of security at design and manufacturing firm Pensar Development, believes company culture is one of the most important aspects of your security posture. He recommends creating a resilient culture by fostering “healthy suspicion” among employees.
Don’t simply mandate employee attendance at a one-time program. Teach your team about security threats by demonstrating them in the real world. Leave a USB stick in the kitchen, or slip a fake phishing email into an employee’s inbox. Then, show employees how to react to real attacks in the future. The point isn’t to shame or punish employees, but to prepare them for the inevitable.
2. Clarify your platform capabilities.
In the past, many companies relied on software-as-a-service (SaaS) to store, manage, and analyze customer and employee data. The third-party firms providing the software would bear responsibility for keeping it secure. Today, a growing number of companies are demanding increasingly customized software packages. This has given rise to the platform-as-a-service (PaaS) industry. But there’s a risk associated with the versatility that PaaS provides.
“It’s important to remember that PaaS is exceptionally flexible and that because you can do anything with PaaS, people will do anything and everything,” says Pete Thurston, chief product and solutions officer for RevCult, a security and governance partner for enterprise companies using Salesforce.
The ability to build custom applications within Salesforce, for example, can be a major boon to enterprise companies. But it can also come with new challenges. That’s why PaaS systems and applications need to be given the same security considerations as your SQL databases, in-house servers, and off-site data storage. The applications you create within PaaS may not directly change your strategic posture, but they’re complex, mature systems that require prescience and planning to manage.
3. Involve partners and subsidiaries.
Your security posture will impact all subsidiary companies and third-party firms brought into the fold through mergers and acquisitions. Prior to making major M&A decisions, buyers should conduct cyber due diligence. This will ensure they understand how a target company’s information architecture will affect the newly merged organization’s overall security posture.
Joshua Foltz is a technical executive and chief information security officer at Axcient, a backup and disaster recovery provider. He believes that the relative strength or weakness of a company’s security culture should be reflected in its valuation. “Acquiring companies need to understand that they are inheriting the security risk during the acquisition,” he notes. Even if you get a discounted price at acquisition, that risk — if not mitigated promptly — could eventually cost you more than you want to pay. Don’t overlook it.
You should also validate the security practices of all third-party vendors and partners. A vulnerability in a vendor database could expose your employees and customers, which means your overall security posture is only as strong as your most vulnerable partner.
Developing an adequate security posture should be a companywide objective. All team members must understand how to maintain it and why they should. Start with the steps above to avoid becoming a cybercrime statistic.