[BreachExchange] Does your business have a security policy?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 27 20:14:41 EDT 2016


http://www.rgj.com/story/money/business/2016/10/27/does-your-business-have-security-policy/92794748/

I recently gave a talk on digital security to a group wanting to know more
about protecting their business from internet security threats. What struck
me was how few businesses in the room had a formal security policy in
place, and how few of those have reviewed their security policy since they
created it.

In today’s fast-paced digital world, it is important to not only have a
security policy and plan for your business, it is essential that you review
it regularly. As the changes in our digital world dictate different ways of
producing and storing data, criminal elements will adjust how they attempt
to gain access to our data. As such, we must adjust how we protect our data
from compromise. Further, we must have an up-to-date plan in place for what
we will do in the event we have a compromise in our environment.

When, not if

The message I try to get across to businesses when I talk to them is “When,
not If.” Security in the digital age faces the same challenges that
security has always faced. It is a game of cat and mouse. We put measures
in place to protect our businesses, and criminals constantly seek new ways
to circumvent our security. The reality is that the best digital security
in the world is not perfect. It may miss something at some point, and we
must be prepared if that happens.

Having a formal security policy in place, with regular reviews and updates
regarding its content, will increase your ability to recover if and when a
security breach happens. During a breach, anxiety levels rise and people
can make rash decisions under duress. We will spin our wheels trying to
figure out what to do while potentially damaging activity continues in the
environment. With a formal policy and plan, you have a step-by-step guide
on how to handle the situation, which will speed the remediation and
recovery process and get your business back up and running with the
shortest amount of downtime possible. You will know how to prevent the
spread of an infection in your environment, who to call for assistance, how
to alert the proper authorities, and whether or not you will need to notify
clients.

Build awareness

Once you have a policy, building awareness within your organization is
critical. Make the policy visible and make sure your staff is aware that
you have a policy. Build additional awareness by keeping your employees
informed about the latest security trends and methods of attack. This will
help them spot potential attacks before they become a security breach.
Making digital security a part of your company culture can mean the
difference between an annoyance and a disaster. Get creative with how you
bring up the topic at meetings. Find ways to incentivize people for
demonstrable good security behavior and make it visible to the entire
organization.

Test your security platforms

Finally, test your security policy and practices. Engage with partners that
can help test and point out flaws in your network security platforms. You
will then be in a position to address and correct potential issues before
they are exploited.