10 Questions to Validate Your Security Strategy
By Jeremy Louise | December 3rd, 2018
There’s so much information out there about hacks, threats and cyber security in general that it can be natural to feel overwhelmed and fatigued. You understand that the consequences of leaving your business exposed are severe – but at the same time, you don’t know where to begin to address them. You may even have a security strategy, but you’re not sure how well it would stand up to the types of attacks that you’re likely to face.
Thankfully, this is a situation that seems far worse than it is. If you truly want to validate your security strategy and make sure that your organization is as protected as it can be, you only need to ask yourself ten basic questions.
1. Do you have an outline of all the regulatory compliance or client security requirements for your company?
There’s no “one size fits all” approach to security. Many of the decisions you’ll make are dictated by the regulatory and compliance rules set by the governing bodies in your specific industry. If you don’t know which rules apply to you and your clients, it’s difficult (if not impossible) to follow them.
We’re also seeing a large influx of our own clients being asked, by the companies they do business with and on behalf of, to verify their security posture. Some of our clients now showcase their security processes as a marketing tool: a documented posture makes prospective customers more comfortable doing business with them.
2. Do you have documentation for your IT operations, procedures and policies?
Everything that is documented can be repeated. This matters because if one of your IT team members leaves, they don’t take your business’ ability to secure itself with them. All IT operations, policies and procedures must be thoroughly documented and updated on a regular basis. Documentation is also a large part of maintaining compliance: most NIST SP 800-53 control families open with a control that requires a documented policy and documented procedures, so an auditor will ask to see them.
3. Do you have an IRP?
IRP stands for “Incident Response Plan,” and it’s an overview of how you’re going to respond to specific types of threats or incidents. Each type of incident needs its own response playbook that limits damage, mitigates risk and gets everyone involved acting as quickly as possible. Note that this is different from your larger business continuity or disaster recovery plan.
The IRP should also include a communication strategy (who is notified, by whom, and when) and an office relocation contingency. Practice it like a fire drill, through tabletop exercises, so that any gaps are found before a real incident does.
4. Have you identified and segmented where all your most critical/sensitive information is?
If you know what your most sensitive data is and where it is located, you then know exactly what you must do to protect it. Not all data is created equally and certain elements of your enterprise will need more attention – and protection – than others.
This is also why it’s so important to understand your RPO and RTO for each class of data. Some data can be archived, whereas some must be readily available, which is itself a requirement of many regulatory agencies.
5. Do you provide users with routine, regimented IT security training?
Human error is consistently reported as one of the leading causes of cyber security incidents. To fortify your business and make sure that you’re as protected as possible, you need to keep all employees up to date on the latest threats and cyber security best practices. This means regimented IT security training for everyone, delivered on a frequent basis.
This includes phishing simulation training, reviewing your IRP processes, and ensuring that users are routinely abiding by their handbook and WISP (Written Information Security Program).
6. Do you feel confident about your IT strategy?
If you’ve taken a series of steps up to this point and still don’t feel confident, the chances are high that you’re not as protected as you think you are. Cybersecurity is one area where you can’t afford to “settle,” so it’s in the best interest of your business and your clients to be as proactive as possible.
7. Have you measured the potential impact of a breach or security incident in dollars?
Knowing how much you stand to lose in a data breach can help contextualize (and justify) the amount of money you’ll be spending on a proper cyber security plan. The average cost of a data breach is growing every year – don’t assume you know what your damages might be. Do the research in terms of the unique business you’re running.
If Company X is worth $10 million, how long can it afford to be offline if downtime costs an average of $5,600 per minute? Knowing this impact will help you craft a proportionate defense and set realistic recovery targets such as your RTO and RPO (see Question 8).
8. Do you have a company wide RTO and RPO expectation established?
RPO is an acronym that stands for “Recovery Point Objective.” It is the maximum amount of data loss your business continuity plan can tolerate, expressed as a window of time: if your RPO is one hour, you must be able to restore to a point no more than one hour before the disruption, which in practice dictates how often you back up or replicate. RTO stands for “Recovery Time Objective” and is the maximum amount of time that can pass before your business processes must be restored to avoid unacceptable losses. Both of these are cornerstones of your business continuity and disaster recovery processes.
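As a worked check for Questions 7 and 8, the following is an added example (not code from the original article) that models recovery targets the way a practitioner would sanity-check them: given a backup interval and a sequence of restore steps, it computes the worst-case data loss and total restore time, tests them against the RPO and RTO, and prices the downtime using the per-minute figure quoted above. The targets, backup intervals, step durations and the $5,600-per-minute rate below are constructed sample values, not figures from any real organization.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTargets:
    rpo: timedelta  # maximum tolerable data-loss window
    rto: timedelta  # maximum tolerable time to restore service


@dataclass(frozen=True)
class RestoreStep:
    name: str
    duration: timedelta


def worst_case_data_loss(backup_interval: timedelta) -> timedelta:
    """With periodic backups the worst case is a failure just before the
    next backup runs, so up to one full interval of data is lost."""
    return backup_interval


def actual_data_loss(last_backup: datetime, failure: datetime) -> timedelta:
    """Data lost in a specific incident: everything since the last good backup."""
    if failure < last_backup:
        raise ValueError("failure time precedes last backup")
    return failure - last_backup


def total_restore_time(steps: list[RestoreStep]) -> timedelta:
    """Steps are assumed to run sequentially (constructed assumption)."""
    return sum((s.duration for s in steps), timedelta())


def downtime_cost(duration: timedelta, cost_per_minute: float) -> float:
    return duration.total_seconds() / 60.0 * cost_per_minute


def evaluate(targets: RecoveryTargets, backup_interval: timedelta,
             steps: list[RestoreStep], cost_per_minute: float) -> dict:
    """Compare a backup/restore plan against the RPO/RTO and price the outage."""
    loss = worst_case_data_loss(backup_interval)
    restore = total_restore_time(steps)
    return {
        "worst_case_data_loss": loss,
        "meets_rpo": loss <= targets.rpo,
        "restore_time": restore,
        "meets_rto": restore <= targets.rto,
        "estimated_downtime_cost": downtime_cost(restore, cost_per_minute),
    }


# Constructed sample targets: lose no more than 1 hour of data, restore within 4 hours.
TARGETS = RecoveryTargets(rpo=timedelta(hours=1), rto=timedelta(hours=4))
COST_PER_MINUTE = 5600.0  # the per-minute downtime figure quoted in the article

# Weak plan: nightly backups and a cold rebuild from backup media.
WEAK_INTERVAL = timedelta(hours=24)
WEAK_STEPS = [
    RestoreStep("detect and declare incident", timedelta(minutes=30)),
    RestoreStep("provision replacement hosts", timedelta(minutes=60)),
    RestoreStep("restore data from backup", timedelta(hours=3)),
    RestoreStep("validate and cut over", timedelta(minutes=45)),
]

# Corrected plan: hourly replication and a warm standby to fail over to.
CORRECTED_INTERVAL = timedelta(hours=1)
CORRECTED_STEPS = [
    RestoreStep("detect and declare incident", timedelta(minutes=30)),
    RestoreStep("fail over to warm standby", timedelta(minutes=20)),
    RestoreStep("validate and cut over", timedelta(minutes=15)),
]


def weak_plan() -> dict:
    return evaluate(TARGETS, WEAK_INTERVAL, WEAK_STEPS, COST_PER_MINUTE)


def corrected_plan() -> dict:
    return evaluate(TARGETS, CORRECTED_INTERVAL, CORRECTED_STEPS, COST_PER_MINUTE)


if __name__ == "__main__":
    for label, result in (("weak", weak_plan()), ("corrected", corrected_plan())):
        print(label, result)
    # Data loss for one concrete incident under the weak plan (constructed times).
    print(actual_data_loss(datetime(2018, 12, 3, 2, 0), datetime(2018, 12, 3, 16, 30)))
```

The weak plan fails both targets: a 24-hour backup interval can lose a full day against a 1-hour RPO, and the 5 h 15 min rebuild overruns a 4-hour RTO while costing roughly $1.76 million at the quoted rate. The corrected plan meets both, and the cost difference is the kind of number that justifies the spend on replication and a standby environment.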
9. Do your vendors adhere to any degree of compliance themselves and do their supporting systems conflict with yours?
You are only as secure as your third-party vendors. If you’re working with vendors who do not adhere to any degree of compliance themselves, or who use systems and processes that directly conflict with your own, they represent a potential vulnerability waiting to be exploited. If your vendors aren’t on the same page as you in terms of cyber security, you need to find vendors who are.
10. Can your IT service provider or IT leadership answer all of these questions?
If your own internal IT leadership, or the IT service provider you’re working with, can’t answer all of the questions above, your organization is not nearly as protected as you think it is:
- You’re likely vulnerable to threats you’re totally unaware of.
- You’re not totally sure of the consequences that you might suffer during and after a breach.
- You have no plan for how you’re going to get back up and running again quickly.
All of these are significant issues that need to be addressed.
True cyber security requires an “all hands on deck” approach, and every member of your organization needs to understand its importance. Validating your security strategy begins at the top and requires buy-in from all key stakeholders. Without that, you’re essentially positioning your company for a breach when you should be doing the exact opposite.