With the festive season upon us, we’re here with a friendly reminder: Don’t let the cybersecurity Grinch ruin your Christmas fun! There’s never a good time for a data breach, but some times are certainly more inconvenient and disheartening than others.
The best thing you can do is take a proactive approach to your cybersecurity rather than a reactive one. This means ensuring you have the appropriate measures to protect your organization and those you work with.
In the spirit of the holidays, we’ve created our very own ’12 Days of Security Principles.’ It’s not as catchy as the ’12 Days of Christmas,’ we grant you that, but it may help keep the Grinch at bay and protect your business from a costly breach in the future.
On the first day of Christmas, SeekingFire told me:
Your security program must enable business objectives
If risk is one side of the coin, the other side is opportunity. Managing risks is the same thing as enabling a safer pursuit of opportunities.
Information security policy, controls, and activities should reflect and enable your organization’s objectives. When done best, they don’t oppose what the business is trying to achieve but instead open doors to business resiliency and growth.
On the second day of Christmas, SeekingFire told me:
Security must reflect asset value and risk
Security isn’t a goal in itself. We can use formal language like “cost-benefit analysis” or just remember that it doesn’t make sense to spend $1.10 to protect a $1.00 asset. Or, for that matter, to spend $1.00 to protect a $10.00 asset that the risk assessment says would only be at risk once every 20 years. This is why having a simple, consistently applied risk assessment strategy can be so powerful in making your security dollars go further and providing more business value.
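As an added illustration of the day-two arithmetic (example code, not part of the original post): a small annualized-loss calculation using the post’s own figures, plus constructed control costs and effectiveness values to show how the same consistently applied rule also decides between several candidate controls. Treating the $1.00 asset as lost once a year is an assumption for the example.

```python
# Added example (not from the original post): a simple, consistently applied
# risk assessment in the style of day two. The dollar figures are the post's
# own illustrations; control names and effectiveness values are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float      # single loss expectancy (SLE): what one incident costs
    events_per_year: float  # annual rate of occurrence (ARO); 1/20 = once in 20 years

    def annual_loss(self) -> float:
        """Annualized loss expectancy (ALE) = SLE x ARO."""
        return self.asset_value * self.events_per_year


@dataclass
class Control:
    name: str
    annual_cost: float    # what the control costs per year to run
    risk_reduction: float  # fraction of the ALE it removes, 0.0 .. 1.0


def net_benefit(s: Scenario, c: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return s.annual_loss() * c.risk_reduction - c.annual_cost


def worth_buying(s: Scenario, c: Control) -> bool:
    return net_benefit(s, c) > 0


def best_control(s: Scenario, controls: list[Control]) -> Control | None:
    """Highest positive net benefit, or None if no control pays for itself."""
    paying = [c for c in controls if worth_buying(s, c)]
    return max(paying, key=lambda c: net_benefit(s, c)) if paying else None


if __name__ == "__main__":
    # The post's two cases: $1.10 to protect a $1.00 asset (assumed lost every
    # year), and $1.00 to protect a $10.00 asset at risk once every 20 years.
    yearly = Scenario("small asset, hit yearly", 1.00, 1.0)
    rare = Scenario("larger asset, hit once in 20 years", 10.00, 1 / 20)
    print(worth_buying(yearly, Control("perfect control", 1.10, 1.0)))  # False
    print(worth_buying(rare, Control("perfect control", 1.00, 1.0)))    # False
    # A cheaper, partial control can still be the right buy for the rare case.
    print(best_control(rare, [Control("perfect", 1.00, 1.0),
                              Control("partial", 0.25, 0.8)]))           # partial
```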
On the third day of Christmas, SeekingFire told me:
Cybersecurity is everyone’s responsibility
Data security isn’t something that can be turned into an “IT function.” Every user in your organization is part of your defences, whether or not they have the training to avoid risky behaviours. Physical facilities often have key defences in place; think of security cameras covering important areas. Why should it be any different for your organization’s data and its intellectual property?
Ultimately, how senior management chooses to balance risks to the enterprise in its long-term planning, and the culture it nurtures, are critical to supporting a successful security program.
On the fourth day of Christmas, SeekingFire told me:
The design of information security standards and procedures should be reviewed often and adapted to react to business changes and unexpected events
Sadly, there’s no ‘one size fits all’ or a ‘we’ve completed it’ approach to data security. Instead, it’s something that needs constant tending. Therefore, as your business grows and evolves, the security program needs to evolve along with it.
Sometimes significant events, like a workforce that unexpectedly needs to work remotely for an extended period, can force change on you. This is why the security program needs to be driven ‘top-down’ from the business strategy rather than ‘bottom-up’ from IT support personnel.
On the fifth day of Christmas, SeekingFire told me:
Security should follow the principles of ‘least privilege’ and ‘separation of duties’ with regard to performing security functions
This isn’t just about preventing fraud or disgruntled employees from causing damage. It helps prevent earnest and well-meaning people from making mistakes that could impact the business. For example, if you don’t need to be able to delete backups of critical servers, you shouldn’t have the access rights to do so.
On the sixth day of Christmas, SeekingFire told me:
Access to and transmission of data or resources should be secured, audited and monitored at a level consistent with its sensitivity as reflected by its data classification
Whenever I talk about data classification, the first misconception that I run into is that it’s for big governments — phrases like ‘top secret’ tend to give that impression. But really, the benefit of a simple classification scheme for your information — like what’s relatively unimportant, what’s important, and what’s critically sensitive — is that you can target your security spending appropriately. Don’t spend money on security controls on the 90% of your business that doesn’t need it, and don’t skimp on protecting the 10% that could make or break your business if you were breached or had a disaster that resulted in losing those systems and the information they contained. Data classification is a valuable strategic tool for a business to align its security spending with its critical business needs.
On the seventh day of Christmas, SeekingFire told me:
Any individual or service accessing sensitive data or resources, as defined by security policy and data classification, as well as legislative, regulatory and contractual requirements, should be positively identified
You can’t protect what you don’t know about. After classifying your information on day six, you know where the sensitive information that needs protecting is. Now you need to work out who and what needs to access it, and make sure you have a firm understanding of why that access is needed. It’s sometimes surprising how much security comes down to making simple inventories and ensuring that reality matches expectations.
On the eighth day of Christmas, SeekingFire told me:
The decision to deploy security controls should be based on a solid understanding of your information security requirements, threat and risk assessment, and risk management
As mentioned, there’s no such thing as a security ‘silver bullet.’ Once the sensitive information, and the people and services that need to access it, have been identified, the next step is to identify the threats that might try to defeat your security controls and the vulnerabilities in your systems they might leverage to do so. Then you can make a risk-based decision about how likely that is and what the potential impact would be if they succeed, and decide whether or not your security controls are adequate for the job.
On the ninth day of Christmas, SeekingFire told me:
Security is only as strong as the weakest link
The strength of the security controls in use should all be roughly the same, and as close to your level of risk appetite as possible. The goal isn’t to eliminate all risk; it’s to manage it to an acceptable level. Part of achieving that is ensuring that bad actors can’t bypass your security measures by attacking an obvious weak point in your strategy.
On the tenth day of Christmas, SeekingFire told me:
Security requires a multi-layered defence strategy
The days of a firewall providing sufficient security, and creating a ‘trusted’ internal network, are long over. With attacks like phishing that trick users into compromising internal computers, a good security strategy needs to ensure that there are layers to the defences. Like layers of an onion instead of a brittle eggshell, an attacker breaching a defence shouldn’t immediately get access to everything in your business.
On the eleventh day of Christmas, SeekingFire told me:
Security should be centralized
In larger organizations, information security should be centralized to create efficiencies, decrease costs through the creation of economies of scale and scope, and to allow for the proper development of enterprise solutions and monitoring.
On the twelfth day of Christmas, SeekingFire told me:
Security will reduce costs and the implementation time for projects by utilizing a common set of core security technologies
If you are a larger organization, selecting and building a core set of security technologies (such as authentication, remote access, logging, etc.) can make deploying new technology services in a secure manner much faster and cheaper.
Sure, it takes time to build these pieces and processes out at first, but over time, they can provide a real benefit. So take these steps and keep that cybersecurity Grinch from your door!
At SeekingFire Consulting Inc., we’re proud to partner with a variety of organizations, institutions and businesses across Western Canada. As we look to 2023, we’re here to support folks who are looking to ensure they’re on a sound data security footing.
If you’re curious, we offer a complimentary consultation to all prospective clients, so there’s no risk in reaching out. If you’d like to chat, please get in touch. We’d be delighted to hear from you. However you celebrate, happy holidays from SeekingFire Consulting Inc.
While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.