“Cyber attacks are one of the unfortunate realities of doing business today.” That’s what Zynga wrote on its support page after it fell victim to a data breach last September.
Unfortunately, Zynga’s right. That particular attack exposed personal information linked to more than 218 million Words With Friends player accounts, but it’s hardly unique.
Companies big and small in every industry are targeted by cybercriminals every day. Sometimes data gets stolen and sometimes it doesn’t, and sometimes a breach goes undetected until long after it has occurred.
Almost inevitably, your company will become a target, but you can control how much of that risk you carry.
Company security is a shared responsibility that should be a part of every employee’s job description. Your company’s overall security posture — the security state of your entire IT stack — is a product of many factors. It is heavily dependent on the knowledge and readiness of everyone in your organization.
To assess your security posture, you need an accurate inventory of the processes and controls you have in place. These include technical layers such as external vulnerability scans, encryption, and network security tools, as well as your employee training programs.
Evaluating these components against the threats you actually face is what tells you where and how you are vulnerable. If you don’t know where to start, take these three steps to lay the groundwork for a strong security posture.
1. Set security ownership.
Cyber security is everyone’s responsibility, but it is not every employee’s primary task. Increasingly, security is being aligned with company strategy, which makes it the domain of the C-suite. In fact, the most resilient companies in the digital world make security an executive-level priority. When responsibility starts at the top, it is much easier to build an organization that shares it.
Kayne McGladrey, director of security at design and construction firm Penser Development, believes company culture is one of the most important aspects of your security posture. He recommends creating a resilient culture by fostering “healthy skepticism” among employees.
Don’t stop at a mandatory one-time training event. Teach your team about real-world security threats by demonstrating them: leave a USB stick in the kitchen, or put a simulated phishing email in an employee’s inbox. Then show employees how to react when the real attack comes. The point is not to embarrass or punish employees, but to prepare them for the inevitable.
2. Clarify your platform capabilities.
In the past, many companies relied on software-as-a-service (SaaS) to store, manage, and analyze customer and employee data, and the third-party firms providing the software took responsibility for keeping it secure.
Today, a growing number of companies demand customized software, which has given rise to the platform-as-a-service (PaaS) industry. But the versatility that PaaS offers comes with risk.
“It’s important to remember that PaaS is exceptionally flexible and because you can do anything with PaaS, people will do anything and everything,” says Pete Thurston, chief product and solutions officer at Revacult, a security and governance partner for enterprise companies using Salesforce.
For example, the ability to build custom applications within Salesforce can be a major boon for enterprise companies, but it also brings new challenges.
PaaS platforms and the applications built on them therefore need the same security consideration as your SQL databases, in-house servers, and off-site data storage. The applications you build within PaaS may not directly change your strategic position, but they are complex, mature systems that require care and planning to manage.
3. Include partners and subsidiaries.
Your security posture extends to every subsidiary and third-party firm brought in through mergers and acquisitions. Before making major M&A decisions, buyers should conduct cyber due diligence so that they understand how the target company’s information architecture will affect the overall security posture of the newly merged organization.
Joshua Foltz is a technology executive and chief information security officer at Exient, a backup and disaster recovery provider. He believes that the relative strength or weakness of a company’s security culture should be reflected in its valuation.
“Acquisition companies need to understand that they have inherited security risks during the acquisition,” he noted. Even if you get a discounted price on an acquisition, that risk — if not mitigated immediately — could eventually cost you more than you’re willing to pay. Don’t ignore it.