Is Your Culture Threat Aware?
In some of our earlier blog posts, we’ve looked at security in terms of GDPR (General Data Protection Regulation), and we’ve also looked at it from a software security perspective and highlighted the OWASP top ten security vulnerabilities that can make their way into poorly designed software applications.
Cybersecurity is a challenge not just for technically minded professionals, but also for the leadership in many businesses.
In this blog post, we continue with the security theme and look at some of the most common cyber security mistakes from a managerial perspective. We also look at what leadership teams can do to ensure that sufficient resources are available to the business and how a culture can be created that fosters an environment where everyone is aware of his or her responsibilities when it comes to ensuring security risks are kept to a minimum.
Who is attacking you?
Understanding who is attacking (or potentially attacking) your business is one of the first things to think about and can fall into roughly 4 categories:
- Individual hacker
- Organized Crime
- Foreign Governments
We don’t need to go into the details of each of these, that said, each will have their own motivations such as demonstrating technical prowess, raising awareness of an issue, financial theft or stealing political secrets, for example.
100% security isn’t achievable in any computer system or network - but you can get pretty close. Click To Tweet
“We need 100% security rolled out across the board”
100% security isn’t achievable in any computer system or network. An airline firm will publicly report that flight safety is paramount but at the same time, will recognize there is a risk to flying. The same rationale applies to cyber security. Large, well known and prestigious firms can, unfortunately, experience information theft through human error or disgruntled employees.
A more balanced approach is to accept this and to develop policies that allow you to position several lines of defense in the event of a security breach. Quite often, hacking doesn’t take place in front of a terminal, it can be as innocuous as a phone call (or social engineering) where employees unwittingly disclose what they think are harmless details. Technology can’t help with that, which brings us onto our next point.
“We bought the best security tools on the market”
Firms around the world offer products and services that allow businesses to identify potential intruders. While tools like these are essential for basic first lines of defense, you don’t need to break the bank when deploying such tools. As we touched on earlier, the human element can often be the weakest link in your security strategy.
Regardless of your investment in security tooling, its only as effective as the professionals using it. Management or those in leadership positions can help by educating teams, raising awareness of security threats and by changing the culture to ensure that employees are more likely to be “threat aware” and proactive in potential security breach situations.
“Our security tools must be better than the hackers”
There is almost an infinite number of scenarios that can take place when it comes to security breaches. Ultimately, the fight against cybercrime is an arms race!
As attackers figure out security vulnerabilities in operating systems or the software applications that run on them, providers of security software generally must release patches or system updates to close these security flaws.
One approach managers can take is to perform an audit and risk assessment of all assets under their control. Assess what the implication of loss of data and/or systems would have to the core business, either internally or externally then adapt any security policies around this. Would your brand be affected? Cashflow? Or would IP be lost, or even worse, made public?
By placing the emphasis on your businesses goals as opposed to potential hackers, management teams free themselves from playing “security tool catch-up”.
“If we monitor everything, we’ll be fine”
Yes, part of your cyber security strategy should involve monitoring incoming and outgoing data. Just as important for your business, however, is having the ability to learn and adapt from external or internal developments and use these insights to inform your existing security policies and procedures.
By learning and adapting to events, businesses organizations will be able to better anticipate if a security breach is imminent, for example, traffic spikes on a “quiet day” can lead security teams to analyze web server logs.
Leadership teams that deploy this practice can help set up their business or team for cyber security success in the long term.
Cyber security is often driven by compliance, regulations or even law like the GDPR. By learning and adapting to what’s going on around your team, you can ensure you’ll be best placed for security threats or incoming legislative changes!
It can be beneficial to have your cyber security processes and procedure baked into your HR policy Click To Tweet
“We must employ domain experts!”
You could be forgiven for thinking you simply need to recruit the best security experts and you’ll be fine. The thing is though, and we touched on this a little earlier – cyber security isn’t assigned to just one department, it needs to be baked into your company’s culture and your employees’ attitudes.
Quite often, cyber security is seen as a specialist profession. While you’ll need security professionals to segment your production environments from your DMZ, close certain web server or database ports in your firewall, there’s no getting away from the fact that if employees have the mindset of “IT deal with that”, it can lead to a false sense of security. With this in mind, it can be beneficial to have your cyber security processes and procedure baked into your HR policy thereby ensuring that everybody in your business or organization is aware of “doing their bit” to help reduce the chances of a cyber security threat from taking place!
In this article we’ve looked at some of the most common cyber security mistakes that businesses might make. We’ve looked at how achieving a 100% risk-free environment is nigh on impossible, but having a more strategic approach to cyber security can help you still operate safely despite this.
We’ve also seen how that even if you have the best tools on the market, hackers are always finding loopholes in operating systems or software and how one of the best lines of defense for your business is by changing your company culture, raising awareness of threats and by performing a risk assessment in the event of a system breach.
Here at Growth Acceleration Partners, we have extensive expertise in many verticals. Our nearshore business model can keep costs down while maintaining the same level of quality and professionalism you’d experience from a domestic team.
Our Centers of Engineering Excellence in Latin America focus on combining business acumen with development expertise to help your business. We can provide your organization with resources in the following areas:
- Software development for cloud and mobile applications
- Data analytics and data science
- Information systems
- Machine learning and artificial intelligence
- Predictive modeling
- QA and QA Automation