Your IT people cannot protect your corporate information, even if they do their jobs perfectly.
Here’s what can.
Protecting your corporate information is not just an IT matter. It goes beyond firewalls and anti-virus software. After your IT people do everything they should to protect your data, thieves can still steal it. To really protect it, you have to add company-wide security policies and physical security precautions.
Here are the steps you need to take to make your data truly secure. BCSS can help you take any or all of them.
Choose the proper security framework
First, you have to decide what “secure” really means for your company. Your security framework is your roadmap. It shows you where you are now, where you need to be, and how to get there. If you don’t have the framework, you can’t really answer the question, “Is our information secure?”
BCSS can help you choose the right security framework based on the widely used framework written by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST). (NIST standards are vendor-neutral; they aren’t trying to sell you a single thing.)
Some businesses don’t need to choose a framework because they have a security framework imposed upon them, whether by an industry association, by PCI, by regulations like HIPAA, or by customers who are increasingly demanding tighter data security from their vendors. If that’s the case, we can help you navigate that framework, understand exactly which parts apply to you, and show you the easiest, most efficient ways to comply with them.
Part of choosing a good security framework is a decision about your risk tolerance. Some companies need to be absolutely as tight as possible. For others, that doesn’t make economic sense. We can help you decide where to set the bar.
Once you have a security framework and you know your risk tolerance, the next question is: Who’s going to be responsible for this?
Decide who will “own” security
Protecting your information requires decisions at a level higher than IT—decisions by people with the authority and the spending power to back them up.
You need to appoint a Security Officer. It need not be a technically trained person. Working with a team that includes HR, Finance and IT, your Security Officer’s job is to understand the security framework and make sure everyone is living by it.
The Security Officer can’t be a consultant. It has to be someone inside the company and high enough up to give direction to all departments.
If your company’s systems grow to a certain size and complexity, you will also need a Chief Information Security Officer (CISO) who is trained in both security and IT management. This job can be filled by a consultant, and because the mean salary for CISOs is over $200,000 [1], many companies use part-time consultants as “virtual” CISOs. BCSS can provide someone with long experience as a CISO to do it for you.
Never stop working on security
Security isn’t a solution you boot up and leave alone. Your people, your customers, your technology, laws, and the power and sophistication of cybercriminals are changing all the time, so your way of protecting your data has to change with them.
Security is not an end-point; it’s a process with three different phases that must be continually repeated: Assessment, Remediation, and Monitoring. BCSS can handle any one or all three of them for you.
Phase One: Assessment
The first phase is an assessment of your physical security, your virtual security and the adequacy of your company’s security policies and procedures. The assessment answers the questions, “Are we living up to our security framework? And if not, what needs to change?”
Physical security: We’ll physically search for ways that someone, anyone, could get the information they should not be allowed to have. Are your servers behind locked doors? Are any workstations accessible to visitors? Are workstations left logged in while people are away from their desks? There are hundreds of places to look for these cracks in the wall.
Virtual security: We’ll search your network with vulnerability scanning software tools. They’ll uncover things like devices you didn’t know were connected, devices that have not been updated with the latest security patches, and whether a poor network configuration has left you vulnerable to hackers.
Security policies and procedures: We’ll search for risks by asking questions about how things are done. When someone leaves the company, what do you do with their laptop and phone? How do your people use flash drives? What do you do with old computers? Do you have a written procedure for on-boarding new users? Can you confirm that these steps were done and by whom?
A security assessment needs to be done every year (or perhaps more often) because the risks are always changing and because people get complacent.
Phase Two: Remediation
To begin the remediation phase, we’ll make a basic plan for neutralizing the risks that were uncovered in the assessment. (And risks are always uncovered.)
We’ll discuss the remediation plan with your Security Officer, and you’ll need to decide who will tackle each remediation task. If your internal team has the time and expertise, they can do it all. If not, we can do it all or we can collaborate with your people and divide up the tasks. In any case, we can serve as your project manager to make sure the work gets done right.
Remember that remediation isn’t just fixing the technology; you need to get the business practices right, too — security awareness training, procedures for on-boarding and terminating, checks and balances to make sure your people are walking the walk, and many others.
Phase Three: Monitoring
Monitoring is needed because security is a moving target. What kept you safe last month may not work this month.
Different companies need different levels of security monitoring. The most basic level would be to refresh the security assessment each year. Beyond that, you might need to add more advanced firewalls, security monitoring systems, login systems, intrusion prevention systems or other proactive scanning systems. If your organization is subject to compliance rules like HIPAA or PCI, or you hold very sensitive data, you may need to outsource monitoring to a Security Operations Center (SOC) with full-time security people who have more training than most IT people.
BCSS can set up any level of monitoring for you, from basic to maximum. And we can connect you with top-level SOCs and manage their service to you.
GET EXPERT HELP
Four reasons to call BCSS:
1. We have trained, experienced security experts. Cybersecurity is more than plugging in the right devices and reading the right protocols. There’s an element of detective work in it, and some people are better at it than others. We have those people.
One of our Cybersecurity Consultants is a Ph.D. engineer and an Associate Professor in the University of Maryland’s Cybersecurity Graduate Program.
Another of our Cybersecurity Consultants is an MBA with 30 years of experience in IT including service as Virtual Chief Information Security Officer for several companies.
Ron Searle, President and founder of BCSS, has master’s degrees in project management and business and 30 years in IT work. He has served dozens of companies as Virtual Chief Information Officer.
2. Our work pays for itself because good security saves money. You may never suffer the disastrous kind of data breach that puts you out of business, but even a “little” breach can cost hundreds of IT man-hours cleaning up the mess — many times the cost of having BCSS prevent the mess in the first place. Note that in a study of 419 companies that experienced a breach, the average cost was $3.62 million [3].
3. And we can save you even more money because we are a family of companies. Our sister companies do IT management, cloud computing solutions and cost reduction studies. BCSS could save you a lot of time and money if you need those services because we would already be familiar with your IT systems and your company’s ways of working. And there’s no obligation to use our sister companies.
4. It costs nothing to talk. Tell us your security worries, and we’ll give you a proposal on how we might be able to help. It’s free.
Call us today. Hackers work from every time zone.
How an IT tech saved half an hour and lost $197 million [2].
In March of 2017, Homeland Security warned of a security flaw in a widely used piece of business software. A patch to fix the flaw became available that same month, but one user of the software, Equifax, didn’t install the patch everywhere it was needed, a task that would have taken about half an hour.
Two months later, cybercrooks used that flaw to get into Equifax’s systems and steal personal information on 143 million people. Equifax didn’t notice the breach until almost August. Cybercrooks had months to do their work and dig deeper.
The breach would have easily been prevented by a policy of checks and balances (automated scanners, for example) to make sure security updates are installed promptly.
Equifax said the breach had cost $87 million by November and might cost them another $110 million before it was over. Others think the number is higher. It also cost the CEO, CIO, and CISO their jobs.
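The “checks and balances” the Equifax story above calls for do not have to be elaborate. As an added example (not BCSS’s tooling and not code from this page), the script below compares a host inventory against a patch advisory, reports which hosts are still below the fixed version, and flags the advisory as overdue once a grace period has passed. A host whose version cannot be read is counted as unpatched rather than skipped, since a scanner that silently skips a host is exactly the gap the story describes. The product name, host names, versions and dates are all constructed for the example.

```python
"""Patch-compliance check over a host inventory (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    published: date      # day the patch became available


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str         # as reported by the inventory or scanner


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.32' -> (2, 3, 32). Raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.split("."))


def version_is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed. Fails closed: an unreadable version
    counts as unpatched so that the host shows up in the report."""
    try:
        return parse_version(installed) >= parse_version(fixed)
    except ValueError:
        return False


def compliance_report(hosts: List[Host], advisory: Advisory,
                      today: date, grace_days: int = 30) -> Dict:
    """Sort hosts into patched / unpatched / out_of_scope for one advisory
    and say whether the unpatched ones are past the grace period."""
    report: Dict = {"patched": [], "unpatched": [], "out_of_scope": []}
    for host in hosts:
        if host.product != advisory.product:
            report["out_of_scope"].append(host.name)
        elif version_is_patched(host.version, advisory.fixed_version):
            report["patched"].append(host.name)
        else:
            report["unpatched"].append(host.name)
    report["days_since_patch"] = (today - advisory.published).days
    report["overdue"] = bool(report["unpatched"]) and report["days_since_patch"] > grace_days
    return report


# Constructed sample data: hypothetical product "ExampleApp", hypothetical hosts and dates.
ADVISORY = Advisory(product="ExampleApp", fixed_version="2.3.32", published=date(2025, 1, 10))
INVENTORY = [
    Host("web-01", "ExampleApp", "2.3.32"),    # patched
    Host("web-02", "ExampleApp", "2.3.30"),    # one minor behind
    Host("app-03", "ExampleApp", "2.3.5"),     # far behind
    Host("legacy-04", "ExampleApp", "unknown"),  # scanner could not read version
    Host("db-01", "ExampleDB", "11.4"),        # different product, not in scope
]


def sample_report(today_iso: str = "2025-02-20") -> Dict:
    """Run the check against the constructed inventory for a given day."""
    return compliance_report(INVENTORY, ADVISORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = sample_report()
    print(f"{ADVISORY.product} fix {ADVISORY.fixed_version}: "
          f"{result['days_since_patch']} days since release, overdue={result['overdue']}")
    for name in result["unpatched"]:
        print(f"  UNPATCHED: {name}")
```

In practice the inventory would come from the vulnerability scanner or asset database mentioned in the assessment phase, and the report would be reviewed by the Security Officer on a fixed schedule, so that “did we patch everywhere?” is answered by a record rather than by assumption.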
1. Forbes Magazine, “Top Cyber Security Salaries In U.S. Metros Hit $380,000”
2. ZDNet, November 2017, “Equifax spends $87.5 million on data breach, more expenses on deck”
3. 2017 Cost of Data Breach Study, Ponemon Institute