How to Create a Culture of Security

Organizational security should be the responsibility of all employees, contractors, and vendors. Getting to the point where everyone feels security is as much a part of their role as checking email takes an organized, methodical approach. While everyone is responsible, a single person should be identified to lead, manage, and ensure the initiative is successful.

All parties having a “healthy sense of paranoia,” coupled with good processes and systems, will create a strong organizational immune system. Below is an in-depth model approach to building security into everyday processes.

Onboarding

On an employee’s first day, have a conversation to impart the criticality of good security hygiene and create that initial “healthy sense of paranoia.”

Training

Provide regular, ideally monthly, training videos on phishing, data privacy, passwords, and situational awareness. Quarterly, test your staff with internal simulated phishing campaigns to evaluate the effectiveness of the training.

Device Controls

IT should enforce agreed-upon security measures on staff technologies in order to prevent an incident. Such measures could include laptop encryption, two-factor authentication, use of EDR (Endpoint Detection and Response) in place of traditional antivirus, and removal of local administrative rights. All devices that have access to company data and systems should be managed by device management software.

Securing Systems

All technology systems should be configured based on best practices, updated regularly (and on demand for security updates), and reviewed and tested twice a year by an outside party. This includes firewalls, servers, and company-wide software.

Cyber Insurance

Unfortunate events can still happen to the most prepared; that’s why we buy insurance. Coverage should extend beyond the ransom fee to include recovery expenses and loss of revenue, and should start at no less than a million in coverage. Compare at least 3 policy proposals and review all the options and add-ons carefully.

Policies

Your organization may already be required to have some data security policies in place based on your industry, state, or cyber liability requirements. The right policy will help keep staff accountable and protect the organization; consult an expert to determine what is right. Review your policies annually, update them accordingly, and train your staff. We are finding that more regulatory bodies are requiring Privacy Policies and Data Classification Policies in addition to Security Policies.

Procedures

An appropriate and well-written procedure finds its value in times of need. It focuses on what’s most important, gives clear and concise instructions on how to proceed, and is the voice of reason when tensions are high. We recommend having, at a minimum, Disaster Recovery, Incident Response, and Change Management procedures. We also recommend documenting processes for security-related tasks such as user exits, access privilege elevations, and new system setups.

IT Department

From a security standpoint, the IT staff should be the most paranoid and vigilant. They should be up to date on best practices for all the technology in the company, treat administrative privileges with the utmost caution, and continuously improve along the way.

Automation technologies are more readily available now than ever before, and the use of automation reduces the risk of human error. IT should look to automate as much of the above as possible, from user setups and exits to system maintenance, security review, and even guided reminders to review policies. If you would like to learn more, please contact us at insource@insourceservices.com or 781-235-1490.

At Insource, we love solving problems and making things work better for our clients.

Contact us for more information on our services and how we can help your business.