Building a secure organization requires deliberate planning and strategy; it is not enough to focus on systems alone. A good company security strategy rests on three cornerstones: technology, processes, and people. In this article, we discuss how to develop an effective organizational security strategy that promotes a good security culture.
The single biggest weakness in any organization’s security strategy is the “human element” of security. Systems and technology are generally very secure once they are configured correctly, because technology doesn’t make its own decisions. This means that it’s typically much easier to create secure systems than it is to create secure employees. Social engineering is the use of psychological manipulation to cause people to perform actions that can be used against an organization, and it’s estimated that between 70% and 90% of all data breaches involve social engineering. To create a truly secure environment, you must have security at all levels of your business, not just in the security team or the IT staff. Non-security employees represent one of your biggest threat vectors as a business, and this cannot be overlooked. We like to describe this as having an “all in” mentality: every area of your business needs to be trained and conditioned to be secure. Otherwise, hackers will simply attack your weakest area to gain access to your company. As the old saying goes, “you are only as strong as your weakest link”.
In this section, we discuss some basic organizational strategies you can use as first steps toward implementing security and building a security roadmap. These are simple measures that will drastically reduce the likelihood of your company falling victim to a cyber attack.
Threat modeling is the practice of identifying the risks and threats associated with the different areas of your business. It’s important that you understand the most likely threats to your organization so that you can plan ahead and implement security controls that mitigate those risks. Threat modeling should be routine for the entire network, and it should also be done whenever new technology such as a new web application is being developed, as part of the Software Development Lifecycle (SDLC).
Having secure passwords is one of the first lines of defense for your organization. With modern password cracking software, weak passwords can be cracked in a matter of minutes, making them an easy entry point for hackers. The best way to prevent this is to create a mandatory password policy that dictates the type of passwords your users must create. Industry standards vary, but generally a strong password should be at least 8 characters in length and contain at least one uppercase letter, one lowercase letter, one number, and one special character. This should be the minimum standard for password complexity on your user accounts, and we recommend increasing the length to at least 10 characters for special accounts such as administrator accounts. You can use free tools like the secure password checker to see how strong your password is and roughly how long it would take a hacker to crack it.
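As an added illustration (not code from the original post), the following checker enforces exactly the complexity rules stated above, including the longer minimum for administrator accounts, and reports every requirement a candidate password fails rather than a bare yes/no; the `MIN_LENGTH` and `RULES` names are assumptions chosen here.

```python
import re

# Minimum lengths taken from the policy described above: 8 characters for
# standard user accounts, 10 for privileged accounts such as administrators.
MIN_LENGTH = {"user": 8, "admin": 10}

# Each rule is (description, predicate). A compliant password satisfies all of them.
RULES = [
    ("uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def policy_violations(password: str, account_type: str = "user") -> list[str]:
    """Return every policy requirement the password fails (empty list = compliant).

    Reporting all failures at once lets a user fix the password in one attempt
    instead of discovering the rules one rejection at a time.
    """
    minimum = MIN_LENGTH[account_type]
    failures = []
    if len(password) < minimum:
        failures.append(f"at least {minimum} characters for {account_type} accounts")
    for description, check in RULES:
        if not check(password):
            failures.append(f"at least one {description}")
    return failures


def is_compliant(password: str, account_type: str = "user") -> bool:
    """True when the password meets the policy for the given account type."""
    return not policy_violations(password, account_type)


if __name__ == "__main__":
    for candidate, kind in [("password", "user"), ("Abcdef1!", "user"), ("Abcdef1!", "admin")]:
        print(kind, repr(candidate), policy_violations(candidate, kind) or "compliant")
```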
Software updates are one of the simplest ways to reduce vulnerabilities in your organization. Whenever security vulnerabilities are found in software, the vendor typically releases patches to fix them; you must have a process for detecting and applying these patches to keep your systems as secure as possible. For further guidance on how to properly implement patch management, the National Institute of Standards and Technology (NIST) has written a guide to patch management for businesses to follow.
There are three forms of authentication: 1) what you know, 2) what you have, and 3) what you are (biometrics). Two-factor authentication is the use of at least two of these forms of authentication to make it more difficult for someone to compromise your account. This usually means adding either option 2 or option 3 alongside your traditional username and password to prevent hackers from compromising your accounts. It commonly takes the form of a software token generated by an app such as Microsoft Authenticator, but it can also be a hardware device, biometrics, or another method.
Information sharing refers to taking care to limit how sensitive information is shared within your company or with third parties. When dealing with sensitive information, it’s important to implement the principle of least privilege, which mandates that you share information only with people who need it to do their job. This matters from both a security and a compliance perspective. To do this effectively, you need a consistent means of classifying data so that you understand its level of sensitivity.
You must educate your employees on how to perform their job functions securely. At a minimum, each employee should be made aware of three key things. First, they should understand what a phishing email is and how to detect one. Second, they should understand the danger of downloading file attachments, enabling macros, and navigating to suspicious websites on company machines. Third, employees need to be taught how to handle sensitive company information. Depending on the employee’s role, customer information may be subject to certain regulations, and access to that information should be limited within the business.
As discussed in our article Why your Organization Needs an Employee Phishing Campaign and How to Build One, phishing simulations are an important part of your organizational security strategy. In this section we briefly summarize how to get the most out of your campaigns.
To get the most out of your phishing simulations you need good metrics. You need to be able to measure how many emails were sent, who they were sent to, how many were opened, how many attachments were downloaded, and how many were reported. This gives you a clear picture of the level of security awareness among your employees.
When it comes to building a phishing simulation you have two choices. First, you can outsource it to a company that performs this type of work and let them manage the campaign. Second, you can use specialized software that allows you to create and manage these campaigns yourself. Once you’ve decided on a method for building your campaign, use your first simulation to establish a baseline of what percentage of users fell victim to it. Once you have that number, you can implement a security awareness training program and then retest your employees to verify that the training was effective. If the training resulted in lower rates of emails being opened and attachments being downloaded, the training was a success; if it didn’t, you need to reevaluate the training you are offering your employees.
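The metrics and the baseline-then-retest comparison described in the last two paragraphs, as an added example that is not part of the original post: it computes open, download and report rates from per-recipient campaign results and applies the success rule stated above (both the open rate and the download rate must fall). The `CampaignResult` record and the two constructed result sets are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class CampaignResult:
    """Outcome for one recipient of one simulated phishing email."""
    recipient: str
    opened: bool       # the email was opened
    downloaded: bool   # the attachment was downloaded (the "fell victim" event)
    reported: bool     # the recipient reported the email to security


# Constructed sample data: the same five recipients before and after training.
BASELINE = [
    CampaignResult("alice", opened=True, downloaded=True, reported=False),
    CampaignResult("bob", opened=True, downloaded=False, reported=True),
    CampaignResult("carol", opened=False, downloaded=False, reported=False),
    CampaignResult("dave", opened=True, downloaded=True, reported=False),
    CampaignResult("erin", opened=True, downloaded=False, reported=False),
]
RETEST = [
    CampaignResult("alice", opened=True, downloaded=False, reported=True),
    CampaignResult("bob", opened=False, downloaded=False, reported=False),
    CampaignResult("carol", opened=False, downloaded=False, reported=False),
    CampaignResult("dave", opened=True, downloaded=True, reported=False),
    CampaignResult("erin", opened=False, downloaded=False, reported=True),
]


def summarize(results: list[CampaignResult]) -> dict:
    """Return the campaign metrics as percentages of emails sent (one decimal place)."""
    sent = len(results)
    if sent == 0:
        raise ValueError("campaign has no recipients")
    pct = lambda count: round(100.0 * count / sent, 1)
    return {
        "sent": sent,
        "open_rate": pct(sum(r.opened for r in results)),
        "download_rate": pct(sum(r.downloaded for r in results)),
        "report_rate": pct(sum(r.reported for r in results)),
    }


def training_effective(baseline: list[CampaignResult], retest: list[CampaignResult]) -> bool:
    """Success rule from the text: both the open rate and the download rate must drop."""
    before, after = summarize(baseline), summarize(retest)
    return (after["open_rate"] < before["open_rate"]
            and after["download_rate"] < before["download_rate"])


if __name__ == "__main__":
    print("baseline:", summarize(BASELINE))
    print("retest:  ", summarize(RETEST))
    print("training effective:", training_effective(BASELINE, RETEST))
```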
Company security policies are documents that mandate how the organization should function. They cover things like password policies, hiring procedures, termination procedures, data handling, and other security matters, and they are important for controlling how employees implement security in your organization. Another important measure is proper security screening of candidates during hiring to ensure that you hire the right people for your organization.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a compliance regulation that applies to all private sector organizations in Canada. To ensure compliance with PIPEDA you must uphold its 10 key principles:
1) Appoint a PIPEDA Compliance Officer
2) Have a clear purpose for all data that you collect
3) Obtain meaningful consent before collecting data
4) Limit collection to what is necessary for business purposes
5) Limit use, disclosure, and retention to what is necessary for business purposes
6) Have processes for detecting and correcting inaccurate customer information
7) Have appropriate security safeguards
8) Be open about your information management practices
9) Allow individuals to access their information
10) Allow customers to challenge your compliance with these principles
In addition to PIPEDA, you need to be aware of other provincial and international regulations that can also affect your business. HIPAA is a compliance regulation that affects companies that collect healthcare information, while GDPR affects companies that collect information from anyone living in the European Union. SOC 2 and ISO 27001 are important accounting compliance standards that require the implementation of security controls, processes, and procedures. It’s important to understand and adhere to the compliance standards that apply to you.
Measuring the results of your cybersecurity program can be difficult, but it is not impossible. As discussed above under security awareness, phishing simulations let you measure how much your training program has increased your employees’ resilience to phishing emails; this is the best way to measure your company’s overall security awareness. In terms of general cybersecurity metrics, it’s good to measure your company’s mean time to detect security incidents and mean time to resolve security incidents, and to run routine penetration tests to see how many vulnerabilities exist in the organization.
Having a good organizational security strategy means a commitment to both the technical and the human elements. It’s not good enough to secure your organization’s systems while neglecting the human element. In this blog post, we gave you practical tips on how to secure both your organization’s systems and its human users, and on how to measure the results of your efforts so that you can demonstrate ROI to upper management and stakeholders.