General security

8 ways to improve your organization’s security posture

September 3, 2019 by Daniel Brecht

Many businesses are still unprepared for deterring actual cyber-related attacks against their network, mobile devices, cloud systems and physical entities (IT infrastructures and computers) through flaws or user errors, and attackers will look to exploit any of them. Fortunately, there are effective and affordable ways to reduce the organization’s exposure with a coordinated security program that can have a material impact on their information security readiness and on the capability of staff to deter potential attackers. Preparing the workforce to protect their environments is key!

As much as it is important to have in place all security measures to safeguard the information systems infrastructures, hardware and software alone cannot withstand the attacks of malicious hackers that are becoming savvier and savvier. A number of other considerations must be made, including correcting weaknesses in staff training. 

A good education program to create security-aware users who can pay attention to the areas of vulnerability is paramount to harden the weakest link of the cybersecurity chain (the user) and help keep the organization safe from cyberattacks. Humans, not hardware or software, are taking a more precise role today as the first and last line of defense against cybercriminals.

So what can an organization do to improve its security posture? Below are a few best practices, listed in no particular order, that can serve as an approach for any business to be safer and more secure in their environment.

8 best practices to enhance your security program

1. Develop or improve a security plan

It is paramount to have a well-devised plan that covers the organization’s cyber-risk management strategy and also addresses how the business can recover quickly if an incident does occur. Such a plan needs to include the identification of possible risks and areas that need protection; it should define roles that personnel will have in response to different security events, as well as checklists of actions that need to be made periodically and/or that should not be allowed.

2. Conduct a comprehensive risk assessment

No planning can be completed without a full understanding of what the cyberthreats and vulnerabilities are that concern the business and individual sections. Only after identifying the specific needs of the company, it is possible to devise the correct technical solutions but also the needed policies, what to address in security plans and in security awareness education for employees. 

Only after evaluating all events, cyber-issues and vulnerabilities believed to be a concern and consolidating the results of risk assessments can a company can shed light on what staff needs to monitor, control and eventually manage to minimize potential data breaches that might have an impact on the organization as a whole. A good risk assessment can help devise proper plans to quickly recover from attacks and system downtime while improving an organization’s security strategy.

3. Establish relevant technology infrastructure control activities

It is important to convey to employees the importance of employing the appropriate security controls. In securing the IT infrastructure, developing and maintaining security controls can stop an attack before it happens. 

The ISO/IEC TS 27008:2019 provides guidance on reviewing the implementation and operation of controls, while the ISO/IEC 27002:2013 takes into consideration the organization’s information security risk environment(s) that can help small, medium and large businesses in any sector develop their own information security management system (ISMS) through the implementation of ISO/IEC 27001.

4. Check and revise information security policies and procedures (P&Ps)

Ensure the P&Ps support current business practices and expectations. Having updated policies and a well-established set of procedures can address the security and compliance needs of the organization by guiding workers in how they can protect and control the information systems. Cybersecurity-enforced policies and directives need to be clearly conveyed to all staff so that they can understand why things are done in a certain way and the importance of not deviating from the established procedures.

5. Evaluate the security of an IT infrastructure — employ a pentest

Finding weaknesses by leveraging Breach and Attack Simulation (BAS), “a category of tools that simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture” (as Gartner defines) is a great way to evaluate the organization and staff readiness. Pentesting is an effective way to evaluate the security of a computing network and applying the lessons learned to improve the level of resilience to risks. A pentesting effort can quantitatively assess and measure threats to information assets by presenting the information resulting from analyzing incident-related data and determining the appropriate response to the incident. 

Human-based techniques like pentesting can be a suitable security practice for assessing defenses and uncovering weaknesses in infrastructures and applications. But by being able to look for vulnerabilities in less traditional ways, it can also identify weaknesses in user response, needed training areas and, if performed before and after an education campaign, how effective the training effort was.

6. Raise employee cybersecurity awareness

The obvious way to create and nourish a healthy security culture! Organizations of all sizes and industries are vulnerable to cyberthreats; therefore, safekeeping information assets from phishing and ransomware, for example, will require users’ awareness of these threats and the ability of the workforce to mitigate risks. 

Building a cyber-aware staff means addressing the resilience of the human element of cybersecurity. It is vital for employees to be prepared to handle threats that slip through the network perimeter controls, so it is beneficial to implement a security awareness and training program for the members of staff by following guides such as the NIST Special Publication 800-50. 

As mentioned in The Components of Top Security Awareness Programs, “an effective cyber security strategy and implementation plan to sustain security operations from pre-incident to post-incident starts with educating personnel in data breach prevention and response.”

7. Find creative ways to educate your workforce in IT security

Companies need to find ways to really emphasize the importance of security awareness, but they also need creative ways to reinforce knowledge acquired through formal in-class and online training. Using tools that consist of various modules and simulations for any industry and needs can be a great resource to train personnel and empower them to be the front line of defense against cyberthreats. 

8. Identify and empower a readiness champion

Why not become your own security champion, identifying an individual or a team responsible for leading all security-related activities? This person will be the driving force behind the effort of incorporating good security practices into all aspects of a company’s daily operations and development processes. 

The person chosen for the role will need to have significant information technology/cybersecurity responsibilities and fully understand the information security needs of the organization! He or she must be a good role model to co-workers for safe work practices and behaviors and empower other employees with the know-how to prevent cyber threats and help protect the company from attacks. Designing A Security Champions Program can help make incremental progress towards resilience.

Conclusion

These eight best practices can really help build a cyber-resilience strategy and improve the security posture of any organization. It is clear, however, that it’s important to create a culture of security awareness across the organization and among employees. This is really the best way to provide a constant barrier that deters cyberattacks that take advantage of human behavior.

A serious breach can result in data loss or potential damage to the IT infrastructure and have adverse effects on essential company operations and on the business itself through the loss of confidentiality, integrity or availability of informational assets. 

An effective cybersecurity strategy and implementation plan starts with educating personnel in data breach prevention and response. Any organization needs to invest in and implement a regular employee security awareness program that can convey to the entire staff, regardless of role and department, their responsibility in protecting the workplace against a breach or targeted attack.

There are several aspects to consider when creating a sound security program. Consider involving the entire workforce through training and exercises that address any IT-related threats and vulnerabilities effectively, performing periodic assessment of the risks and potential issues specific to the business, or employing the help of an appointed internal security champion to help incorporate good security practices. 

An organization‐wide risk management and security program requires, of course, the strong commitment, direct involvement and ongoing support from senior leaders/executives. In fact, such efforts are constant and permanent and require continuous evaluation, funding and support. Inconsistency will cancel out any steps forward and opens the organization to increased risks.

Sources

Posted: September 3, 2019
Articles Author
Daniel Brecht
View Profile

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.

Leave a Reply

Your email address will not be published. Required fields are marked *