If you thought your organization was too small to be affected by cyber-crime, the WannaCry (also called WannaCryptor) ransomware outbreak should have been eye-opening: it spread on its own to any unpatched Windows host it could reach, with no regard for who owned the machine. Malware (which includes ransomware), credential theft, and other common cyber-crimes are not aimed only at Fortune 500 companies. Most of them are opportunistic, looking for whatever is exposed and unpatched, so regardless of size you are just as likely a victim as the big players. It is time to take our heads out of the sand and start talking about this.
Taking security seriously does not mean you need to invest $250,000 in a solution. It starts with making every executive and manager in your company aware that, going forward, the organization is committed to improving its security posture. Begin by educating your leadership on the risks and make them responsible for passing that information on to their teams. This cultural change becomes the foundation for every security initiative that follows.
In order to improve, you first need to find out what needs to be changed. Your IT department may well be able to tell you which security mechanisms are in place and what standard your configurations are built to, but we strongly recommend using a third-party consultant to make this determination. An IT department that has long faced cultural challenges may take your request as adversarial, or as an accusation that its work is insufficient. This does not need to be as expensive as a formal audit. You are looking for a consultant who knows what a secure environment should look like, preferably measured against a respected standard such as the NIST Cybersecurity Framework, the SANS Top 20 controls, or the CIS Controls and Benchmarks. Since the cyber-crimes we are talking about go after low-hanging fruit, it is crucial to start by identifying and remediating the basics: missing patches, weak or shared passwords, excessive privileges, and missing backups. Edge-case risks can wait. Be prepared for the finding that your most obvious vulnerability is not technical but a matter of people and process.
With the assessment complete, you should have a good idea of what needs to be done to get your environment in shape. Have IT identify the time cost, financial cost, and cultural cost of each change and work together on a remediation roadmap. We do not recommend making the detailed roadmap public within your organization; instead, make everyone aware that changes are being made, that the changes have the full support of leadership, and that everyone is required to cooperate. If your organization is large enough, give employees the opportunity to comment on how an upcoming change will affect their work. Valid concerns should always be addressed during the planning phase, but they should never be allowed to supersede or weaken a solution's security.
If you follow this process, you will quickly move your organization's security beyond where most companies currently stand and become a less attractive target for opportunistic cyber-criminals.
As always, we are here to provide the guidance and support you need to protect your business from cyber-crime. To learn more about our ASK Live Security Monitoring solutions, contact us at (517) 676-6633.