In the U.S., October marks National Cyber Security Awareness Month, and as the New Year fast approaches, small and medium-sized companies are either starting or in the middle of planning their corporate strategies for 2015. Given that 2014 was another banner year in data breaches, it is fair to assume that information security should be a high priority for SMBs this planning season.
Invariably, most information security planning conversations begin with technology investments, as we are programmed to equate security protection with hardware and software purchases that keep our data safe. However, as criminals and attacks evolve, so should our approach to information protection. We need to implement pragmatic methodologies that help us allocate resources more effectively. This is especially pertinent for SMBs, which typically need to squeeze the return from every dollar invested.
As you plan for how to tackle your security objectives in 2015, here are some key considerations to evaluate:
Data Security – No one size fits all: Not all data is of equal importance when it comes to security, and taking a one-size-fits-all approach to data security is not practical. This is why information security standards like ISO 27001 require a data discovery and classification exercise. In this activity, you simply determine which data types pass through your organization and use a scheme that makes sense for your organization to rank that data in order of importance. For example, if I am a small EMR (Electronic Medical Records) startup processing sensitive patient information, then locating and classifying this type of data should be of the highest priority.
Review Your Value Chain: Most companies rely on a value chain of vendors and activities to get their product to market. This means that sometimes sensitive information needs to pass between different entities. The standard way of managing the risk of third-party disclosure is through an NDA (Non-Disclosure Agreement), but in my experience, these are rarely enforced. NDAs are still an effective way to detail policies for the processing of sensitive information, but it is highly recommended to perform at least an annual review of how the entities in your value chain are actually transmitting, processing, and storing your sensitive information. This is important because as long as you are the official controller of that information, you are accountable for any breach, even if it occurs because of a third party's poor controls.
Invest in Response: Security controls fall into three large buckets: preventive controls, detective controls, and response controls. Most companies focus on the preventive controls, that is, how to protect the organization from a data breach. In addition, there is a growing market for systems (e.g. SIEMs, IDS, and log management systems) that can detect when you have been breached. However, less attention is given to response controls. Response controls require you to map out the actions and activities to follow in the event your sensitive information is compromised. These could include whom to notify, which logs to preserve for further investigation, and when to engage law enforcement. I recommend that your organization take the time to develop a response plan and to perform dry runs of that plan, so that everyone involved gains experience in its execution. Having a well-thought-out response plan could mean the difference between staying in business and folding after a significant breach.
The Sunk Cost Fallacy: Every company, no matter its size, has to deal with the sunk cost fallacy, in which business leaders convince themselves that they need to stay on a certain trajectory because the investment has already been made. No one wants to be seen as the person wasting resources, but it is important to ask the hard questions that determine whether the investments made in previous security programs are still fit for purpose. For example, the firewalls and anti-virus systems you bought 5-7 years ago are not as effective against today's attacks, yet companies still spend annually on the administration and maintenance needed to keep these systems going. It may be time to make the bold move to stop the cycle and examine whether your security program is built for today's reality. If it is not, then do not be afraid to make the decision to stop funding an ineffective strategy.
Report on Performance: Just as Finance teams use balance sheets and income statements to report on periodic performance, your security program should take a similar approach. For 2015, set up a scorecard for your security investments, so that this time next year you will have a better sense of how to address your gaps in 2016. These metrics do not have to be sophisticated; they just have to report on the effectiveness of your security program. For example, you can simply track the number of recorded violations of your security policy. Metrics are essential for measuring the return on your security investment, and they will help make next year's planning process more targeted at your underperforming areas.
These considerations are not an exhaustive list of elements you should consider for your 2015 security planning, but they do represent areas that are often ignored when planning a security program.
U.S. National Cyber Security Awareness Month Blog Series:
Week 4: 5 Key Security Considerations for SMBs in 2015