Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/22/2018
10:30 AM
Tim Bandos
Tim Bandos
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

9 Steps to More-Effective Organizational Security

Too often security is seen as a barrier, but it's the only way to help protect the enterprise from threats. Here are tips on how to strengthen your framework.

Having a robust and well-defined organizational security framework — one that focuses on both information technology and security — is crucial for fulfilling business requirements. Too often security can be viewed as a barrier, but ultimately, it's the only way to help protect the enterprise from threats and avoid a data compromise.

Here are nine helpful ways to build out your framework:

1. Take a risk-based approach. It's important to take a risk-based approach, especially with employees. Take time to identify which employees, from the top all the way down, represent the greatest risk if a compromise were to occur. Not every employee is created equal when it comes to risk. Some employees have domain administrative credentials across the whole enterprise. Others are the data custodians of critical information and have a surplus of sensitive trade secrets to maintain. You can make the necessary adjustments later, but determining where the most risk resides should always be one of the first things done in an organization.

2. Provide incentives for good behavior. Another important step, developing a security awareness program, can often feel like an effort in futility. Simply communicating what's expected of an employee from a security perspective or foisting a campaign on users isn't always effective. Organizations commonly deploy one-size-fits-all approaches that rarely succeed in altering employee behavior over time. These types of campaigns don't need to go away — they likely never will — but they should give incentives to participants and reward good behavior. Users shouldn't get shamed for accidentally clicking on a phishing link. Instead, they should feel like they play a pivotal role in strengthening the organizational control of a company.

3. Incorporate technology. That doesn't mean it's not good to take some decision-making work away from employees. If you're relying on an employee to do the right thing all the time, you're going to fail eventually. Some see security as a burden on a user, but it doesn't have to be like that. Technology, the more transparent and seamless the better, can help take the guesswork out of situations. Having a well-balanced security strategy paired with those technologies should be the goal of every enterprise.

4. Stop and think. Employees should learn to adopt a stop-and-think mindset. If an employee receives a phishing email, she should pause and ask herself "Is this something I should be doing?" before clicking through. The routine should become habitual, almost instinctive over time. An employee can be the last link in the security chain, but if that person clicks on something malicious, that chain is broken and has opened up the enterprise to a possible breach.

5. Assign a leader. Depending on the size of a business, it could prove beneficial to assign a security leader to each segment across the organization. The leader can confer with other leaders and collaborate on pressing security issues. Every time users have a question — about a potentially malicious link or any other issue — they should be able to ask someone about it quickly. Without a leader, someone dedicated to answering questions, users could be tempted to click on that link, something that could lead to bad decision-making behavior down the line.

6. Get other departments involved. Organizational security doesn't need to be confined solely to the IT department. It's important to leverage resources you have internally. The marketing department can even play a role. One of the main goals across an organization should be to build a security brand within the company. Tapping into the marketing department, a group of individuals that knows how to position itself, what reaches people, and how to measure it, can be enormously helpful.

7. Set up policies. Some of these suggestions may sound esoteric, but at the end of the day, employees still need to answer to something. That's why policies need to be set up and enacted. If you don't hold employees accountable for their actions — what sites users can browse to, what they're allowed to do on their machine, etc. — all of this will be for naught.

8. Refer to published frameworks. When it comes to published IT management frameworks, there are some great guides already on the books. The National Institute of Standards and Technology (NIST) has some guidance. Control Objectives for Information and Related Technologies, or COBIT, an auditing/compliance framework, can also help outline governance and management practices. Not everything may make sense for your company or your organization, but developing your own policies on the fly is never a great idea. Align with industry best practices; after all, they're considered best practices for a reason.

9. Take your time. There's no reason to rush. This isn't something that happens overnight. It can sometimes take years for a company to deploy a successful security awareness campaign. Corporations too often take a tactical approach while rolling out campaigns when they should be more realistic. Take a strategic approach and plan over the course of several years, not months.

Related Content:

 

Tim Bandos, CISSP, CISA, is Senior Director of Cybersecurity at Digital Guardian. He has more than 15 years of experience in cybersecurity, with expertise in internal controls, incident response, and threat intelligence. Prior to joining Digital Guardian in January 2016, Tim ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...
CVE-2021-20208
PUBLISHED: 2021-04-19
A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2021-27458
PUBLISHED: 2021-04-19
If Ethernet communication of the JTEKT Corporation TOYOPUC product series’ (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: Al...
CVE-2020-27241
PUBLISHED: 2021-04-19
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger...
CVE-2021-3497
PUBLISHED: 2021-04-19
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.