For Security, Focus on Risks, Not Tools
There is no such thing as perfect safety. Not in the digital world and not in the physical world. In fact, the risks, which have never been small, are getting worse. When one security vendor put up new servers as a test, all were discovered and attacked within hours; one was attacked in less than a minute. All the attacks were ongoing and relentless.
Because there’s no way to guarantee safety in that kind of hostile environment, information security teams can’t focus solely on defensive strategies that attempt to guarantee safety. Instead, they need to take a risk mitigation approach that analyzes weaknesses, prioritizes vulnerabilities, aligns resources with risks, and plans responses to a successful attack.
Decide Where to Focus Your Efforts
It isn’t possible to protect everything, nor is it even possible to evaluate the risks of everything. Instead, begin by identifying the critical systems that handle sensitive information and focus effort on the risks a breach of those systems would create. There are many kinds of risk, including impact on your ability to run your business, damage to your company’s reputation, and failure to comply with laws and regulations.
Identify Specific Threats and Impacts
For each of the critical systems, evaluate the major threat categories. These include access by unauthorized users or improper use of access by authorized users, data leaks, and data corruption or loss. Assess the impact of each threat, along with the existing controls in place to contain it. You should also consider how likely it is that the system will be exposed to the threat, and use impact and likelihood together to prioritize the need to respond to each risk. With these insights, you can plan additional strategies to reduce the risks to acceptable levels.
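The two steps above (pick the critical systems, then score each threat category against them by impact, likelihood and existing controls) amount to a small risk register. The following is an added example of such a register, not code from the original article or from Prescient Solutions; the 1 to 5 impact and likelihood scales, the control-effectiveness factor, the "acceptable level" threshold and the sample systems are all assumptions chosen for illustration.

```python
"""Risk register prioritizer (added example, not from the original article).

Each entry scores one threat category against one critical system.
Residual risk = impact x likelihood x (1 - control_effectiveness), so existing
controls lower the score but never remove it, matching the article's point that
risks can only be mitigated, not eliminated.
"""
from dataclasses import dataclass
from typing import Dict, List

# Threat categories named in the article.
THREAT_CATEGORIES = (
    "unauthorized access",
    "misuse by authorized users",
    "data leak",
    "data corruption or loss",
)


@dataclass(frozen=True)
class Risk:
    system: str                  # a critical system, e.g. "customer database"
    threat: str                  # one of THREAT_CATEGORIES
    impact: int                  # 1 (negligible) .. 5 (severe) business impact (assumed scale)
    likelihood: int              # 1 (rare) .. 5 (almost certain) exposure (assumed scale)
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 0.9 (strong existing control)

    def __post_init__(self) -> None:
        # Reject malformed entries early so a bad register cannot silently mis-rank risks.
        if self.threat not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.threat!r}")
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be integers in 1..5")
        if not (0.0 <= self.control_effectiveness <= 0.9):
            raise ValueError("control_effectiveness must be in 0.0..0.9")

    @property
    def inherent_score(self) -> float:
        """Risk before any controls: 1..25."""
        return float(self.impact * self.likelihood)

    @property
    def residual_score(self) -> float:
        """Risk after existing controls; rounded so ranking is stable across float noise."""
        return round(self.inherent_score * (1.0 - self.control_effectiveness), 2)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by raw impact (a severe outcome outranks a frequent minor one)."""
    return sorted(register, key=lambda r: (r.residual_score, r.impact), reverse=True)


def treatment_plan(register: List[Risk], acceptable: float) -> List[Dict[str, object]]:
    """Mark each risk 'treat' (needs additional strategy) or 'accept' (at or below the acceptable level).

    A residual exactly at the threshold is accepted; the boundary is a policy choice
    and should be documented wherever the threshold is set.
    """
    plan = []
    for risk in prioritize(register):
        plan.append({
            "system": risk.system,
            "threat": risk.threat,
            "inherent": risk.inherent_score,
            "residual": risk.residual_score,
            "status": "treat" if risk.residual_score > acceptable else "accept",
        })
    return plan


# Constructed sample register: fictional systems and scores for illustration only.
SAMPLE_REGISTER = [
    Risk("customer database", "data leak", impact=5, likelihood=4, control_effectiveness=0.5),
    Risk("customer database", "unauthorized access", impact=5, likelihood=3, control_effectiveness=0.6),
    Risk("payroll", "misuse by authorized users", impact=4, likelihood=3),
    Risk("backup file share", "data corruption or loss", impact=3, likelihood=2, control_effectiveness=0.3),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER, acceptable=6.0):
        print(f"{row['status']:6} {row['residual']:5.1f} (inherent {row['inherent']:4.1f}) "
              f"{row['system']} / {row['threat']}")
```

Running it prints the register in priority order: the uncontrolled payroll misuse risk lands on top even though a customer-data leak has the higher inherent score, which is the practical point of recording existing controls before deciding where new effort goes.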
Put Defensive Measures in Place
With threats evaluated, you can begin to put defensive measures in place. But remember: you can only mitigate risks, not achieve perfect security. That means that it’s important to have a continuous process in place for assessing risks, so you can change your strategy as the risks evolve. Periodic vulnerability assessments are one solution; penetration tests are even more effective.
Plan Your Response to Attacks
It’s a sure thing you’ll experience an attack, and there’s a non-negligible chance an attack will be at least somewhat successful. Develop an incident response plan that ensures your staff knows what to do after a breach, and give them the training needed to execute that process effectively.
Contact Prescient Solutions to learn more about implementing an effective approach to information security. Our IT managed services help Chicago and Schaumburg area businesses develop strategic approaches that address today’s IT challenges.