In a globalised, digitised era in which practically anything can be connected to a network, no company is completely safe from attack. The “always connected” way of life, in which the boundary between private and professional life is blurred, only adds complexity. Daily business now depends on mobility, IoT, cloud, virtualisation, artificial intelligence and similar technologies, which forces us to work harder to protect our assets, including customer and vendor data, often in an environment that is complex and not fully understood.
It Is Easy to Attack
Today an attacker has many ways to launch attacks of many kinds, and no longer needs to be an IT expert to carry one out. Vulnerabilities are frequently not software flaws at all but the result of misconfiguration, inadequately protected equipment or simple misuse. In this scenario it no longer makes sense to defend only against sophisticated attacks or those aimed specifically at our own business. Any company can be a collateral victim of an attack aimed at other companies, industry sectors or geographical regions, or of an opportunistic campaign that simply hunts for any exposed system. This obliges us not only to look after our own protection, but also to avoid becoming the weak point of a connected system (as a supplier or partner, for example) through which a third party could be attacked.
Not Everything Can Be Protected
When deciding which assets to protect, bear in mind that it is possible neither to protect everything nor to eliminate all risk. This calls for prioritisation, starting with what matters most. Each company knows its own assets best, and knows which of them are critical to its daily operations. To keep the business running, therefore, the vital resources and data should be identified first (an asset inventory is the natural starting point) and protected first, so that whatever residual risk remains on everything else is a conscious decision rather than an oversight.
The Creation of a Security Culture
Against this backdrop it is clear that every company needs a security strategy that involves every department, covers all systems and tools, and is built by security experts using specialised methodologies. The result should be procedures that all employees know, understand and actually follow, which means training all staff. Only then can a culture emerge in which everyone helps maintain an adequate level of security and knows how to recognise and report a breach or suspicious incident. The plan can even extend to training customers who use the organisation’s infrastructure, products or services.
The Contingency Plan
Last but not least, a contingency plan should be prepared so that the company is ready to act when an attack succeeds. When an incident occurs, the objective is to restore daily activity and return to business as usual as quickly as possible and with minimal damage. The plan must also be exercised in practice, through drills or tabletop exercises, in order to learn how it works, fine-tune it and adapt it to changing conditions; a plan that has never been rehearsed cannot be relied on during a real incident.
Legal and Competitive Implications
Although responsibility for an organisation’s overall security plan sits with top management, it is not enough to launch the process and then delegate its execution and maintenance to the department responsible for IT and communications. Security is everyone’s commitment: we all need to know the dangers that could affect us and, should they materialise, be able to detect them and act accordingly. Top management, for its part, must ensure that employees receive the required training and have the tools needed to protect the company and its assets. Above all, it must report incidents to the authorities as the applicable law requires.
There are many good examples of companies that stay ahead of legislation and develop their own best practices. Some maintain high levels of security by voluntarily undergoing audits by external firms that specialise in evaluating risk and identifying vulnerabilities. Those at the forefront gain a competitive edge, because they do not treat security as an obligation; they see it as a way to build a loyal customer base by demonstrating in practice that customers could not be safer anywhere else.
This article was first published in Spanish in Computing.es on November 27, 2018