Computer security: a practical approach
Christopher McCarey, Director of IT Security for Gila River Hotels & Casinos – Wild Horse Pass, Lone Butte and Vee Quiva
Vulnerabilities. Data Breaches. Ransomware. In a world where hacking activity takes place every 39 seconds, it’s easy to get caught in a cycle of hunting down the latest cybersecurity threats. But rather than throw your organization into a frenzied panic, consider taking a hands-on approach to your security program to help ensure a solid foundation and mitigate risk.
Regardless of your industry, strategic planning and consistent adherence to a written technology standard are paramount. Start building your cyber defense wall by following these handy steps:
1. Create a strong team
It is important to identify the personnel, whether an internal employee or a security partner, who will be responsible for driving your program forward. Even with a partner driving your security program, a security champion must be identified internally who can be part of the crucial conversations that take place daily to ensure new initiatives are communicated to your security partner.
2. Conduct an internal audit
What are the most valuable and critical assets for your business? It’s the same question malicious actors will ask themselves when they breach your organization, whether it’s during reconnaissance or after an endpoint or process has already been compromised. Yes, even processes are assets in your business, and they should be subject to the same scrutiny that your security team applies to systems.
Identify the systems (servers, databases, file shares, cloud services and others) that contain the most critical data for your organization. In tandem, identify the processes that surround all financial transactions.
An internal audit, for example, can help you assess how you monitor logs for malicious activity. You can’t detect anomalies in your environment if you don’t collect logs.
3. Set goals and define policies
The adage “walk before you run” always rings true, especially when it comes to managing vulnerabilities. Setting goals and defining policies will help you navigate complex challenges as they arise. Patch management is a good example. When was the last time each of your systems received an update? Patch management is an essential part of any organization’s security posture. Your policy should outline which systems are patched, how often they are patched, and how you verify that patches have been successfully deployed. The patch interval should be set to an achievable goal at the outset of your security program and shortened as the patch management process matures.
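The three policy questions above (which systems, how often, and was the patch verified) can be checked mechanically once they are written down. The following is an added illustration, not code from the article or its author; the policy intervals, hostnames, dates and baseline strings are all constructed, and the interval table is what you would tighten as the program matures.

```python
from datetime import date, timedelta

# Maximum allowed days between patches, per system class.
# Constructed policy values for illustration; start achievable, then tighten.
PATCH_POLICY_DAYS = {"critical": 14, "standard": 30, "low": 90}

# The date this compliance check is run against (constructed).
REPORT_DATE = date(2024, 3, 10)

# Constructed inventory covering the policy's three questions:
# which systems, when each was last patched, and whether the system
# actually reports the baseline the patch cycle was meant to deliver.
INVENTORY = [
    {"host": "db-01", "tier": "critical", "last_patched": date(2024, 3, 1),
     "expected": "2024-03", "reported": "2024-03"},
    {"host": "web-02", "tier": "critical", "last_patched": date(2024, 2, 1),
     "expected": "2024-03", "reported": "2024-02"},
    {"host": "file-share", "tier": "standard", "last_patched": date(2024, 2, 20),
     "expected": "2024-02", "reported": "2024-02"},
    {"host": "kiosk-07", "tier": "low", "last_patched": date(2023, 11, 1),
     "expected": "2023-11", "reported": "2023-11"},
]


def check_patch_compliance(inventory, policy, today):
    """Return (host, reason) findings for every system that is out of policy.

    Two checks, one per policy question the text raises:
      - "overdue":    more days since the last patch than the tier allows
      - "unverified": the system does not report the baseline it should,
                      so the deployment was scheduled but never confirmed
    """
    findings = []
    for item in inventory:
        limit = timedelta(days=policy[item["tier"]])
        if today - item["last_patched"] > limit:
            findings.append((item["host"], "overdue"))
        if item["reported"] != item["expected"]:
            findings.append((item["host"], "unverified"))
    return findings


if __name__ == "__main__":
    for host, reason in check_patch_compliance(INVENTORY, PATCH_POLICY_DAYS, REPORT_DATE):
        print(f"{host}: {reason}")
```

Feeding the same check a real inventory export (hostname, tier, last patch date, reported baseline) turns the written policy into a weekly report rather than a document that is only read at audit time.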
4. Educate employees at all levels
Phishing and social engineering attacks are increasing by 16% each year. Do your employees know how to spot smart hackers? Security awareness training doesn’t have to be an expensive endeavor with painful, rushed deployments across the organization. Start simple with a monthly newsletter that includes important safety tips. If you have the luxury of having a marketing department, partner with them to communicate a memorable message to employees. For example, one of my personal favorites is “Trust but verify”. Remember that people are your weakest link, and when it comes to cybersecurity and handling important or sensitive financial information and data, it’s always better to over-communicate.
5. Assess and adjust
The foundation of cybersecurity is repeatable tasks that, when done consistently, reduce your overall risk footprint. It’s important to make sure that as your journey continues, you audit yourself along the way. Are all new assets classified? Do you analyze new processes as they are implemented to ensure security risks are addressed?
While an internal mechanism should be in place to verify that processes are being followed, a third-party audit by a trusted partner will help mature your practice and make sure nothing gets missed.
Once you’ve mastered the practical security steps, the next iteration should be to select a framework and close any additional gaps in your security practices. Some of my peers may say this should be done first, but I think the higher security frameworks available, such as NIST, ISO, or CIS offerings, should be brought into play once you’ve established the basics.
Deploying a successful security program is no different from deploying any other major project in your organization. It requires management buy-in, dedicated staff, a structured plan and accountability. Your early wins should be celebrated and a positive mindset should be maintained while executing the project. When failures happen, embrace them and move your team forward by documenting those things along the way. Revisit them during your progress meetings and turn them into wins where opportunities for improvement have been identified and successfully implemented. Maintaining a positive mindset throughout your organization towards your security program will ensure the long-term viability of your practical approach to security.