2.11.2020 Helsinki

Bilal Al Sabbagh, PhD, Head of Cybersecurity


The consequences of a security breach are embarrassing, as they mostly have a severe impact on the company's business reputation toward clients, partners, and employees. When a security incident occurs, there will always be a cost associated with it, be it financial cost due to data or business loss, legal implications, or loss of people's confidence in the company's leadership, business, and services. Depending on the breach and the damage done, it will take significant time and effort to regain people's confidence in the compromised company's business. But what can companies do to reduce the risk of a security breach? Here are the top five pieces of expert advice to consider when building your company's security program:

1. Appreciate the Risk Climate and Landscape of Your Company and Business

As a first step in building an effective security program, the company management needs to understand the security risk climate and landscape of its business and operations. Companies don't run in isolation but within an ecosystem full of risks, threats, and opportunities. Companies should identify the existing security threats targeting their business and the associated risks: existing vulnerabilities, threat vectors, threat motives, potential reputation damage, and the consequences of any security breach for the company's business mission. Performing this sort of threat modeling and building this awareness will provide the guidance needed to set security targets and controls.

2. Recognize the Assets Owned by Your Company and Business

Every existing company and industry owns assets. Those assets are your employees, clients, partners, data, services, and the information technology used to store and process that data. To plan and set the right security controls, you need to recognize and classify which assets your business owns and depends on. This classification is crucial for selecting the right direction when planning your security controls. Moreover, it would be best to establish an inventory of your IT infrastructure, including the owners of these assets, their classification information, and where they are stored and processed. This asset inventory will not only help you in your threat modeling efforts; it is also essential for understanding where and how security controls need to be implemented to secure access to these assets.

3. Build Security Situational Awareness

It is crucial to stay continuously aware of your IT infrastructure's security posture. Performing regular security vulnerability assessments and penetration tests to evaluate and assure the existing security controls will help you stay aware of how your company's security program is performing, quickly expose security weaknesses, and identify areas needing improvement. On the other side, don't forget how important it is to maintain security visibility and awareness of what is going on within your infrastructure, and to get alerted about ongoing suspicious activities and break-in attempts. Taking a proactive approach toward your company's security will save you much effort when responding to security incidents. Security breaches don't happen suddenly, but only after the adversaries have spent a good amount of time doing reconnaissance to identify exploitable security weaknesses in your infrastructure.
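To make the "get alerted about ongoing suspicious activities" point concrete, here is an added example that is not part of the original post and not code from the author or his company. It parses a handful of constructed, syslog-style sshd authentication lines (invented for this example; the hostnames and IP addresses are documentation ranges, not real systems) and raises an alert when one source address produces a burst of failed logins within a short window, which is the kind of early reconnaissance signal a monitoring setup should surface before a breach rather than after it. The log format, the `threshold` and `window_seconds` parameters, and the field names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2020-11-02T08:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2020-11-02T08:00:03 host1 sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
2020-11-02T08:00:04 host1 sshd[2104]: Accepted publickey for alice from 198.51.100.12 port 40022 ssh2
2020-11-02T08:00:05 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
2020-11-02T08:00:06 host1 sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
2020-11-02T08:00:08 host1 sshd[2101]: Failed password for invalid user guest from 203.0.113.7 port 51126 ssh2
2020-11-02T08:01:10 host1 sshd[2110]: Failed password for bob from 198.51.100.12 port 40030 ssh2
2020-11-02T08:20:00 host1 sshd[2150]: Failed password for invalid user admin from 192.0.2.55 port 60001 ssh2
2020-11-02T08:40:00 host1 sshd[2160]: Failed password for invalid user admin from 192.0.2.55 port 60002 ssh2
"""

# Matches the assumed sshd line layout: timestamp, host, outcome, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_events(text):
    """Turn raw log text into a list of authentication events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "ok": m["result"].startswith("Accepted"),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Return one alert per source IP that caused >= threshold failures within window_seconds.

    A sliding window over the time-sorted failures of each source keeps memory
    bounded and fires on the first burst seen, so a quiet log produces no alerts.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            failures[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the oldest failure is within the window.
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "count": end - start + 1,
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                    "users": sorted({f["user"] for f in fails[start:end + 1]}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_events(SAMPLE_LOG)):
        print(f"ALERT {alert['src']}: {alert['count']} failed logins between "
              f"{alert['first']} and {alert['last']} for users {alert['users']}")
```

With the defaults, only 203.0.113.7 fires (five failures in seven seconds against five different usernames). The two failures from 192.0.2.55 twenty minutes apart stay below the threshold, which illustrates the limit of a simple burst rule: slow, low-volume probing needs a longer window or a lower threshold, at the cost of more alerts for ordinary typos like bob's single failure, so the parameters should be tuned against the company's own baseline rather than copied.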

4. Help Your People Be in Control of Social Engineering Threats

It is a fact that most serious security breaches have started with phishing incidents, where authorized individuals are tricked into performing unintended malicious actions that help intruders get their way into the company network. Phishing emails and impersonating telephone calls are still among the most used and most successful vectors for getting around the technical security controls companies have installed on their networks and systems. Providing your employees with regular security awareness content and reminding them about good security hygiene helps them develop good security habits. Moreover, technical security controls such as email digital signatures, encryption, and strong multi-factor authentication methods can be used to mitigate security risks related to human factors and to avoid falling victim to social engineering methods.

5. Have a Trusted Security Partner On Your Side

Talk to a trusted security vendor who can help you set priorities and support you with your security program. Companies are usually busy focusing on their business to reach their targets. A security posture can erode over time if it is not given enough attention and continuous effort to ensure the company stays protected, while the cyber climate and landscape continuously change.

Feel free to contact me for more information!

bilal.alsabbagh@oivan.com