With new hacks in the headlines daily, every company is at risk. You can't afford to leave data security to technology teams alone; you must be involved in planning, enforcing and holding people accountable for your company's security strategy.
There are two sides to security: proactive and reactive. Proactive security is about reducing the risk that a hacker will be successful. Reactive security is about how quickly you can isolate and contain a breach in the aftermath of an incident.
Security can be an intimidating topic, filled with complex technical jargon that feels better suited to the experts. But simply by asking five seemingly unassuming questions, you will learn how vulnerable your security is from a people, process, and infrastructure perspective:
1. How often do employees undergo security training?
You've heard the phrase, "old habits die hard". Well, the opposite holds true, too.
If you don't regularly train and test your employees on security best practices, I promise you that they've already forgotten anything you taught them. Schedule training sessions at least every quarter and test at random throughout the year.
Publicize the results of your tests among the team. A little friendly peer pressure can be a powerful motivator to get it right the next time.
2. How many employees share or reuse credentials to sensitive systems?
Your company handbook probably includes some sort of policy that prohibits this sort of behavior (and if it doesn't, fix that now). But theory is very far from practice.
25 percent of employees share passwords, according to the 2016 LastPass Sharing Survey. Unless you can prove otherwise, assume that at least a few members of your team are breaking the rules.
It's your job to design access controls that prevent that possibility, and to generate an audit trail to prove when and where anyone accessed data. In technical terms, that means enforcing access controls that validate every employee and their device.
3. Do you know who made that change?
It's not enough to know who accessed your data. You can't contain a breach if you don't know what was done to the data.
To do that, you must have detailed records any time data is updated, deleted, or exported. Insist that your technology teams maintain logs that include that level of detail.
4. When was access revoked for any former employee?
The easiest credentials for a hacker to compromise are ones that are no longer being used. Don't let sloppy offboarding procedures compromise your critical systems.
Make the offboarding process as convenient as possible by centralizing permissions into a single sign-on provider. With fewer credentials to keep track of, there's less risk that one slips through the cracks.
5. How quickly can you answer these questions?
The time to exfiltrate data during a hack is measured in minutes, according to the 2017 Verizon Data Breach Investigations Report. If you can't quickly and conveniently review these records, it doesn't matter how detailed they are; the damage is already done. Make sure your auditing is easily accessible and intuitive to read.
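Questions 2 through 5 all come down to whether your audit trail records who did what, from which device, and when, and whether you can query it in seconds. The following is an added example, not code from the original post: it assumes a constructed pipe-delimited audit line format (timestamp|actor|device|action|resource) and hypothetical helper names, and shows how a log with that level of detail answers each question directly. The sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# The actions the post says must always leave a detailed record.
CHANGE_ACTIONS = {"update", "delete", "export"}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # timezone-aware timestamp of the action
    actor: str       # validated employee identity (e.g. the SSO subject)
    device: str      # validated device identifier
    action: str      # read / update / delete / export
    resource: str    # the data that was touched


def parse_event(line: str) -> AuditEvent:
    """Parse one audit line in the constructed format used by this example."""
    when, actor, device, action, resource = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(when), actor, device, action, resource)


def who_changed(events, resource):
    """Question 3: every update, delete or export of a resource, oldest first."""
    hits = [e for e in events if e.resource == resource and e.action in CHANGE_ACTIONS]
    return sorted(hits, key=lambda e: e.when)


def activity_after_offboarding(events, actor, offboarded_at):
    """Question 4: any activity by an account after its owner left means
    access was revoked too late (or the credential is being reused)."""
    if isinstance(offboarded_at, str):
        offboarded_at = datetime.fromisoformat(offboarded_at)
    return sorted((e for e in events if e.actor == actor and e.when > offboarded_at),
                  key=lambda e: e.when)


def unknown_devices(events, enrolled):
    """Question 2: events from devices outside the enrolled set are a sign of
    shared or reused credentials and should be reviewed."""
    return [e for e in events if e.device not in enrolled]


# Constructed sample audit lines (not real data).
SAMPLE_LINES = [
    "2024-05-01T09:00:00+00:00|alice|laptop-a1|read|customers.csv",
    "2024-05-01T09:05:00+00:00|alice|laptop-a1|update|customers.csv",
    "2024-05-01T10:30:00+00:00|bob|laptop-b7|export|customers.csv",
    "2024-05-02T08:15:00+00:00|carol|laptop-c3|delete|invoices.db",
    "2024-05-03T14:00:00+00:00|bob|kiosk-99|read|invoices.db",
]

EVENTS = [parse_event(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    # Question 3: who changed customers.csv, and how?
    for e in who_changed(EVENTS, "customers.csv"):
        print(f"{e.when.isoformat()} {e.actor} ({e.device}) {e.action} {e.resource}")
    # Question 4: bob was offboarded on 2 May at 17:00 UTC; any later activity is a finding.
    late = activity_after_offboarding(EVENTS, "bob", "2024-05-02T17:00:00+00:00")
    print("bob after offboarding:", [(e.when.isoformat(), e.action) for e in late])
    # Question 2: which events came from devices that are not enrolled?
    enrolled = {"laptop-a1", "laptop-b7", "laptop-c3"}
    print("unknown devices:", [(e.actor, e.device) for e in unknown_devices(EVENTS, enrolled)])
```

Each query is a one-liner over the same record structure, which is the point of question 5: if the log already carries actor, device, action and resource on every line, answering the other four questions is a matter of seconds rather than a forensic project.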
If you're satisfied with your team's answers to these questions, congratulations! You're more secure than most companies. That won't eliminate the risk that you're hacked, but it will go a long way towards encouraging a would-be hacker to find an easier victim.