Unfortunately, some of the most common security breaches are the result of employees accidentally divulging sensitive information. Continual security awareness training and testing will not only protect your systems, but will also help your employees recognize and avoid attackers using social engineering techniques.

Use a basic IT risk assessment to focus your resources on high-risk areas and to evaluate the effectiveness of your security controls.

As a business, always identify all sensitive or confidential data, record where it is stored, and assess whether the processes protecting that data are adequate.

To ensure that your data is being adequately protected by your vendors, review the security controls they have in place. If gaps are found, you can then take action to correct them before damage is done.

A thorough and comprehensive patch management process allows businesses to protect themselves from newly discovered threats, both internal and external. For this to be effective, all software and systems must be covered, not just a subset.

Data and security breaches often blindside people and organizations, making it difficult to respond in an efficient manner. Having a detailed emergency plan in place will not only allow you to act quickly and with confidence, but will also provide a blueprint for how to manage:

▪ Containment

▪ Investigation

▪ Legal actions

▪ Public relations

If you haven’t already done so, start implementing network intrusion detection systems and a regular review of system logs and activity. This allows you to investigate suspicious activity before it becomes a serious problem.
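As an added illustration (not code from the original article) of the kind of log review an intrusion detection process automates, the routine below parses constructed sshd-style authentication lines, flags a source address that accumulates five failed logins inside a one-minute window, and raises the priority when a successful login follows the burst. The sample log lines, the threshold and the window size are assumptions chosen for the example.

```python
"""Minimal log-review example: flag bursts of failed logins per source IP.

Added illustration, not code from the original page. The log lines below are
constructed sshd-style samples; the threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real logs). Syslog lines carry no year, so
# the parser assumes one.
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jan 10 03:14:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 10 03:14:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 03:14:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 03:14:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 10 03:14:12 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Jan 10 03:20:41 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40222 ssh2
Jan 10 03:25:10 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40223 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one sshd auth line into a dict, or None if it is not one we handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source IP that logs >= threshold failures inside
    a sliding window; mark it higher-severity if a success follows the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    alerted = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip].append(e["ts"])
            # drop failures that have aged out of the sliding window
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "failures": len(failures[ip]),
                               "first": failures[ip][0], "last": e["ts"],
                               "success_after": False})
        elif ip in alerted:
            # a successful login right after a burst of failures is the case
            # an analyst should look at first
            for a in alerts:
                if a["ip"] == ip:
                    a["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

Running the block prints a single alert for 203.0.113.7 (five failures in eight seconds, followed by a successful login), while the lone failure from 198.51.100.4 stays below the threshold. A real deployment would feed the same logic a continuous log stream and route alerts into the incident response plan described above.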

Doing so will help you define the organization’s information security goals, as well as provide an outline for how the organization will meet them.

A sampling of standards includes, but is not limited to:

▪ Sarbanes Oxley (SOX)

▪ Health Insurance Portability and Accountability Act (HIPAA)

▪ Gramm-Leach-Bliley Act (GLBA)

▪ Payment Card Industry Data Security Standard (PCI-DSS)

A business should always have someone designated (and qualified) as the IT Security Officer (ISO).