...because attackers are not going to wait until YOU are ready for THEM
A well-secured organization is not created in a day, yet there are basic processes and practices that many organizations have not adopted that could help them mitigate the risk of a successful data breach. Too often, an organization does not realize that it needed these processes and practices until after a security event has taken place. Once implemented, however, these steps can reduce both the likelihood of a successful attack and the damage it can do.
Step 1: Clearly Document All Security Incident Response Procedures
Most organizations already have disaster recovery plans for a natural disaster or a severe power outage. However, in most cases, these same companies have yet to make concrete plans for what to do when their network is compromised by attackers. An incident response plan should cover everything from which steps the IT staff is responsible for carrying out to which security company will be contacted for help with forensics and cleanup.
Step 2: General Staff Need Basic Information Security Awareness Training
All staff within any given organization need basic security awareness training. We teach our children not to wander down dark alleys, yet many organizations are not educating their staff about how to keep themselves and their organizations more secure at home and at work. Simple lessons concerning safe email practices, not putting USB thumb drives they find into their home and work computers, and many other secure practices can make it much more difficult for an attacker to find their way into an organization’s network.
Step 3: IT Staff Must Have Some Security Knowledge
Too often, organizations hide their network behind lots of hardware with blinking lights and believe that they are protected from attackers. But in today’s threat landscape, most attacks are directed at vulnerabilities in the organization’s software and often go undetected by the blinking boxes in the server closet. So it is important that some members of an organization’s IT staff have some level of training in what a security event looks like on their network. It is also important that IT staff understand what normal network activity looks like and what is abnormal. Is it normal for a terabyte of data to be downloaded to a foreign IP address at 3am? Will any of the devices in the server closet notice that behavior? Will that behavior be logged? Even if it is logged, will a member of the IT staff be alerted to it and recognize it as abnormal? Without security education, an organization’s IT staff may not be equipped to handle malicious incidents.
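The 3am terabyte-to-a-foreign-address question above is exactly the kind of check that "knowing what normal looks like" turns into. The following is an added example, not code from the original article, of a minimal rule that an IT staff member could run over exported flow records: it flags outbound transfers to non-internal addresses that are either unusually large or happen outside business hours. The record format, the internal address ranges, the business-hours window and the 50 GiB threshold are all assumptions, and the sample flow lines are constructed for the example.

```python
"""Added example: flag large or off-hours outbound transfers to external hosts.

Not the article's code. The flow-record layout (timestamp, source, destination,
bytes sent), the internal ranges, the hours window and the byte threshold are
assumptions; the sample records below are constructed, not real traffic.
"""
import ipaddress
from datetime import datetime

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <bytes_out>".
# Line 3 is the scenario from the text: ~1 TB to an external address at 03:07.
SAMPLE_FLOWS = """\
2024-03-11T09:15:00 10.0.4.22 10.0.1.5 524288000
2024-03-11T14:02:00 10.0.4.22 203.0.113.9 4194304
2024-03-12T03:07:00 10.0.4.22 198.51.100.77 1099511627776
2024-03-12T03:40:00 10.0.4.31 10.0.1.5 1099511627776
"""

# Assumed definition of "our network": RFC 1918 space plus loopback.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59, assumed
VOLUME_THRESHOLD = 50 * 1024 ** 3      # 50 GiB per flow, assumed


def parse_flow(line):
    """Parse one constructed flow record into a dict; raise on malformed input."""
    ts, src, dst, nbytes = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "bytes_out": int(nbytes),
    }


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return the list of reasons a flow looks abnormal (empty if none)."""
    reasons = []
    if not is_internal(flow["dst"]):
        reasons.append("external_destination")
        if flow["bytes_out"] >= VOLUME_THRESHOLD:
            reasons.append("large_transfer")
        if flow["time"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
    # Only external destinations that are also large or off-hours are alerted;
    # a small transfer to an external host during the day is treated as normal.
    return reasons if len(reasons) > 1 else []


def find_anomalies(flow_text):
    """Run the rule over every non-empty line and return the flagged flows."""
    flagged = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            flagged.append({
                "time": flow["time"].isoformat(),
                "src": str(flow["src"]),
                "dst": str(flow["dst"]),
                "bytes_out": flow["bytes_out"],
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {hit['time']} {hit['src']} -> {hit['dst']} "
              f"{hit['bytes_out']} bytes: {', '.join(hit['reasons'])}")
```

The rule is deliberately crude: real baselines come from the organization's own traffic history, and the point is that it only works if the flows are logged in the first place and someone is responsible for reading the alerts, which is the gap the text describes.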
Bottom Line: Attackers are Targeting Organizations within Every Industry
Aerospace, financial, telecommunications, health care, and manufacturing organizations are all targets for industrial espionage, fraud, and outright theft. Yet many organizations still have their “heads in the sand” and believe that they are not a target. A web developer I met at a recent conference told me that his large manufacturing company was not a target because the only users of their website were their suppliers. If his view mirrored the rest of his organization, they will be in for a very unpleasant surprise if (or when) they find their bank accounts empty or proprietary data stolen one morning. By documenting all security incident processes and procedures, and by educating all staff about security, an organization can begin to harden itself against attacks and start behaving like a secure lion instead of a fearful mouse.