Stop the Breaches! Four Steps to Minimize Security Risks

This article was first published on Help Net Security.

C-suite executives must show leadership in driving a security culture to ensure that their company can resist most – hopefully all – of those. Companies must do their due diligence and appoint a highly trained security team to monitor and protect their data according to industry best practices, by using tools that can help prevent, detect, mitigate, and eradicate threats.

Over the past 40 years, we’ve worked with many organizations, big and small, across a variety of industries to help them improve their cybersecurity posture. Here are four steps that companies can take to create a secure work environment:

Select a C-level champion

Full support from the C-suite is critical to ensure that security and compliance policies are implemented and followed. Beyond the budget requests that are involved in identifying and procuring new technology, it’s important to keep senior management up to date on assessment findings, action plans, deployment of new technologies, and the return on investment.

For best results, employ a separate security organization, one that is not part of IT, that reports directly to the C-suite. While it is paramount that the IT department and the security teams are strong partners in protecting the company, the best practice is to have a separation of duties to ensure the group delivering the IT services is not also responsible for monitoring and managing the security risk.

Conduct a security risk assessment

It’s critical to understand your organization’s current vulnerabilities and the threats it faces to ensure you have the right security strategy in place. This is done with a company vulnerability assessment which is typically performed by a third party. Examining the security posture of every system to understand what is being used and where the risks reside, and having a mitigation plan to protect employee, company and customer data is critical.

For example, if employees are taking payments over the phone, you should leverage technologies available today to receive that information without exposing it to your employees. If you can’t engineer the receipt of credit cards out of the service delivery, are you safeguarding the information in accordance with the Payment Card Industry Data Security Standards (PCI DSS)?

Similarly, if your company is in the healthcare industry, are Health Insurance Portability and Accountability Act (HIPAA) regulations and required data security standards being enforced? Are contractors or other third-parties able to access certain areas of the company’s offices? To mitigate risk, especially when working in a call center, you must be able to pinpoint the places where fraud can be committed.

Design an action plan to address risks

Validate findings and examine new risks as you prepare to mitigate security issues. After completion of the vulnerability assessment, analyze a list of fraud opportunities to pressure test your mitigation plan to ensure your security plan is effective.

Ensure your team trains and gets certified to meet industry information security standards such as the Certified Information Systems Security Professional (CISSP). To ensure full compliance, companies should consider employing these skilled workers who are well-versed in the strictest security standards and protocols, including PCI DSS and HIPAA. It’s also important to create a calendar of independent audits.

Ongoing assessment

To maintain and improve security systems, focus on three areas:

• Employ best-of-breed security technology and align your security operations to industry recognized best practice. Additionally, if you have the development talent, build proprietary security tools to fill in the gaps in technology needed specifically for your company.
• Work with a third-party security expert. In choosing one, make sure that the partner can bring end-to-end security analytics and behavior analysis to detect and stop attacks and insider fraud. Ensure you close out or mitigate all the issues discovered through the third-party assessment.
• Institute an employee fraud hotline. This basic concept allows employees to safely alert senior executives if they suspect fraud or suspicious behavior.

Security should be a priority for employees at all levels, but the leadership and culture change must come from the C-suite to ensure employee buy-in. Limiting risk and ensuring compliance is a 24/7 job, and only companies that can devote the time and resources will build a corporate culture that rests on creating and maintaining a secure environment.