5 Disciplines of a Security-Minded Company
We have all heard it said: “Security is our top priority!” This phrase has been uttered by virtually every executive and IT professional out there. Nonetheless, several recent security breaches have exposed millions of sensitive consumer records and have us all on the edge of our seats, wondering if our personal information and identity has been compromised.
Data breaches and identity theft are becoming more and more common, and one has to wonder: how many of those breaches could have been avoided? How much of the responsibility lies within an organization’s poor practices, rather than the expertise of good hackers? No company is immune from attack, but security experts agree that most breaches can be avoided with a comprehensive plan incorporating both current technology and a security-minded company culture. Think of the poor IT guy: blamed for a breach that he was powerless to prevent, as it occurred due to poor discipline within his organization.
Does Corporate Culture Play a Role?
Protection from vulnerability comes from more than having sound technologies and procedures; a company’s culture plays just as important a role in protecting data as the technologies and policies it employs. Any company that works with sensitive consumer information should make security not only a technological priority, but a cultural one as well. Organizations that do will experience far fewer successful attacks than those that focus on technology alone.
To minimize the risk of a successful data breach, we’ve found these five disciplines to be crucial in instilling a culture of security mindfulness in our organization.
1- Create a security-minded culture
Don’t underestimate the power of corporate culture in identifying and exposing vulnerabilities and thereby averting attacks. Alert employees are the first and best defense, because there is always someone at every level of an organization who has unique working knowledge about the technologies and data practices used by the organization.
A security mindset goes deep into our organization, because it starts in the CEO’s office and extends to every member of the senior management team and employee from there. Everyone is willing to abide by the same rules, and the importance of data security is constantly reinforced. In fact, because we are a SOC2 compliant organization, we even consider an unattended, logged-in computer to be a security threat. Our corporate culture has evolved to the point where employees are willing to help each other with fun reminders to secure their workstations when they walk away, even for a short meeting or restroom break. It is effective, fun, and non-threatening, while enabling our company to maintain the highest security standards.
Organizations that make security and compliance a major factor in the development of their corporate cultures will reduce the risk of successful attacks.
2- Use best practices and technologies
It goes without saying that a fundamental tenet of good security is employing the right technologies and tools, whether your IT infrastructure is premise-based or in the cloud. It is important to take the next step and also adopt the very best practices, including constantly reinforcing procedures and behaviors that promote good security. Learn what best practices apply broadly to every IT organization, as well as those that align with your organization and industry. This includes practices like keeping software current with patches and security updates, utilizing malware and antivirus software on every computer, implementing properly configured and capable firewalls, enforcing safe password practices including multi-factor authentication (MFA), maintaining good backups, using encryption on your website and stored data, etc. There are many resources for learning best practices for organizations small and large. Make sure that time and resources in your organization are dedicated to learning and implementing security best practices.
3- Stay current on security trends, threats, and vulnerabilities
We all know the adage “the best defense is a good offense.” This adage has been applied broadly to many fields of endeavor, and implies taking strong offensive action to avert future moves against you, as opposed to maintaining a passive attitude that will ultimately mean trouble.
To “go on the offensive” means that you are proactive in educating yourself, your team, and your hired talent on the latest security threats, trends, and vulnerabilities. When you hear about major security breaches, find out what the source and method of the breach was, and assess whether you have the same vulnerabilities. Hackers will “rinse and repeat” because they know that if a tactic worked once, it’s likely to work again.
4- Hire the right talent
Find the right talent to help you secure your organization, and make sure that they are qualified and capable to help you protect your company network and data. Even with my extensive technology background, I would likely have to rely on the expertise of others to properly vet a potential security officer. As an example, my brother-in-law is a security architect for a very large organization, one that you would likely know the name of. He is brilliant and deep, and I can’t keep up with him when he describes the detailed tactics, methods, and strategies of hackers. Personally, I would need help interviewing and assessing his skills for a security role. When you hire talent, find the right people to help you vet a candidate’s expertise, depth, and experience. Make sure your candidates are qualified, as you are asking them to protect your greatest assets: your employees and your company data.
5- Stay compliant and display your credentials
Keep up with and exceed the minimum-security standards for your industry. Get the certifications needed to give confidence to yourself and your customers and display them proudly on your website. Nothing gives customers more confidence than knowing that your organization has a commitment to securing their information and has the credentials to prove it.
As a technology platform provider who deals with sensitive consumer information, we go to extraordinary lengths to ensure that our organization is committed, trained, certified, and compliant with the governing bodies and organizations that are germane to our industry (i.e. PCI, SOC 2, Ei3PA and others). To further demonstrate our commitment to protecting consumer data, our company requires that our developers and programmers take a “secure coding course” annually. We also require every employee, regardless of their position, to complete NAPBS FCRA Basic Certification, which outlines best practices and legal requirements for protecting sensitive consumer data according to the Fair Consumer Report Act (FCRA), a federal law that regulates the consumer reporting industry.
A Security Mindset Brings Peace of Mind
Nothing brings peace of mind like knowing that you have done everything within your power to protect your organization’s precious data, which often includes very personal and private information about your employees and customers. While no one is completely immune to attack, knowing that you have covered your bases will likely help you to avoid the devastating effects of data and identity theft from within your organization.
ABOUT THE AUTHOR
Kary Burns is the Head of Marketing and Communications for TazWorks, a technology company that provides software, tools and a technology platform to the largest number of independent background screening companies in the nation. He has over 20 years of experience working in technology companies, both in technical roles as well as in marketing and communications.
Learn more about TazWorks at www.tazworksdev.wpengine.com