Your organization is at risk of a cyber intrusion. That’s not a reflection on your firm’s shortcomings, nor a statement of some unusual antagonism it engenders in those who’d wish to do you harm. It’s a simple fact of doing business in the modern era. Every enterprise, no matter how small or seemingly unimportant, is vulnerable to compromise.
You don’t have to accept your fate, of course. You can take steps now to strengthen your cyber defenses before you’re compelled to do so in the wake of a compromise.
And if you’ve already experienced an intrusion, there’s much you can do to reduce the risk of another incident. That’s why CIL Trust and Asiaciti Trust made targeted investments to limit their cyber vulnerabilities in the wake of the Pandora Papers, a sophisticated data intrusion that affected more than a dozen international fiduciary firms and law offices. It’s never too late to take security seriously.
Ready? Make these six cyber security investments now.
1. Bring IT Security Talent In-House (Or Retain a Trusted Third-Party Provider)
Your days of skating by with the occasional help of remote IT contractors are over. Or at least, they should be if you’re serious about taking the next step in your cyber security journey.
There’s nothing wrong with using IT security contractors, of course. Many are quite good. But you need to devote more resources than they can provide — and you need them on call at a moment’s notice to assist.
That’s why many growing organizations build out internal IT teams early, before it seems as if there’s enough work for them to do. If you’re not ready to take this step, retain an outside cyber security vendor that guarantees a real-time response.
2. Develop a Crisis Response Plan
A robust crisis response plan helped Asiaciti Trust and CIL Trust Limited bounce back after their data incident, and it can do the same for you. Don’t mistake it for a “non-cyber” investment, either; a comprehensive crisis response plan should cover post-incident analysis, remediation, and technical messaging. Make multiple iterations of your plan to cover different cyber compromise scenarios.
3. Scale Up Your Data Backup and Testing Infrastructure
You should be backing up your organization’s entire digital footprint at regular intervals. If you don’t have a scalable solution for this — both cloud-based and physical on-premises backup — then it’s time to implement one.
While you’re at it, scale up your digital security testing infrastructure as well. You need to test not only your data backup solution (to make sure you’re actually saving the data you need to save) but your threat detection and neutralization capabilities as well. Review these best practices for IT security testing if you don’t know where to begin.
4. Set Minimum Security Standards for Your Employees and Contractors
Hold your employees to strict digital security standards, as expressed in a list of directives that everyone on the team needs to follow. Don’t make it personal; stress that it’s table stakes for a connected organization.
Go further and hold your firm’s contractors and vendors to the same tough standards. Many massive data incidents, including the Target and Home Depot hacks of the mid-2010s, used vendors with poor security standards as vectors. Don’t repeat their mistakes.
5. Reduce Employee and Contractor Permissions
Minimum security standards aren’t enough on their own. You need to make sure your employees and contractors don’t have access to systems and data that they shouldn’t — nor higher-level permissions that could enable them to manipulate those systems and data. Operate under the “minimum necessary permissions” principle (also known as least privilege) at all times, and review granted permissions periodically rather than only when roles change.
6. Expand Network Monitoring
Finally, make sure you know what’s happening on your network around the clock. Carefully monitoring your users and gateways could mean the difference between discovering unauthorized activity early enough to stop it in its tracks and learning that you’ve experienced a massive data incident days or weeks after it’s over.
Is Your Enterprise Secure?
Be honest. It’s okay to admit that you’ve got some work to do, and we’ve outlined some key enterprise security to-dos here.
Will knocking all six of these items off your action list this year make your firm impervious to digital threats? Hardly. This is just the appetizer course — the low-hanging fruit, the table stakes, the must-haves.
You can and should do a lot more to protect your organization. And you’ll want to do so in concert with in-house and external information technology experts who can analyze your unique vulnerabilities and recommend targeted investments to address them. A cookie-cutter approach is not appropriate in an increasingly perilous digital threat landscape.
Here’s to getting it done — and to sleeping a bit easier.