The world has changed, and the environment in which we live in is threatened. IT professionals and leaders ought to discover creative ways to leverage their resources and better defend against cyber attacks. It is a tough call to balance the cost of IT security operations against the risk of a security breach. CISOs and CIOs are rarely appreciated when everything is going on well; instead, they face the wrath of the public when a security incident happens, despite their best efforts using limited resources and budget.
The right balance between innovation and the need to control risk requires a comprehensive security strategy that includes policy measures, processes, and technology. Below are the basic security areas that CIOs should include in their operation.
Passwords are the currency of the digital era: people use them to log into their emails, bank accounts, online forums, social networking tools, banks, and credit card accounts among others. People need to know that poor or weak passwords put them at risk. Password complexity is directly related to password security.
Advanced hackers use programs that generate passwords using combinations of personal information and are capable of many login attempts. Since we live in times when almost everyone has become an identity theft victim, taking a clear-headed approach to password security and complexity is a big part in controlling cyber theft.
The majority of the information we have is stored on a computer software or program. Physical threats are common, and it would be a mistake to assume that it is the only threat. CIOs can take some measures to reduce physical threats:
- Know your neighbors
- Review how you protect entry points
- Install surveillance gadgets
- Protect network cables
- Lock network devices like routers, servers, etc.
- Secure your access points when using wireless networks
Information security empowerment
Businesses face many external and internal digital threats that can corrupt hardware and compromise the security of data. Your intellectual property or private date could be used in fraud or cyber crimes. Therefore, CIOs need to educate employees on how to prevent themselves from phishing, online scams, and pharmers.
Managing incidents and respond
Sometimes, when two similar security incidents happen in two different locations, you need security intelligence to link them so that patterns that may indicate a potential threat does not go unnoticed. A company needs to have cognitive analytics and automated response, which includes creating an automated and unified system to enable a business to monitor its operations and respond fast.
Building a risk-awareness culture
Anyone can be an infection point for a business, whether it’s from clicking a suspicious attachment or plugging in the wrong USB stick. The effort to create a secure business must be holistic. CIOs should build a risk-awareness culture that involves defining the risks and goals, followed by education.
The technical ecosystem of data usually includes third parties such as vendors, intermediaries, and suppliers. Insecure practices in third party companies or networks connected with a business can create exploitable security loopholes. The best starting point is listing all third parties that a firm is transacting with and prioritize this list based on the level of information overlap and the critical nature of the information. By doing so, the company can proceed to look at the security measures the third party has in place and take the appropriate controls.
It is important to respond quickly to a security incidence to detect and prioritize security threats. Serious events require a quick response from the senior security analysts. They must employ such remedy actions like file quarantining, blocking an IP address, or wiping a laptop. The effective incident response needs security experts to be available on a 24-hour basis, although the case could be different for institutions with a dedicated CSIRT team.
Controlled network access
Policing would be much easier if each vehicle in every city carried a unique radio tag lined with a sensor. The same concept can be applied to data security. Firms that channel registered data through monitored access points can have a far easier time spotting and isolating malware.
Managing information assets
Information assets include all equipment that can be used to generate, manipulate, or store information. Such assets include hardware, including computers and flash disks, internal and external databases, and physical faults. Businesses must keep an inventory of all these assets and a lay out a clear plan for ensuring their safety. The plan has to be communicated to all stakeholders that manage or handle these assets in their day-to-day activities.
Latest posts by David Chou (see all)
- It’s time for data center transformation in health IT - March 14, 2017
- Digitization and consolidation of quality observation data - February 7, 2017
- Why the CIO should take the ‘digital’ lead - January 17, 2017