Sometimes IT Security can be overwhelming.
Overwhelming to the point that there are just too many components to keep track of. Too many recommended security projects to get completed. Too many new hacks and ransoms that make it seem like security is never really working for your business.
As we start 2018, I want to walk through a way for you to prioritize your IT Security so that you focus on the most important things first.
Before you start worrying about specific information security projects that need to be done (for instance, installing a secure firewall or upgrading your operating system), you should have a well-defined security plan focused on what matters most to keeping your business safe.
Just like any other business process, your IT Security process should start with planning. Define specifically what needs to be accomplished. If you don’t, you will have no way to tell whether your security is actually improving.
Your plan should first identify your business’ most imminent security concerns. Are you vulnerable to ransomware? Are your users susceptible to phishing scams? Are you using out-of-date and unsupported software? Have you overlooked applying security patches? (If you aren’t sure how to start a plan, consider consulting security experts to help define a business security plan.)
Make a list of all of the outstanding issues and plan to address each. Your plan to resolve each issue should include the following:
Define your security concerns—outline each problem with a clear explanation of why your business security is at risk. Security experts often advise business owners to begin with an initial 3rd party security audit, so that you understand exactly what your major security vulnerabilities are before undertaking any security improvements.
Identify what each security concern affects—is the vulnerability related to an update for an accounting program? Could it compromise your entire staff’s Social Security Numbers? Or do you have a vulnerability that would merely impact your office supply orders? Understanding who is impacted and what the implications are for your business operations is critical to judging how pressing the issue is.
Have a defined plan to address each issue—your IT Support team should be able to address each concern with actionable tasks. Maybe they need to patch specific software, maybe they need to upgrade your server, perhaps they need to better train your users on how to use technology safely. Whatever the resolution, your IT Support team should document the specific steps they will take to remediate the issue on your network, and should be able to accurately estimate the time and other costs involved in the fix.
Define how complicated each task is—based on the resolution plan for each security concern, your IT Support team should determine how long or how complicated the fix would be. Come up with a simple designation (Easy, Medium, or Hard) or estimate the number of man hours each resolution would take, to help decide what to tackle first.
Fixes or projects that address the highest risks to your business should be given highest priority!
Just because specific fixes address known security risks doesn’t mean that you should automatically put them at the top of your list. Your IT Support should ideally be identifying the biggest problems first: those that most severely affect the management of your business security, or whose resolution drastically reduces your security costs.
Pro TIP: Make sure that your IT Support isn’t wasting money and time on repetitive security tasks. Often, separate security concerns may be related to the same core security vulnerability.
Here’s one example: You may decide that you want a security policy requiring users to change their passwords every 90 days. Your IT Support team proposes to monitor and enforce password changes 4 times a year.
But your support team may also be working on a project related to authentication between your Windows domain and server. This project includes a way to automatically enforce incremental user password changes, resulting in fewer complaints about expired passwords and greater user independence.
If you hadn’t listed out your projects and concerns and identified how they relate, you might have wasted time and money implementing two redundant projects to address one core problem. Clean up your list to remove redundant issues before implementing your 2018 security initiatives.
Determine which concerns are most pressing—not all security risks are created equal. For instance, an unpatched vulnerability that lets a hacker into your client billing data is likely far more important than one that may allow access to your marketing opportunity database.
While all of your security concerns may be important, some will have a bigger impact on your compliance (remember that PCI Compliance requirements are changing next month!) and on your overall business security.
Implement what’s most important first—after making sure no issue appears twice on your list, come up with a timeline for when your IT Support can address each security concern. Be sure to understand the costs involved with each project to best know how to budget for
Most businesses define this list of concerns, along with a remediation plan, by seeking a 3rd party security assessment.
While there is no absolute right or wrong way to prioritize your security projects, there are certainly concerns that arguably give the most bang for your investment. Contact us TODAY to figure out how to best secure your business for 2018.