A checklist is NOT security. Period.
Your IT guy may have a list of checkboxes (security-related tasks he's completed to keep you safe), but a checkbox may give your business a false sense of security.
Checkboxes can be marked by accident or untruthfully. And even if every task on a security checklist has been followed routinely, that doesn't mean nothing is missing: a new threat that exploits a vulnerability your list never covered can still be used to hack, steal or ransom your data.
Don't get me wrong. Checklists have their place in any IT security program. But the problem with an IT Department or IT Managed Services Provider wearing blinders, focused completely on the checklist, is that something is bound to go wrong. Checklists are wonderful tools for bringing structured improvement to unstructured or undisciplined processes (if your IT Support is not using lists and processes, they are likely working in disorganized chaos!).
But the problem IT Support often has with checklists is that they rely on them like security blankets. Technicians become so comfortable with checklists that they forget to develop as IT security experts and ultimately become complacent about how they're handling your security.
In most IT Support environments, where technicians or engineers are inundated with other issues, they focus only on the controls they defined months or years ago.
If your IT Support is simply checking a box for security with little or no explanation or evidence of the effectiveness of their security measures, they are likely NOT doing enough in our current cyber climate to protect your business against threats. They aren’t sufficiently monitoring your network or updating your security controls to ensure new attack vectors don’t get overlooked.
Beyond checklists that merely confirm compliance with "best practices", your IT support needs to build security through open dialogue with users about current security concerns and about solutions to your business's specific security issues.
A checklist, especially one applied identically to all users or all clients, is by no means a solution for complete IT security. Cybersecurity is NOT a one-size-fits-all protocol. Cybersecurity measures should be evaluated regularly and assessed against the current threat climate.
IT Security measures need to be evaluated in the context of your business, your users’ roles within the business and how your organization interfaces with the outside world. Your organizational structure, goals and initiatives should all be kept in mind when defining or redefining security processes, procedures and measures taken to keep your data safe.
What your company needs is a security-focused culture that fits
There’s not one “good answer” to the question “what is a good security culture”. The objective of creating and maintaining a culture that understands security threats is to prevent breaches from happening. What culture should do is make security measures easier. Below are a few ways your IT Support should be facilitating your company to become more security-focused.
Security Awareness: informed and engaged users are among your most valuable security assets. Cultures that encourage security education, keeping users informed of updated security information, can make securing sensitive data a lot easier.
But most awareness programs in organizations large and small focus only on "tip of the spear" security, the basic Do's and Don'ts, rather than explaining common scenarios through real-world examples. Many IT Companies send out email reminders about security incidents, but the majority don't make a practice of teaching through their everyday interactions with users.
For instance, if a user needed a password reset and wanted the IT guy to email him or her the password, instead of simply saying that it's company policy to give passwords over the phone, he could explain with a story why emailing passwords is a bad idea. [Note: I am assuming here that you are familiar with some basic security measures. For more information, see our recent post].
Every interaction IT Support has with users is one of the best opportunities to point out memorable security specifics. Even the small things, when pointed out in a learning-from-your-mistakes context, really can make a difference when users encounter real threats.
Showing results of effective security management: it's natural to forget about even the most important topics, like security, if they aren't top of mind. Your IT Team should consider communicating security milestones to your team at large. At the very least, reporting the number of days without a breach (similar to the days-since-last-accident signs at construction sites) can keep security top-of-mind with your users.
When you put new measures in place (for example, installing a heuristic firewall that evolves with the changing threat landscape), your users should understand what is going on. They should hear about the attacks that were stopped and should be shown how new measures are improving their security; this is especially important when measures need user actions (user buy-in) to be successful.
Your IT Support needs to keep you and your users aware of how they are addressing current security problems. If other businesses are getting attacked (we see daily reports on the news), then what's keeping those attacks from reaching your company?
Can your IT Support assure you through explicit actions taken on their end that your business shouldn’t worry about the current attack? That you aren’t a vulnerable party?
If your IT Support DOES tell you you're safe or that you have nothing to worry about, if they check a box for your security compliance and say they are meeting all requirements but haven't given you the details, how do you know ANYTHING is taken care of? The dirt is in the details.
Are you sure your IT Support is getting security right for your business?
Are they providing your users with feedback and awareness training? Are they giving you an account of specifically what they're doing to keep you compliant and safe? Or are they leaving you uncertain and nervous that the next attack may be your last?
If you're at all concerned with your business security, contact us TODAY for a FREE security roadmap meeting to ensure your business security won't leave you vulnerable down the road.