As if the cybersecurity landscape hadn’t been challenging enough, the Coronavirus pandemic has made it even harder to be prepared for the ever-growing number of threats. That’s hardly surprising. The stay-at-home orders that most countries adopted to fight the crisis forced virtually all companies to migrate to the digital realm. For a lot of them, the shift was rushed and mostly unplanned.
And you know that, when you do things in a hurry, chances are you’re going to make some mistakes. Unfortunately, a cybersecurity mistake can be quite costly, so it’s better to patch it up as soon as possible—or better yet, prevent it altogether.
Of course, you won’t be able to do that without a sound cybersecurity strategy. Planning everything related to security is the only way to reduce the risks to a minimum and uncover the vulnerabilities you’re exposed to after such a hurried transition. Here are five essential questions you can ask yourself to see where you stand, security-wise; the answers will help you plan your security better.
Oh, and if you already had a security plan in place, you’d better check it out as well, as these questions will let you assess your strengths and weaknesses (and course-correct, if needed).
1. “How secure are we?”
The first question is rather exploratory, and its goal is for you to bring all the security assets you already have to the table. This is the starting point for any security strategy, as it will allow you to better understand what needs to be done going forward.
So, what should you be looking for? Any security software you have in your digital environment, security playbooks and policies (for training and execution), security-related roles inside your organization, security plans and investments for the future, and anything else you can think of that’s related to security. Pay special attention to the partnerships you have, especially if you exchange sensitive information with a third party, because those could be vulnerable channels worth examining.
Once you have the most comprehensive list possible of your security assets, you’ll have a clearer picture of what you have and (most importantly) what you’re lacking. Naturally, the list in and of itself won’t give you an indisputable direction to take – you need to ask all the questions before getting to that.
2. “What risks are we exposed to?”
Now that you know your weak points, it’s time to analyze the risks you’re exposed to. You could choose to skip a thorough assessment at this point and just adjust your strategy to the more common threats out there. However, that’s the wrong approach. Your security measures should be tailored to your company’s needs, so you can’t rely on a broad or general strategy. While it might help you to follow general guidelines, you need to go further.
How do you do that? Consider the information you use regularly and how it could fall into the wrong hands. You may have a cloud-based custom CRM on which you store your clients’ data, including sensitive information like passwords and credit card numbers. If you don’t secure that CRM properly, you expose yourself (and your clients) to attacks.
In that sense, you need to think of all the information that could harm you if it were to fall into the wrong hands: intellectual property, custom workflows, private executive data. Again, remember the risks of working with third parties and take that into account as well.
Once you’ve gathered all this information, it’s time to assess the risk associated with it. Since you won’t be able to fully secure your entire environment, you’ll have to prioritize which data and channels matter most to you. Also, you could be overreacting to certain threats (meaning that you might worry too much about something that’s too tangential to your company). Thus, you need to find a balance between the risks you can’t accept and those you accept as part of doing business.
3. “Are we investing enough in security?”
Armed with the two previous answers, you can now see how far you are from covering all the security measures you consider essential. Thus, you can answer this question. However, things aren’t that simple. You need to go beyond the “I need to spend some more money on security” mentality. There are other things you need to consider, mainly ROI and security metrics.
The answer to this particular question is more complicated than it seems. Maybe you could be investing more money in custom security solutions, but after reviewing the risk management projections, you see that it’s not worth the cost. Maybe you find that it’s the other way around and that working with a custom software development company makes more sense for your security needs.
You need to go beyond the technology and into its performance. You can have the best security tech in the world but not have enough justification for using it in the first place. You can’t afford to throw money and time at it just because “security is important” – you need to have a sensible approach to it, considering business and economic reasons.
4. “How do we compare to others?”
This might seem to contradict what we said before, that your security measures should be tailored to your company’s needs – but it doesn’t. It might sound like you should be looking to your competitors to plan your security strategy better, but that’s not it. In fact, it’s more about tweaking your strategy by learning from the mistakes others in your field have made. Clearly, this will play a major preventive role in the future.
For instance, you can analyze similar companies’ security incidents (in your industry, of similar size, working with the same providers as you) and see what you can learn from them. Maybe you’re making the same mistakes, but no one has exploited them yet. Instead of holding onto a ticking bomb, you should look at the remediation measures those companies took after the incidents and check whether they make sense for you.
Doing this is very beneficial and should be an ongoing process, mainly because you can never be aware of all the threats. Staying vigilant is the only way to stay protected, and, for that, you need to compare notes with those in similar situations.
5. “How do we get better?”
The last question is the one you’ve been building up to by answering all the questions before it: what can you do to improve? With all the details you’ve gathered in the previous answers, you should be better prepared to define a proper security strategy and point to a direction to follow. This final answer should consider your current security assets, your company’s associated risks, your risk management approach, your priorities, your investment capacity, and so on.
This should be the step in which you sit down and consider all the variables so you can later lay out a plan that helps you strengthen your security. In other words, it’s when you make a list of actionable steps you’ll follow after the assessment is done. Will you buy new equipment? Will you develop custom security solutions? Will you put an ongoing employee training program in place? Will you hire new vendors?
You can’t say this process is finished until you come up with this list. Even if you’re fully satisfied with your current security level, you can always define a next step (such as identifying when you’ll be making the next security assessment).
The Challenges Ahead
These are hard times, and the future ahead is filled with uncertainty due to the Coronavirus’s still-active threat. However, that doesn’t mean you can’t make any sort of plans. That’s especially true for security, one of the most important things you can tackle right now. And it applies even more if the pandemic forced you to accelerate your digital transformation.
But even if you already had a high-profile security plan in place before the COVID-19 crisis, this is the right time to revisit it to analyze its strengths and weaknesses. Given the many challenges all businesses will have to face in the coming months, you don’t want security issues to be hanging over your head while you navigate them.