Imagine if an invisible thief could break into your home and start stealing your possessions. That’s one of the threats posed by inadequate IT security. The pain and loss of poor IT security practices cost a great deal.
Let’s illustrate the scale of the IT security challenge:
- The average cost to a company was $3.5 million in US dollars (2014 Cost of Data Breach, Ponemon Institute)
- Criminals stole $45 million from Rakbank and Bank of Muscat in 2013 by breaching ATM card security in 2013 (American Banker)
- In 2014, Sony paid a $15 million settlement payment in the wake of the 2011 hack of Playstation (Engadget)
Clearly, IT security failure are expensive. For many in the technology community, the default reaction is to invest in security software and hardware. Better security technology is absolutely vital. Technology is part of the IT security puzzle. Training staff on IT security best practices is arguably even more important to securing your organizations’ information assets.
The following projects are excellent ways to reinforce IT security. Best of all, they require little to no money to implement. To experienced security professionals, these may seem like basic ideas. However, I challenge you to ask yourself: is my organization successfully implementing these ideas?
IT Security Project 1: Organize a security briefing For your department
Knowing is half the battle. To improve IT security, employees need to understand the fundamentals of security. Here are some starting points for an introductory security briefing:
- Password Basics: Recommend changing corporate passwords every 90 days or more often.
- Caution Against Unfamiliar Software: Remind your staff that installing new software can increase IT security risk. For some staff working on highly sensitive activities, consider preventing the installation of new software.
IT Security Project 2: Implement a system access review
How many different applications, systems and IT resources does your company have? Staff at small organizations typically have more than half a dozen logins to manage. Follow these steps to improve your risk management relating to system access:
1) Create A System Access List.
The first step is to ask each employee to list the applications, systems and other resources that require a login. Also ask them to list the reason they use a given resource (e.g. Finance System. Use: Prepare quarterly financial statements for management).
2) Identify Access Rights For Elimination.
Over time, job responsibilities shift and evolve. Use this step to ensure that your IT security keeps pace. Using the system access list created in step one, evaluate whether there are system rights that can be eliminated. For example, if a sales representative resigns from the organization, it is important to eliminate their system access rights as a proactive way to prevent information loss.
3) Schedule An Annual Review.
To maintain IT security, I recommend an annual review of system access rights and privileges. Large firms may already have this requirement in their policies. Ask yourself about the last time you implemented a review. If you skip this step, your IT security will gradually deteriorate.
My question to you is: What is one critical behaviour that improves your organization’s IT security?
