Armed with knowledge and well thought-out security strategies, companies can anticipate and rectify vulnerabilities and respond swiftly to malicious activity.
Following are the top costly mistakes to avoid:
1. Failure to realize that perimeter security alone is no longer enough.
Don't misunderstand: perimeter firewalls and VPNs are still useful, but only as a first line of defense. Once an attacker, a phished user or an infected laptop is inside the network, the perimeter provides no protection at all, so it must be paired with robust internal security controls. Many organizations neglect this.
2. Failure to protect laptops and home computers.
Companies can be, and have been, burned by lax security policies for laptops and home computers. A machine that is compromised over the network, or one that is stolen while unsecured or holding unencrypted data, can expose an organization's processes, damage its reputation and harm its customers. Full-disk encryption on portable machines limits what a thief gains from the hardware alone.
3. Failure to institute effective change management.
It is essential that organizations employ a systematic and thorough approach to change management: knowing which operating system releases and patches are deployed on which systems, who approved each change, and how to roll it back. Without that record, a vulnerability assessment cannot tell which machines are actually exposed.
4. Failure to recognize the importance of security awareness programs.
Security awareness initiatives alert employees to the importance of sound information security and to the bleak consequences of a breach. When the importance of protecting information assets is explained in everyday language, everyone is on the same page with regard to company protocol.
5. Failure to implement a defense-in-depth strategy.
As attackers and malicious code continue to penetrate systems at an alarming rate, a single layer of defense provides flimsy protection. Defense-in-depth layers independent controls so that the failure of any one of them, whether a missed patch, a misconfigured firewall rule or a phished password, does not by itself hand an attacker full access.
6. Failure to implement a vulnerability management strategy.
Vulnerability management and risk mitigation should be recognized as core components of an information security plan, with attention devoted to system inventory, information management, risk evaluation and response protocols.
7. Failure to get support for security programs.
Without executive buy-in, security programs tend to be disjointed and ineffective. But executives are increasingly recognizing they have a stake in the success of their company's security program, with industry legislation and corporate governance holding CEOs liable for the security of company information.
8. Failure to track key security metrics.
Tracking security metrics allows organizations to gauge the risk level in their environment. Metrics help companies report on their success and also afford them insight into areas for improvement.
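The vulnerability-management components listed under mistake 6 (system inventory, risk evaluation) and the metrics under mistake 8 can be made concrete in a few lines. The following is an added example, not code from the article or from Dimension Data: it takes a constructed asset inventory and a constructed list of findings and computes the figures a team would put in a periodic report. The SLA windows, severity weights and the 1-to-3 criticality scale are assumptions chosen for the illustration, not an industry standard.

```python
"""Vulnerability-management metrics over a constructed asset inventory.

Added example (not from the original article): given an inventory of
assets and a list of findings, compute the metrics a security team would
report: open findings past their remediation SLA, mean time to remediate,
a per-asset exposure score, and findings on hosts missing from inventory.
All data below is constructed; SLA windows and weights are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs in days per severity (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed severity weights used by the exposure score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    criticality: int  # assumed scale: 1 (low) .. 3 (business-critical)


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    discovered: date
    fixed: Optional[date] = None  # None while the finding is still open


# Constructed sample inventory; "db-legacy" is deliberately absent from it.
ASSETS = {
    a.name: a
    for a in (
        Asset("web-01", "platform", 3),
        Asset("build-02", "ci", 2),
        Asset("lt-sales-07", "sales", 1),
    )
}

# Constructed sample findings (scanner output would normally feed this).
FINDINGS = [
    Finding("web-01", "critical", date(2024, 5, 1), date(2024, 5, 4)),
    Finding("web-01", "high", date(2024, 5, 10)),
    Finding("build-02", "medium", date(2024, 3, 1), date(2024, 4, 15)),
    Finding("build-02", "critical", date(2024, 5, 20)),
    Finding("lt-sales-07", "low", date(2024, 1, 15)),
    Finding("db-legacy", "high", date(2024, 4, 1)),  # host nobody inventoried
]


def overdue_findings(findings, today):
    """Open findings whose age exceeds the SLA for their severity."""
    return [
        f for f in findings
        if f.fixed is None and (today - f.discovered).days > SLA_DAYS[f.severity]
    ]


def mean_time_to_remediate(findings):
    """Average days from discovery to fix over closed findings; None if none closed."""
    closed = [(f.fixed - f.discovered).days for f in findings if f.fixed is not None]
    return sum(closed) / len(closed) if closed else None


def exposure_by_asset(findings, assets):
    """Sum of severity weight x asset criticality over open findings, per inventoried asset."""
    scores = {name: 0 for name in assets}
    for f in findings:
        if f.fixed is None and f.asset in assets:
            scores[f.asset] += SEVERITY_WEIGHT[f.severity] * assets[f.asset].criticality
    return scores


def report(findings=FINDINGS, assets=ASSETS, today=date(2024, 6, 1)):
    """Collect the metrics into one dict suitable for a periodic report."""
    return {
        "open": sum(1 for f in findings if f.fixed is None),
        "overdue": sorted((f.asset, f.severity) for f in overdue_findings(findings, today)),
        "mttr_days": mean_time_to_remediate(findings),
        "exposure": exposure_by_asset(findings, assets),
        # Findings on hosts that are not in the inventory: an inventory gap, not a scan error.
        "unowned_assets": sorted({f.asset for f in findings} - set(assets)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The "unowned_assets" line is the one to watch: a finding on a host that nobody owns has no SLA clock and no criticality, which is exactly how a vulnerability-management program quietly stops covering part of the estate.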
9. Failure to realize the value of their information and security reputation.
With system outages, lost data and a sharp loss in public confidence costing companies and governments billions in lost revenue each year, it behooves organizations to ensure that information security remains a top priority.
10. Failure to understand the relationship between IT and business processes.
By aligning business processes with IT, companies can facilitate seamless day-to-day operations. A holistic business approach and unfettered lines of communication allow a business to run smoothly and provide a solid foundation for swift and coordinated responses.
As threats to information assets continue to proliferate and increase in severity, it is essential that organizations steer clear of these pitfalls and implement a holistic, well-planned security strategy. But as technology changes, so should companies. A once highly effective plan, if allowed to go stagnant, becomes a costly headache and a danger to information assets. By planning ahead, staying abreast of security developments and avoiding the blunders above, organizations reduce the likelihood of a data breach and increase the probability of overall business success.
- Scott Chudy is senior solutions architect for Dimension Data's security practice, North America.