Last month, I was having a conversation with one of my customers about his security strategy. Like most organizations, this has been top-of-mind for him for a while. Designing a security strategy for our modern information technology environment can be complex. At one point, feeling a little hopeless at the job before us, he echoed a common refrain, something to the effect of, “what is the point?” He went on to explain his frustration – there are so many threat vectors to defend against, it feels like an impossible fight, is this really worth the cost? When it all comes down to it, that’s the question that he’s getting to: ‘This all sounds really expensive; can we really justify this.’
In a way, he’s not wrong. There is no 100% guarantee that you can be fully protected from a data breach. However, given the damage that can be done if you are breached, doing nothing is not an option. I could go into “The Real Cost of a Breach,” but that is something that has been explored many times before (including in our eBook). Instead, I’d like to suggest a few steps that organizations can take that don’t require investing in an expensive tool.
What’s your secret sauce?
First and foremost, identifying the data that matters most to your organization – whether that’s regulated data or it’s your crown jewels – allows you to focus most of your security intensity on a subset of your data. This is the first component of a security framework and we’ve written about this in many places, most recently in our Spring Security Summit event recap. This effort will rely on pulling in different parts of the business to understand what is most important and requires the greatest security considerations.
What capabilities do you already have?
Since you’ve identified the most sensitive data, you can scale your security intensity to that subset of data. Now what? Looking at our security wheel below, you can match up some of your existing solutions with the different layers of security:
For instance, you almost certainly have a firewall already. Is it up to date? Are there policies that you can setup to improve its effectiveness? How about your switches? Are you leveraging the built-in security capabilities?
You could also look at Identity – something that’s taken on greater importance in the cloud era – do you have a strong password policy? Are you regularly auditing your accounts, especially admin accounts?
Additionally, beyond the areas that are obvious from the security wheel, many cloud platforms include security features that you may not be using. Office 365 is a great example: Multi-factor authentication (MFA), Data Loss Prevention (DLP), Message Encryption, and Rights Management (RMS) are just a few examples of features that you may own already.
The point is, there are likely components that you already have in-place that could be improved without replacing. There are solutions that you own that include security features that you’re not yet taking advantage of. Is a NextGen Firewall better than your older model? Absolutely. You’ll have to weigh that decision, but there are still steps that you can take to improve your current posture without upgrading right away. Cyber security is never complete. It is always evolving to counter or preempt new techniques. The ideas in this blog post represent one more step in your evolution.
Securing your sensitive data can be complex, but it doesn’t have to be expensive. Hopefully these tips can get you started in the right direction. If you need help diving into data classification or somewhere along the way, email us at firstname.lastname@example.org. We’re standing by to help.