We can often be swayed by changing trends, new vulnerabilities or attack vectors, or differing internal opinions about which areas deserve the most focus.
I believe that one of the most important strategic decisions a company can make in security, if not the most important, is to protect its “crown jewels”. Sadly, I fear some organisations overlook this, either by attempting to achieve compliance with a standard too early (ISO 27001, for example), by spreading themselves too thinly across many areas of security, or simply by misunderstanding what needs to be protected and why.
For example, consider: is it worth spending thousands of pounds on a secure coding training course for your developers if the user passwords in your database aren't hashed?
Moreover, is it worth investing in the latest and greatest endpoint protection if all of your users' personal information is unencrypted? Should you really buy a network intrusion protection system if the current status quo is that all of your database admin passwords are identical and never changed?
There are some simple considerations to help focus your efforts:
1. Focus initially on the areas that would be of greatest significance to your business were a major incident to occur. Perhaps it's the personal information of your millions of users? Credit card data from transactions? The loss of your website due to a DDoS attack? Internal super-sensitive documentation?
Which potential incidents could put your business in the press for the wrong reasons, causing untold reputational damage? Which would ultimately cost you the most money and time to recover from? Most importantly, how can you best protect your consumers?
2. Try to prioritise what you CAN do over what you'd LIKE to do. Resources, skills, budget and time will all restrict what you are capable of doing at any point in time. There will always be tasks you can't complete or risks you need to accept. You can try to “secure all the things”, but the “things” just keep growing!
3. Don't be taken in by aggressive sales-pitches or jargon/buzzword bingo for products that you don't currently need or can't invest any time in. It's the security equivalent of locking your car driver door with the latest biometric entry system, but leaving the boot open after you've parked it.
You can deal with and recover from an internal security incident: perhaps an isolated phishing attack against your CEO or Board, a piece of malware that has infected a small number of machines, or an employee who has inadvertently clicked on a suspicious web link that your firewalls didn't block.
What you will struggle to recover quickly from is a compromise of your crown jewels, the very things your business values most.
Protect these to the best of your ability and the rest will follow.
Contributed by Stu Hirst, security manager, Skyscanner
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.