Improving Your Cyber Security Posture
Is there an easy, cost-effective way of improving your cyber security posture? Yes, but many organizations don’t do it.
When people talk about an organization’s cyber security posture, they’re talking about how prepared that organization is to deal with any cyber security disruption. This covers substantially more than the brand of antivirus software it has installed or the configuration of its firewall. Your cyber security posture encompasses everything, including both hardware and software as well as people’s overall attitude. Is there a way to figure out what an organization’s attitude is? Start by looking at the policies they have in place and how the organization enforces them.
If something is important to an organization, it will take steps to protect it, such as implementing rules employees should follow. These can be formally defined with either policies, procedures, or both. Take a look at those and you’ll gain a pretty good understanding of what the organization’s leadership considers important.
Computers have been a part of everyday life in pretty much every organization for decades (and if that makes you feel old, sorry but it’s true; computers have been a major part of our daily work life for easily that long). However, not every organization has bothered to set up policies limiting computer use to a set of approved guidelines. Such an obvious oversight makes it fairly easy to figure out how important (or unimportant) a good cyber security posture is to an organization.
Part of a rigorous security audit includes reviewing an organization’s IT-related policies, as well as talking with employees and managers. This gives a pretty good look into what the organization’s general cyber security posture is. Sometimes a simple question about what sort of security employees have set up on their work-issued phones will reveal that nobody bothers to set up a PIN or a fingerprint ID. While that’s bad, the problem is usually that there are no rules being broken. Assuming a security policy covering mobile phones exists, it generally concerns itself with making sure the phone is not lost or misplaced, or that employees don’t run up roaming or data charges. Of course, we’re not out to shame organizations that want a robust security posture and didn’t realize mobile devices should be covered, but you can’t really claim to have a positive cultural attitude toward cyber security if you’re not willing to accept and address the dangers mobile devices can represent.
All that aside, there are three policies that form the basis for a strong cyber security posture:
- Acceptable Use Policy—This is probably one of the most well-known IT-security policies, and it involves what is and is not allowed on the business’s computers. Limitations on software installations, safe browsing practices, and generally just not being dumb with internet usage sum up the overall purpose.
- Mobile Device Policy—This is an important policy for any organization but downright vital for any organization that supplies phones or tablets to its employees. It should cover what is considered appropriate use of the device as well as the specific responsibilities of the employees to use them securely. Your mobile device policy should also include sections that cover the use of personal devices while on the job.
- Email Policy—Email is easy to access, easy to use, and easy to misuse. It’s also one of the most common attack vectors for anyone looking to gain entry to organizations. Not codifying how employees should respond to suspicious emails or any other significant email situation is a massive oversight.
The best way to ensure your organization has a strong cyber security posture is to make sure your employees are aware of cyber security issues through extensive training. However, although it’s highly recommended, that’s a long-term and expensive solution. Creating policies to govern dangerous online behavior will naturally create a situation where your organization will need to reflect on its security perspective and form the foundation of a healthy cyber security posture, not just because there are now enforceable rules but also because the existence of these policies will raise the employees’ overall awareness. These policies may not be enough on their own, but they are a very good start.
It’s a sentiment Shakespeare echoes in King John when he remarks, “Be great in act, as you have been in thought.”
If you’d like help evaluating or improving on your current cyber security posture, contact one of our TRINUS account managers today and we’ll be happy to set up a consultation.
Courtesy your friendly neighbourhood cyber-man.