Drive: NH | Issue 6 2019

Cybersecurity: Your Best Company Policy

JOHN A. BOULEY PRESIDENT, AWS-CSA-A, MCP, MCSBS 2MB CORP., DBA NATIONAL SOFTWARE SYSTEMS

How To Build A Culture Around Security

It is much less expensive to prevent a data breach than to have to mitigate the damage afterward, but you have to understand human nature before you can successfully protect any company. Any strategy you implement has to acknowledge and work with the people who are responsible for carrying out the program because their nature and actions will determine whether or not you succeed. You need their help to implement good security policies. With that starting point in mind, your strategy should include the following key aspects:

• A culture of security that includes everyone is the only way you can succeed in defending your organization against online threats.
• To start creating the culture of security, everyone needs to understand they have a role to play in making sure their company does not fall victim. Emphasize the fact that security is part of everyone’s job. That includes administration, sales and executives.
• Implement a training program that focuses on threat awareness. Employees are unlikely to prevent an attack if they don’t recognize what it is.
• Create a secure development lifecycle. You can apply this principle to any internal process, not just software creation.
• Segment information and only give relevant information to employees when they need to have it to do their jobs. Segmenting information helps prevent accidental or malicious disclosing of information.
• Create a program to reward employees who perform well and do the right thing when it comes to security.
• Create an open-door policy between all levels of the organization that empowers employees to point out flaws in the plan.
• Make security fun. For example, you could add games to the training and implement an award system.
One important concept I would like to get across is that “security is porous.” Even if you implement the best industry-standard hardware and software to prevent a breach or malware, you won’t know whether your work is effective until you test your defenses. Your protections are only theoretical until that happens, but most companies don’t look for the holes until it is too late. To uncover the holes, start pushing and applying pressure against your security systems.