Measure your organization’s security posture to ensure protection

The data companies have in their digital networks multiplies daily. And as the workforce becomes increasingly mobile, more and more devices seek to connect to that data via the internet, creating significant vulnerabilities for companies.
“Too often business leaders don’t understand the nature of the data that’s sitting on their network,” says Joe Compton, a principal at Skoda Minotti Risk Advisory Services. “Companies that fail to do comprehensive risk assessments have no way of understanding the potential business impacts if that data were to be stolen or rendered inaccessible.”
He says that’s why it’s important that organizations adopt an IT security framework (e.g., PCI, HITRUST, NIST SP 800, or ISO 27001) to protect sensitive information from those who seek to profit from it illegally.
Smart Business spoke with Compton about what companies should know about the data they keep and how to protect it.
How do businesses determine what security standards to adopt?
Before selecting a security framework, companies should first determine what data they have and where it is, then assign some level of risk to each data category.
Data should be classified by its level of sensitivity. The highest level of security should be assigned to data that would be most damaging to the company or its clients/customers if it were to be captured by a bad actor. Another aspect to data classification is the importance of its availability. What data must a company access daily to operate?
Consider how threats could affect the integrity of data processing. These could alter a transaction or alter the way other information is processed in the system so that it becomes inaccurate — an attack that could affect bank statements or payroll.
Once a company understands the types of data and the risks the loss of each poses, it can select a security framework. Adopting a framework of controls gives the company the ability to audit and test its protections and understand how network threats are being handled. It also provides management a decision framework when considering enhanced security controls.
The simplest control framework to implement is PCI DSS (Payment Card Industry Data Security Standard), which is designed to protect credit card holders against the misuse of their personal information. Adhering to this standard doesn’t guarantee that a company’s data will be secure, but it does offer a sound framework of best practices to reduce unmitigated threats.
How can organizations feel confident that their security is adequate?
Once a company has implemented a security framework, it should conduct security testing to expose flaws. At a basic level, this can be done as automated, weekly vulnerability scans that alert management to discovered weaknesses and advise how they can be remediated. It’s also a good idea to conduct regular penetration testing to ensure systems can’t be altered or otherwise tampered with.
It’s also important that every organization achieves some type of segregation of duties. There should be adequate testing of user roles in the system to make sure users can’t escalate their privileges and access otherwise restricted information.
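The role testing described above, as an added example that is not part of the interview or of Skoda Minotti’s material: a small harness that checks a role model for segregation-of-duties conflicts and for roles that can reach permissions they were never granted. The roles, permissions, conflict pairs and the "role.assign:" convention are all constructed for this example.

```python
"""Added example (not from the interview): a test harness for a role model.

It checks the two things the answer above asks for:
  * segregation of duties: no one role holds a conflicting pair of permissions
  * privilege escalation: no role can reach permissions it was never granted
    by assigning itself a more privileged role

Everything below (roles, permissions, conflict pairs) is constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed role model: role name -> permissions granted directly.
# "role.assign:<role>" means the holder may assign <role> to any account,
# including their own; "role.assign:*" means any role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_manager":    {"invoice.approve", "payment.release", "vendor.create"},
    "payroll_clerk": {"payroll.edit"},
    "payroll_admin": {"payroll.run"},
    # Misconfiguration planted on purpose: helpdesk can hand out ap_manager.
    "helpdesk":      {"user.reset_password", "role.assign:ap_manager"},
    "admin":         {"role.assign:*", "user.reset_password"},
}

# Constructed segregation-of-duties rules: pairs no single role may hold.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("vendor.create", "payment.release"),   # create a vendor and pay it
    ("invoice.enter", "invoice.approve"),   # enter an invoice and approve it
    ("payroll.edit", "payroll.run"),        # change payroll and run it
]


def assignable_roles(perms: Set[str]) -> Set[str]:
    """Roles the holder of `perms` can assign ('*' stands for every role)."""
    return {p.split(":", 1)[1] for p in perms if p.startswith("role.assign:")}


def effective_permissions(role: str, role_perms: Dict[str, Set[str]]) -> Set[str]:
    """Permissions reachable from `role`: those granted directly plus those of
    every role it can assign to itself, followed transitively."""
    perms: Set[str] = set()
    seen: Set[str] = set()
    frontier = [role]
    while frontier:
        current = frontier.pop()
        if current in seen or current not in role_perms:
            continue
        seen.add(current)
        perms |= role_perms[current]
        for target in assignable_roles(role_perms[current]):
            frontier.extend(role_perms if target == "*" else [target])
    return perms


def escalations(role_perms: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map role -> permissions it can reach but was never granted directly."""
    findings: Dict[str, Set[str]] = {}
    for role, direct in role_perms.items():
        extra = effective_permissions(role, role_perms) - direct
        if extra:
            findings[role] = extra
    return findings


def sod_violations(role_perms: Dict[str, Set[str]],
                   conflicts: List[Tuple[str, str]],
                   effective: bool = True) -> List[Tuple[str, str, str]]:
    """List (role, perm_a, perm_b) for every conflicting pair a role holds.
    With effective=True the check uses reachable permissions, so a role that
    can escalate its way into a conflict is caught as well."""
    findings: List[Tuple[str, str, str]] = []
    for role, direct in role_perms.items():
        held = effective_permissions(role, role_perms) if effective else direct
        for a, b in conflicts:
            if a in held and b in held:
                findings.append((role, a, b))
    return findings


if __name__ == "__main__":
    for role, extra in escalations(ROLE_PERMISSIONS).items():
        print(f"ESCALATION  {role}: can reach {sorted(extra)}")
    for role, a, b in sod_violations(ROLE_PERMISSIONS, SOD_CONFLICTS):
        print(f"SOD CONFLICT {role}: holds both {a} and {b}")
```

Checking conflicts against effective rather than direct permissions is the point of the design: the planted helpdesk misconfiguration holds no conflicting pair itself, but because it can assign ap_manager it can reach one, and a direct-only check would pass it. The admin role is reported too; whether an all-powerful role is acceptable is a decision for management, which is what the framework is meant to support.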
What is the process to make sure these benchmarks are being met?
It’s critical to conduct regular security and risk assessments, either internally or through an outside provider, and make sure internal logs are being monitored for activity.
If a company has the resources, getting an independent, third-party opinion on a regular basis is always good.
The third-party provider’s job is to identify vulnerabilities and deliver ideas on how to make the environment more secure. Established and reputable third-party providers are likely in hundreds of environments every year, which gives them a broad perspective on the types of threats that exist and how to stop them.
Companies must be diligent when monitoring and testing their networks. If a breach or attack does occur, it’s better to know within 24 hours than six months later. It’s not about perfection, but rather mitigation. That takes a well-defined process and a cohesive plan to manage.
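The log monitoring this answer calls for, as an added example that is not part of the interview or of Skoda Minotti’s material: a small monitor that runs two detections over constructed sample log lines, one for a burst of failed logins followed by a success and one for role changes an account makes to itself or that grant admin. The log format, field names and every line in SAMPLE_LOG are constructed for this example.

```python
"""Added example (not from the interview): a small log monitor that turns
"make sure internal logs are being monitored" into two concrete detections
run over constructed sample lines.

Rule 1: a burst of failed logins for one account, followed by a success,
        inside a short window (password guessing that worked).
Rule 2: a role change an account made to itself, or any grant of "admin".

The log format and every line in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

# Constructed sample log: "TIMESTAMP KIND key=value ...", one event per line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z auth user=jdoe src=10.0.5.23 result=FAIL
2024-03-04T09:12:04Z auth user=jdoe src=10.0.5.23 result=FAIL
2024-03-04T09:12:07Z auth user=jdoe src=10.0.5.23 result=FAIL
2024-03-04T09:12:09Z auth user=jdoe src=10.0.5.23 result=FAIL
2024-03-04T09:12:12Z auth user=jdoe src=10.0.5.23 result=FAIL
2024-03-04T09:12:20Z auth user=jdoe src=10.0.5.23 result=SUCCESS
2024-03-04T09:15:00Z role user=jdoe actor=jdoe old=ap_clerk new=admin
2024-03-04T10:01:00Z auth user=asmith src=10.0.7.8 result=FAIL
2024-03-04T10:30:00Z auth user=asmith src=10.0.7.8 result=SUCCESS
2024-03-04T11:00:00Z role user=bwong actor=admin_ops old=ap_clerk new=ap_manager
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one 'TIMESTAMP KIND key=value ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event: Dict[str, Any] = dict(pair.split("=", 1) for pair in m.group("kv").split())
        event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event["kind"] = m.group("kind")
    return event


def detect(log_text: str, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Dict[str, Any]]:
    """Return alerts, in log order, for the two rules described above."""
    alerts: List[Dict[str, Any]] = []
    recent_fails = defaultdict(deque)   # account -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts = ev["ts"]
        if ev["kind"] == "auth":
            fails = recent_fails[ev["user"]]
            while fails and ts - fails[0] > window:   # forget failures outside the window
                fails.popleft()
            if ev["result"] == "FAIL":
                fails.append(ts)
            elif ev["result"] == "SUCCESS" and len(fails) >= fail_threshold:
                alerts.append({"ts": ts, "rule": "login_after_guessing", "user": ev["user"],
                               "detail": f"{len(fails)} failures from {ev['src']} then success"})
                fails.clear()
        elif ev["kind"] == "role":
            if ev["actor"] == ev["user"]:
                alerts.append({"ts": ts, "rule": "self_role_change", "user": ev["user"],
                               "detail": f"{ev['old']} -> {ev['new']}"})
            if ev["new"] == "admin":
                alerts.append({"ts": ts, "rule": "admin_role_granted", "user": ev["user"],
                               "detail": f"granted by {ev['actor']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts'].isoformat()} {alert['rule']:22} {alert['user']:8} {alert['detail']}")
```

Over the sample lines the monitor raises three alerts for jdoe and none for asmith (a single failure well outside the window) or for bwong (a routine change made by someone else). Both detections fire on the day the events occur, which is the "know within 24 hours" posture the answer describes; the thresholds are parameters so they can be tuned to an environment’s normal failure rate.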
Insights Accounting is brought to you by Skoda Minotti