Business presences and processes are increasingly moving to the cloud, and as a result web-based services and infrastructure are becoming more appealing targets for criminals. Symantec, which issues a yearly threat report, notes that zero-day vulnerabilities, personal record thefts, spear-phishing attacks, and other threats are on the rise.
Many businesses report having insufficient security measures in place to protect against attacks. These six principles provide a solid start on a cyber security strategy:
- Keep cyber security policies current. As the online environment evolves, so do threats and vulnerabilities. A security policy that is sufficient to protect a business one year may be woefully insufficient the next. Security teams should be empowered to stay on top of new developments in cyber security, and to implement responses at their discretion.
- Security staff should be rigorously trained. Cyber security is a complex, quickly evolving field. Training should be available so that security professionals can recognize and evaluate threats and interpret changes in the security field.
- Insurance should be a company investment. Cyber insurance can provide additional resources to a company facing a data breach or other cyber attack, and can mitigate costs associated with recovery and investigation if an incident should occur.
- Prevention planning should be a priority. Businesses should plan to be proactive, not reactive, in maintaining their digital security. Cyber insurance companies and external security resources should be chosen to fit the business’s specific needs, growth plans, and threat history.
- Security should be in effect no matter where data is stored. The security precautions for an on-site server and a process or application running in the public cloud are different, and each one is essential. Even if all business-critical data is stored on secure private servers, an attack on a business’s public cloud resources can interrupt customer engagement and even cause severe reputational damage. All digital resources should be safeguarded.
- Security should be in effect no matter how data is accessed. A thorough understanding of how customers access data isn’t only important for marketing efforts and web design: cyber security considerations can also differ depending on whether customers access resources on desktop or mobile devices. Where user security can’t be provided for on the business end, users should be alerted to any potential security threats and educated on how best to handle them.
While cyber security is both multifaceted and challenging, these core principles can serve as the backbone for a robust security policy.