You’re probably being inundated with Top 10 lists for the new year. This list is not the same. Our security and compliance experts have worked together to identify the initiatives they feel are the MOST important for the new year – no fluff. These are based on industry research, customer feedback, and what’s ultimately impacting your day-to-day security environment.
- Identify your most vulnerable assets, processes, and data. Work down the list and start securing your highest priorities. Even if other distractions arise throughout the year, you’ve mitigated your most substantial risks. Start on this as soon as possible – compromise could be around the corner.
- Implement a Security Awareness Training Program for your organization. Many of today’s breaches can be avoided if end users, engineers, and management, in short the entire organization, are aware of the methods attackers use to gain entry. The more aware an organization is, the more likely its people are to recognize intrusion attempts when they see them.
- Patch ALL endpoints and devices, especially network appliances (routers, switches, firewalls, and load balancers). We find that most IT departments focus on patching Windows systems, but rarely update and patch the network equipment. In 2015, take time to patch it all.
- Consider a move toward a least privilege access security policy. Grant employees only the minimal access needed for their specific job function. To implement this policy effectively, gain a solid understanding of which users and groups need access to which applications and systems. While it may take longer to roll out, least privilege access significantly decreases attack risk, and that is a risk most organizations are not willing to accept.
- Mitigate the risk of breach by leveraging detective controls. If you already have a breach incident response plan in place, maintain it and adhere to it. If you do not have a plan in place, it is absolutely critical to develop one.
- Governance, risk, and compliance (GRC) tools have evolved and are highly effective at keeping control of your environment. They also help measure the value of the IT and security departments when reporting to executive staff. Start evaluating the leading GRC tools, such as RSA Archer, and implement one.
- Conduct security health checks to ensure the security tools you already have in place are properly configured, deployed, and monitored.
- INVEST in security. It is cheaper than the aftermath of a breach. This does not mean purchasing every security tool available; it means investing in a plan that maps to your business requirements, properly leveraging existing resources, and closing any gaps with an organization-specific security solution.
Vid Sista | Security & Mobility Practice Director
Brian DiPaolo | Assessment & Compliance Practice Director