By Zina Hassel, ZLH Enterprises & ASCII Member
Many companies diligently pursue compliance and believe that their information systems are therefore secure. Unfortunately, this isn’t usually the case. Making certain that compliance initiatives are in place does not guarantee an optimum security posture. The face and tactics of cybercriminals evolve daily, creating an environment that requires continuous monitoring. A safe assumption is that cybercriminals will eventually breach every company; the question is “how quickly can you detect and stop it?”
Security and privacy are critical to our businesses and our nation. As an industry, we have responded rapidly, learning from each incident and creating alternative solutions. The biggest problem is that most companies don’t understand the urgency of the problem, and we haven’t helped by speaking in a “foreign” language that only industry professionals understand. So, let’s take the first step on behalf of our clients: start with a collection of the terminology that has evolved over the last 10 years and make sure everyone understands what they need to do and why.
What’s The Difference Between Security And Compliance?
While there are some overlaps between security and compliance, genuine cybersecurity is much more than compliance.
What Are Cyber-Risk Assessments, IT Security Assessments, Security Audits, Compliance Audits, Performance Audits And Risk Mitigation Reports?
If a security company “says” they provide cybersecurity, exactly what does that mean?
If you search the term “Cyber Security” you will find endless pages filled with companies that offer equipment like firewalls, or security software and reporting for IT companies. Or you’ll find ads for the big consulting firms like Accenture and Deloitte, as well as hundreds of companies with catchy key phrases that don’t tell you exactly what they provide. Here are some of the key phrases you may hear:
What should your checklist include so you can understand all of the elements required to assess and manage the current IT and software ecosystem? You can work with one vendor or multiple vendors to build the checklist model. It’s never a bad idea to have a disinterested third party involved in the assessment process, because an assessment isn’t a pass-or-fail scenario. An assessment reports on the areas that are working well and the areas where vulnerabilities may exist, and produces a recommended risk mitigation plan. Government agencies view assessments as an essential component of being both compliant and secure.
Key Elements Of An Ongoing Security And Compliance Plan
Why Should Small And Medium-Size Companies Implement Enterprise Level Security?
The biggest obstacle to having a strong security program is the false confidence that your company is too small for attackers to bother with. Attackers know that small and medium businesses are the easiest targets, because smaller businesses have fewer resources and most employees wear multiple hats.
Compounding the problem, experts frequently present security requirements as a confusing, expensive maze, which leaves many companies without even simple and inexpensive security defenses. In reality, there are many options any company can implement by building a plan and working the plan one layer at a time.
The key is to take the first step and build a plan. Don’t be afraid to outsource your IT or to have multiple partners provide services based on their expertise. Find a partner you trust to simplify the process; you need to understand why and when certain equipment, software, monitoring, and assessments are needed, and what they cost. Partner with a third-party company to perform your security assessment, risk mitigation, and ongoing monitoring. It’s their responsibility to ensure that you have access to the right tools and a plan that enables you to keep your company safe and secure.
“But I’ve Already Got A Plan In Place And It’s Just Fine”
That’s actually great news! Having a plan is the first step, but it’s just the beginning. Have you ever performed a security risk assessment? Do you have a Certified Security Officer overseeing the program? Does your plan include written policies? Does your security plan include written goals for managing ongoing risk and for incident response? Do all devices require a login to access sensitive data and applications? Do you use encryption?
If you answered “No” to any of these questions, you need to stop and review your risk, starting with a security assessment. You may think you’ve done enough and feel that you’ve spent enough, but your ability to identify a breach and stop it is not assured. Here are some sobering facts:
Ask yourself again: have I really done enough to address both my compliance requirements and my security posture? Am I willing to bet my company’s future on that position? If not, find a trusted partner and begin to put those essential safeguards in place!
About The Author
Zina Hassel is President and Founder of ZLH Enterprises and has been a member of The ASCII Group since 2015.
About The ASCII Group, Inc.
The ASCII Group is a vibrant reseller community of independent MSPs, VARs, and other solutions providers. Formed in 1984, ASCII has more than 70 programs that provide turnkey cost-cutting strategies, innovative business-building programs, and extensive peer interaction. ASCII members enjoy benefits such as marketing support; educational information; group purchasing power; increased leverage in the marketplace; and multiple networking opportunities. These programs enable ASCII members to increase revenue, lower operating costs, and grow service opportunities. ASCII is the oldest and largest group of independent information technology (IT) solutions providers, integrators and value-added resellers (VARs) in the world. Learn more at www.ascii.com.