IT security events are the stuff of nightmares for security professionals. All your finely tuned procedures and systems fail. Then you have to scramble to define the problem, hire outside consultants and answer difficult questions from customers and managers. The reputational damage from IT security events includes fines from governments, lawsuits and lost customer trust. You need to take a proactive approach to avoid IT security events. Use this multi-phase strategy to shore up your defenses with better passwords and IT security habits.
Phase 1: Conduct an IT Security Assessment
Merely ordering the IT security department to deliver better security is not helpful. There are a thousand ways to improve security. Where should they focus? Which improvements will deliver the best return? Fortunately, you do not have to guess. You can get the answer by starting with an assessment project.
To find the security problems in your organization, we recommend internal analysis and external analysis. First, start with your organization’s internal situation, since that is the easiest to assess.
Assessing your current IT security
- IT Security Monitoring Reports. Review your most recent quarterly and monthly monitoring reports to see which threats are hitting the organization. If you see threats marked as yellow or red, you may have a high risk of suffering an IT security event. While you review reports, examine your access management KPIs as well.
- IT Security Strategy. Take a hard look at your IT security strategy and ask yourself if you have the resources, staff, and tools to fully execute it. A security strategy that is not supported by resources to execute will only give your leadership false confidence.
- External IT Security Reports. Some companies hire external experts to conduct penetration testing and other testing activities to look for problems. However, these reports generally only detect problems – they do not fix them. Therefore, if you have open security recommendations, it is time to work at fixing them.
- IT Security Training Program. Review the current IT security training you offer to employees. The best-in-class programs provide employees with security simulations such as phishing emails. A purely lecture-style IT security training program may not give employees confidence to face threats.
- IT Security Policies and Procedures. Your policies and procedures need to be updated and monitored for enforcement regularly. If your policies have not been updated in over a year, we recommend updating them as soon as possible.
Now that you have a good understanding of your IT security situation, let’s change focus on the external world. We are going to look for threats, technologies and industry trends that may impact our organization.
- Review IT Security Events In The News. You may have a glancing familiarity with security events in the news. Your next step is to take a closer look. Read articles like The Biggest Cybersecurity Crises of 2019 So Far. Ask yourself: what weaknesses drive this type of situation? Was it a problem with managing user access? How could better passwords play a role?
- Review Emergency IT Security Threats. New threats hit the marketplace every month. You might be able to detect and stop phishing threats, for example. What about internal fraud risk from former employees of your organization and suppliers?
- Research New Security Tools and Technologies. So far, we have looked at the threats that come from the external world. That’s just the beginning. You can also save time and money by leveraging new security tools. For example, Password Station helps you to enforce your password security requirements systematically throughout the company.
- Increasing Technical Complexity. Internet of Things devices and cloud services are becoming standard at many companies today. Unfortunately, traditional IT security event prevention and detection tools are not keeping up. Assess the degree to which innovative technology is not covered by your IT security.
At the end of this analysis project, review your observations. You will probably find a large number of areas to work on. That is a natural outcome since IT security challenges are continually evolving. However, you need to make choices about where to focus your energies to get the highest return on your efforts.
For each potential security improvement, ask yourself three questions:
- What is the likelihood of an IT security event occurring if this change is not implemented?
- What would be the impact (e.g. reputational damage, fines, etc.) of IT security events occurring if this change is not implemented?
- What is the cost in terms of effort and resources to implement this change?
You will probably find password management is a critical area on which to focus. Let’s carry that example forward to the next step.
Phase 2: Implement a High-Value IT Security Improvement Project
Based on your analysis in Phase 1, you decide to focus your IT security event prevention efforts on one improvement: better passwords. To implement that change, you need to engage employees and make passwords easy for them. Let’s address both points in turn.
Engage Employees To Improve Password Behavior
IT security starts with improving awareness. When employees understand the critical role robust passwords play in the organization, they will be more likely to follow your requirements.
Empower Employees By Offering Better Password Tools
Simply asking employees to “do better” with passwords will only carry you so far. You also need to recognize that most people do not think about their passwords that much. Therefore, you need to make password management easy. What if you could offer 24/7 reliable password administration? You can make that happen this month by implementing Apollo, a specialized IT security chatbot.
Take Your First Step To Better Passwords Today
Delivering better passwords is a crucial technique to prevent IT security events. By using identity and access management tools, you can enforce stronger passwords throughout the organization. By going through the analysis steps we’ve laid out, you can also find other security gaps to address. Just remember to prioritize your findings and solve one gap at a time. By continuously improving IT security, you will make security events much less likely.