There is a force that is quietly weakening your IT security week after week. Ignore this force, and your organization will suffer. No, we’re not referring to the “dark side” of the Force from Star Wars. Instead, we mean entropy – the tendency of systems to decay over time. You see it in the natural world. You see it with your clutter at home. It even applies to your fitness.
The Long Slide To IT Security Failure
In IT security, most people – especially non-security professionals – focus their attention on the headlines. They read about companies like Capital One bank suffering a security incident in 2019 which exposed personal data from millions of people in the U.S. and Canada. Or they see reports about the increasing pace of hacking attacks like the 2019 hacker report. These events attract a lot of attention and trigger around the clock.
Many of these IT security events are either preventable or would have a much smaller impact with one change — specifically, the discipline to monitor your IT security situation weekly. This weekly habit is the difference between spotting a vulnerability early and late. It is the difference between implementing a simple fix and a complex multi-month tech project.
The Weekly IT Security Habit For The IT Department
Your IT organization has a special responsibility to design and monitor IT security across the organization. The following weekly review habit is aimed at a general IT professional who has IT security as a responsibility. If your organization has dedicated cybersecurity professionals, you have the opportunity to delve into an additional layer of detail.
Habit: IT Security Review (IT Department)
Frequency: Once Per Week
Duration: 1 hour
In the course of your IT security weekly review, we recommend reviewing the following points and subjects.
- Review High Priority IT Security Reports. Your company probably has reports on a variety of security issues. You might have an audit log on access management changes, for example. Make a list of the most important reports and take a few minutes to review them. This is a good way to reduce inactive user risk.
- Research Updates From Key Technology Vendors. You may have dozens of technology providers, but we’re willing to bet that a few of them are critical. For example, you may rely on Microsoft or IBM products to run your company’s core systems. In that case, make it a habit to review security updates from these vendors. If there is an update available, note a reminder on your calendar to assess and implement the update.
- Follow Up On IT Security Gaps. If you have an IT audit function or receive other reports on the state of your IT security, check up on those reports. Are you on track to fix the problems and gaps identified? If not, follow up with the responsible person or determine the next action to take.
When you first start this habit, it may take more than an hour. Over time, you will become more comfortable with it and become faster. If there is still too much for you to review, ask a colleague to join you in the practice so you can cover more ground.
The Weekly IT Security Habit For Managers
The IT department has a great understanding of technology for the company. However, they will not be as well informed about the business activities carried out by each department. That’s why we suggest a simplified IT security review for managers. This process is more process and people-focused since the IT department will look after the technology.
Habit: IT Security Review (Managers)
Frequency: Start with weekly. If no issues are detected over a few months, adjust the frequency to bi-weekly.
Duration: 30 minutes
- Identity And User Access Monitoring. If you ignore user access as a manager, your staff will end up with out-of-date access permissions. They may resort to high-risk behaviors like sharing passwords. Take 10 minutes to ask yourself if your staff need access to new applications or if there are access changes needed (e.g. if an employee left the department).
- IT Security Changes. Monitor your email and the company intranet for new security practices. For example, if the company rolls out multi-factor authentication for international travel, you need to reinforce that practice in your department.
- IT Security Support Needs. What support needs do your staff have in terms of security? This practice involves thinking back to questions, complaints and grumbling. For example, people may say that the two-factor authentication sign-in repeatedly fails for a finance system. Take that feedback and raise it with IT.
The above set of practices is a good fit for a “steady state” department. If your department is rapidly changing in terms of responsibilities or the number of staff, consider additional reviews.
Extra Credit: IT Security Habits For Other Employees
If you have already instituted robust IT security habits in the IT department and managers, your organization is doing well. You are covering the most sensitive areas and high-priority gaps. In some industries, that level of IT security habits is not enough. For instance, technology companies may be concerned about protecting trade secrets like algorithms and software. Banks and hospitals have regulatory requirements to meet. In those cases, consider role-based IT security reviews for different employees.
Example: IT Security Reviews For Software Developers
Security considerations need to be built into your software from step one. To help your developers, consider using a “four eyes” concept to weekly security reviews. Instead of reviewing code and configurations personally, partner with a colleague and review their code for security gaps. This review process will help to detect problems early when they are easiest to fix.
The Way To Make IT Security Upkeep EasierUltimately, there is a limit to how many IT security habits you can develop. That’s why you need to leverage IT security software that takes care of administration. Check out Apollo – the simple way to provide 24/7 password resets to all employees without waiting on hold.