A new paper from security firm Bitsight Technologies was published this week, outlining 12 steps to differentiate between the perceived and actual security of your company.
Security measures can’t just be put in place and checked off a list; they need to be vetted and verified to make sure they’re the right solution for your business. Here are 12 things Bitsight encourages you to consider as you think about your organization’s cybersecurity measures.
1. “Number of botnet infections per device over a period of time.”
It doesn’t help to just know that botnets have infiltrated your network. Knowing how many, what kind, and where they are coming from will help you find the security holes they are getting through.
2. “Number of unpatched known vulnerabilities.”
Hackers know where your vulnerabilities lie. If you know where they are too, you’re much more likely to spend the time and resources to fix them before it’s too late.
3. “Number of properly configured SSL certificates.”
If your SSL certificates aren’t properly accounted for, let alone configured to the required level of security, bad guys can gain access to your sensitive company data.
4. “Amount of peer-to-peer file-sharing activity on a company’s corporate network.”
What happens when an employee is trying to download new music to listen to while at work, but accidentally downloads malware from a fake site? If free rein is given to all of the internet from the same computers that house private company data, odds are it won’t stay private for long.
5. “Percentage of employees with ‘super user’ access.”
Not everyone needs clearance to everything in your organization. Restricting access to data that would put your company at risk if leaked is just smart security. After all, you wouldn’t give everyone on your block a key to your house just because they’re nearby.
6. “Average number of days between notification of job departure and elimination of corporate access.”
Organizations typically do a much better job at onboarding than offboarding their employees. When someone leaves your company, what are they taking with them? What could they still have access to from a remote network?
7. “Frequency by which employee access is reassessed.”
It’s not enough to just evaluate employee data access when they are hired. If someone stays at your company for multiple years, a lot can change both in their workflow and personal life. Employee access should be vetted multiple times, not just during the initial onboarding process.
8. “Number of open ports during a period of time.”
How many outsiders are communicating with your network at any given time? Are they following the same security standards and using encrypted communications? Don’t forget the massive Target data breach occurred through a third-party vendor.
9. “Percentage of third-party software that has been scanned for vulnerabilities prior to deployment.”
Scan your software before you put it on every computer in your network. This should be a security no-brainer.
10. “Frequency by which a company reviews its entire list of suppliers and vendors and designates those that are critical.”
You should know which outside parties your company is working with. But you should also know what kinds of access they have to your company - and how sensitive that data is.
11. “Frequency by which a company verifies its vendor’s controls.”
Once you know what level of access each third party has within your organization, that access level should be vetted and verified on a regular schedule.
12. “Percentage of critical vendors whose cybersecurity effectiveness is continuously monitored.”
A security breach can occur at any moment - and it doesn’t take long to devastate a business. Make sure your software is constantly monitoring, not just testing “once in a while”.
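Two of these numbers, the offboarding lag (item 6) and the share of super-user accounts (item 5), are easy to compute from an HR feed and an account inventory. The script below is an added illustration, not part of the Bitsight paper or this article; the records are constructed, and the point worth noticing is that a departed employee whose access was never removed must count against the metric rather than be silently skipped.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not real data): one row per departed employee.
# 'revoked' is None when corporate access has not yet been removed.
DEPARTURES = [
    {"user": "alice", "notified": date(2024, 3, 1), "revoked": date(2024, 3, 1)},
    {"user": "bob",   "notified": date(2024, 3, 4), "revoked": date(2024, 3, 11)},
    {"user": "carol", "notified": date(2024, 3, 8), "revoked": None},
]

# Constructed account inventory: which accounts carry "super user" rights.
ACCOUNTS = [
    {"user": "alice", "superuser": False},
    {"user": "bob",   "superuser": True},
    {"user": "carol", "superuser": False},
    {"user": "dave",  "superuser": False},
]


def offboarding_lag(records, today):
    """Average days between departure notification and access removal.

    Returns (average_days, still_open). Users whose access is not yet
    revoked are listed in still_open and their lag is measured up to
    `today`, so an open account keeps dragging the average upward instead
    of being excluded from it.
    """
    lags, still_open = [], []
    for rec in records:
        end = rec["revoked"]
        if end is None:
            still_open.append(rec["user"])
            end = today
        lags.append((end - rec["notified"]).days)
    return (mean(lags) if lags else 0.0), still_open


def superuser_share(accounts):
    """Percentage of inventoried accounts holding super-user access."""
    if not accounts:
        return 0.0
    return 100.0 * sum(1 for a in accounts if a["superuser"]) / len(accounts)


if __name__ == "__main__":
    avg, open_accounts = offboarding_lag(DEPARTURES, date(2024, 3, 15))
    print(f"avg offboarding lag: {avg:.1f} days; still open: {open_accounts}")
    print(f"super-user share: {superuser_share(ACCOUNTS):.1f}%")
```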
Even if you have numerous security measures in place, it’s still good practice to evaluate what it’s doing and how it’s actually performing. If numerous employees or teams within your organization are in charge of different security implementations, it’s especially important to make sure they are communicating with the right amount of knowledge - and often.