Monday, December 8, 2014

Cybersecurity

If I were in charge of protecting my company’s computer systems, I think I’d have to balance “accessibility” with “security”.
Continuity of operations depends on the computer systems and the network, but protecting them must not hinder business processes.  We can’t, as an extreme example, just decide not to use the Web.  This would be safe, for sure, but a company can’t work this way.  And since you are on the Web, you are at risk.  The question is to take only the risks that are worth it, and manage them.

The network can’t stop.  File servers and web servers must be available, and the integrity of their content must be guaranteed.
We must always keep in mind that all customer data, and the company’s intellectual property, which together make up one of its most valuable assets, are stored in and accessed through this IT infrastructure.  This is vital information, this is sensitive information, and our company’s survival depends on its integrity and confidentiality!

I would start by hiring specialized personnel to manage my IT infrastructure.  These resources should be both internal – my own staff – and external – a specialized consultancy.
I want internal resources because they’ll be aware of my business’s peculiarities, my critical points, and so on – and probably more strongly motivated to go the extra mile to protect the company than an external consultancy would be.
An external consultancy, by contrast, will bring to the table the problems and kinds of attacks they have faced with other customers.  Also, they’re constantly researching and assessing new security methodologies and technologies.
My IT Security Manager (or Network Admin, or whatever you’d like to call the “Infrastructure Security Guy”) would be in charge of building a Security Policy, implementing it with the best-suited technology, and assessing and reviewing it continuously.  The external consultancy would support all these activities.

Of course, the best security policy is worthless if the regular user is not committed to not compromising security.  If a user writes down his password and glues it to his monitor, no security policy can work.
I would ask my IT Security Manager to define, technically, a Security Guide for all users.
Then I would ask my Human Resources department to review it and – without changing any technical point – make it as readable, engaging and persuasive as possible.  Being aware of these security procedures and policies would be mandatory for all new employees.

I would also use my external security consultancy to act as a “mystery shopper”, i.e., trying to “fish” for sensitive information, anonymously, using either technical or “real-world”, physical approaches.  This would help to review and enhance our security policies and procedures.

Last, but not least, despite the fact that in Brazil most big companies use contractors for cleaning and as security guards, I would not.  I want all personnel with access to company buildings – mostly outside business hours – to actually be part of the company, part of the team.  I want them hired, trained and audited by the company itself.  I want them to know the people they work with, and to be known by them.  Contractors would be a security failure, in my view.