As the COVID-19 pandemic goes on, organizations across almost every sector are struggling to handle sudden changes in demand, layoffs, customer inquiries, and other urgent issues. Data security, which was a major concern for executives not long ago, might not feel as critical right now. However, with the big move to remote work and the growing use of cloud-based services, security is now more crucial than ever.

Many businesses are not ready to face another crisis right now, and a data breach would be just that. Cybercriminals understand that both companies and consumers are at risk, and they’re acting fast to take advantage of weaknesses whenever they find them, whether through phishing scams related to the new coronavirus or other methods.

In this environment, it’s absolutely critical that technology leaders undertake a thorough security risk assessment to identify security weaknesses before they can be exploited.

Obstacle to Overcome

Most leaders probably understand that data security is still a priority, but conducting a risk assessment is no small undertaking. The biggest challenge for most organizations is identifying the right personnel to lead the effort and ensuring all constituents are aligned. If the CEO and CISO aren’t involved, the exercise can quickly slide off-track or fizzle out. Infosec, compliance, centers of excellence, and other stakeholders should receive clear roles and responsibilities throughout the process.

Moreover, too many business leaders view a security risk assessment as a one-off project, when it’s actually an ongoing exercise that should be conducted at a regular cadence. Without follow-up, long-term success is impossible to obtain in an ever-changing threat landscape. In addition to personnel and process, there are three key elements of a successful security risk assessment.

1. Security posture

Conducting a security assessment isn’t very productive without first establishing a well-defined security posture. You must know what type of information you have stored in the cloud, what information may be stored there in the future, and how valuable or risk-laden that data is to your organization.

Huddle up with your security, compliance, and legal teams so that you can fully understand the implications of storing certain data in the cloud as opposed to on-premises. Using this understanding, you’ll develop a security posture that reminds you where you want to be and why it’s important to get there.

2. Platform alignment

Once you’ve developed your security posture, you’ll need to assess it. This starts with a data-classification exercise, which involves a thorough identification of the information currently being stored within your cloud-based tools and platforms. If your data is highly sensitive, you might decide to introduce database-level encryption to keep it safe.

Some platforms will have features that allow you to get a good sense of your current security stance in relation to industry best practices. The Health Check function in Salesforce, for instance, allows you to see how you’re leveraging session settings, password policies, and other features built into the platform. Take advantage of this, but realize it’s only a starting point. A comprehensive assessment for an application subject to a shared security model includes evaluating your application configuration along several dimensions, including data protection, data loss prevention, authorization model, access control, monitoring, and the secure implementation of custom code and integration points.

3. Action plan

After developing your security posture and reviewing platform documentation, you’ll create an action plan. To make your plan viable, you’ll need to ensure that everyone in your organization understands exactly how you’re currently using your cloud-based platform and all the relevant rules and regulations governing usage. You’ll then identify a series of mitigation activities that will help you close any loopholes.

You won’t get there overnight, but aim for gradual progress. In today’s newly chaotic world, complacency is not an option.