As the COVID-19 pandemic continues to unfold, organizations in nearly every industry are scrambling to cope with demand shocks, layoffs, customer questions, and other fires suddenly in urgent need of extinguishing. Data security, which had been a top C-suite concern just a short time ago, may no longer seem as pressing. However, in the midst of a massive shift toward fully remote work (and with it an increased reliance on cloud-based platforms and tools), security is more important than ever.
Few businesses are equipped to handle another crisis at the moment, and that’s exactly what a data breach would represent. Cybercriminals know that companies and consumers are vulnerable, and they’re moving quickly to exploit vulnerabilities wherever they see them, whether that’s with phishing schemes related to the new coronavirus or other tactics.
In this environment, it’s absolutely critical that technology leaders undertake a thorough security risk assessment to identify security weaknesses before they can be exploited.
Obstacle to Overcome
Most leaders probably understand that data security is still a priority, but conducting a risk assessment is no small undertaking. The biggest challenge for most organizations is identifying the right personnel to lead the effort and ensuring all constituents are aligned. If the CEO and CISO aren’t involved, the exercise can quickly slide off-track or fizzle out. Infosec, compliance, centers of excellence, and other stakeholders should receive clear roles and responsibilities throughout the process.
Moreover, too many business leaders view a security risk assessment as a one-off project, when it’s actually an ongoing exercise that should be conducted at a regular cadence. Without follow-up, long-term success cannot be achieved in an ever-changing threat landscape. In addition to personnel and process, there are three key elements of a successful security risk assessment.
1. Security posture
Conducting a security assessment isn’t very productive without first establishing a well-defined security posture. You must know what type of information you have stored in the cloud, what information may be stored there in the future, and how valuable or risk-laden that data is to your organization.
Huddle up with your security, compliance, and legal teams so that you can fully understand the implications of storing certain data in the cloud as opposed to on-premises. Using this understanding, you’ll develop a security posture that reminds you where you want to be and why it’s important to get there.
2. Platform alignment
Once you’ve developed your security posture, you’ll need to assess it. This starts with a data-classification exercise: a thorough inventory of the information currently stored within your cloud-based tools and platforms, classified by sensitivity. If your data is highly sensitive, you might decide to introduce database-level encryption to keep it safe.
Some platforms have features that give you a good sense of your current security stance relative to industry best practices. The Health Check function in Salesforce, for instance, lets you see how you’re using session settings, password policies, and other features built into the platform. Take advantage of this, but realize it’s only a starting point. A comprehensive assessment for an application subject to a shared security model includes evaluating your application configuration from several dimensions, including data protection, data loss prevention, authorization model, access control, monitoring, and the secure implementation of custom code and integration points.
3. Action plan
After developing your security posture and reviewing platform documentation, you’ll create an action plan. To make your plan viable, you’ll need to ensure that everyone in your organization understands exactly how you’re currently using your cloud-based platform and all the relevant rules and regulations governing its use. You’ll then identify a series of mitigation activities that will help you close any gaps.
You won’t get there overnight, but aim for gradual progress. In today’s newly chaotic world, complacency is not an option.