The IT security landscape has been steadily changing since as early as 2010. Over the last few years, the pace has increased sharply. This acceleration can be attributed in part to the COVID-19 pandemic, but even before that, news of major security events was becoming more frequent. Businesses are realizing that security is much more complex than simply keeping anti-virus software current.
Any business that drives revenue using technology, including small and mid-market businesses, should prioritize IT security. To do this, first, it’s important to understand some of the major foundational changes that have occurred.
Risk has expanded from an individual to an organizational level.
In the past, security threats were referred to in specific terms (for example, “viruses” and “malware”). These typically affected a targeted individual. The biggest risk to the business was loss of productivity. “Bobby can’t work today because his computer was infected with a virus”.
Today, threats take many different forms and there’s no clear-cut identifiable “thing” to defend against. Terminology has changed to a more general and comprehensive term: “threat”. “Threats” can impact the entire organization, dwell inside business operations, and are highly opportunistic. With the highly varied nature of threats, it has become much harder to quantify risk than it used to be.
In addition to expanded risk, there is also an unprecedented lack of control over business technology tools.
The centralized decision-making enjoyed by IT departments of the past is no more. Quick access to applications and connectivity means that departments and individuals are now making software and hardware decisions outside the purview of the IT team. This was amplified further by the pandemic and the resulting transition to remote work.
Organizations today have more applications, more variability in devices, and less consistency than ever before. More factors (applications, devices, etc.) and less control means a larger attack surface. With this loss of control, there are risks that IT may not even be aware of and therefore can’t mitigate.
To top off the expanded risk and lack of control, there is also a growing imbalance between our dependency on technology and how we secure it.
IT is central to modern business operations. However, the way we access and interact with it has not evolved to properly safeguard such a critical business element. We continue to rely on a risky foundation: user identity.
Applications that house your critical business data are typically accessed with a username and password: a single point of entry. These credentials are much more easily compromised now, putting your business at risk. This realization has led to industry shifts in how we access and protect these key technologies (namely, multi-factor authentication).
Though these changes are overwhelming, we know that the risks are too great, and we can’t stick our heads in the sand any longer. In ensuring your business is prepared, it’s important to consider not only your technical tools, but also your approach to IT security.
Adjust your tools
The industry standards are shifting, and tools that once were optional are becoming necessary. These include multi-factor authentication, single sign-on across applications (with a single identity), and advanced threat-hunting software. In addition, cyber liability insurance has become a necessity for businesses of all sizes.
Adjust your approach
It’s true that the things you purchase can strengthen IT security. But tools alone won’t solve everything. It is important that your business establishes a process of regular, deliberate discussion around IT security to identify current risk, understand mitigation options, and determine whether the risk has changed since the last discussion.
Often, companies struggle to bridge IT planning with regular business strategy.
Three key things need to happen to achieve this:
1. Include IT security as a discussion item in regular business planning processes
a. Incorporating IT security into regular planning cadences ensures that the right stakeholders are involved in a recurring discussion. Though the recommendation varies by company, a good general cadence is to have a discussion around IT security every 6 months to 1 year.
2. The IT department should include more technical communication with stakeholders
a. With the changing tools and risks, it is important that decision makers are given enough technical information to understand risks and weigh the options.
3. Prioritize IT security within the business
a. Stakeholders have the responsibility to recognize IT security as a high-level business priority and invest time and energy into not only participating, but also creating traction in the company.
No tool is 100% effective, and most new processes in business planning take time. But by strengthening your IT security with current industry best practices and prioritizing consistent discussions of IT security, your business will mature its security year over year, match IT security investment dollars with risk, and be more protected and adaptable than before.