Security Think Tank: How businesses can achieve compliance and security (part 5)

What can businesses do to make regulatory compliance a priority without losing focus on security basics?

I know I am not alone in spending an increasing amount of time working with colleagues to ensure our business is not caught unaware by the simmering hotpot of regulatory compliance.

And, quite rightly, the challenge of compliance must remain a priority for the vast majority of information security professionals. 

Yet as I'm engrossed in the small print, a corner of my mind not yet numbed by the immediate matter in hand is nagging at me that prompt patching, keen log checking, good password management, data classification, and many other areas that make up the “bread and butter” of security basics cannot be ignored.

So if we accept that regulatory compliance is a priority, how do we ensure that we do not lose focus on security basics?

In the first instance, by accepting that security basics, in whatever form, are and will always be necessary, the question becomes: "How do we ensure security basics have sufficient focus?"

Start with security basics

To start with, we all have finite resources, so it is essential to prioritise effectively and do things well – and where possible, just the once.


You might then ask yourself what is most valuable to the business and how well protected those assets are. Run through various scenarios, thinking about how you would respond in the event of an incident and identifying action plans to fill the gaps.

  • Build a strong foundation of mature IT infrastructure processes that “bake in” routine tasks such as patch management, changes to firewall configurations and the like.
  • Look for weaknesses in processes, perhaps starting with those that bridge multiple departments such as the “starters/leavers process”.
  • Work with staff to increase security awareness, ideally using real-world examples they can relate to.
  • Take advantage of the recent media interest in hacking groups and hacktivism by explaining some of the methods used, such as phishing attacks. Demonstrate how this is relevant to Facebook, online banking and work accounts. Emphasise the importance of strong passwords that are changed frequently.
  • With an ever-growing take-up of social media and reliance on technology outside of office life, this is valuable and transferable knowledge.
  • Continually measure how well you are performing to establish if there is sufficient focus on security basics. Track how many incidents occurred in the past month and apply a simple ranking score. How well are you doing month on month?
  • Finally, never assume you have nailed the basics of security – you never can, but you can ensure you give it the necessary focus.
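The month-on-month measurement suggested above, worked through as an added example (not code from the column or its author): it assumes a constructed list of incidents, each tagged with one of the security basics the column names, and an assumed severity weighting as the "simple ranking score", so the result shows both the trend and which basic is slipping.

```python
from collections import defaultdict
from datetime import date

# Constructed sample incidents (not from the article). Each is tagged with the
# "bread and butter" basic it relates to, so the score shows where focus is needed.
SAMPLE_INCIDENTS = [
    {"date": date(2024, 1, 4),  "area": "patching",   "severity": "high"},
    {"date": date(2024, 1, 9),  "area": "passwords",  "severity": "medium"},
    {"date": date(2024, 1, 22), "area": "logging",    "severity": "low"},
    {"date": date(2024, 2, 3),  "area": "patching",   "severity": "medium"},
    {"date": date(2024, 2, 15), "area": "passwords",  "severity": "low"},
    {"date": date(2024, 3, 1),  "area": "patching",   "severity": "high"},
    {"date": date(2024, 3, 8),  "area": "patching",   "severity": "high"},
    {"date": date(2024, 3, 20), "area": "data_class", "severity": "low"},
]

# Assumed ranking scheme: weight by severity rather than counting raw totals,
# so one serious patching miss outweighs several minor log-review findings.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}


def monthly_scores(incidents):
    """Return {"YYYY-MM": {"count": n, "score": s, "by_area": {area: s}}}, sorted by month."""
    months = defaultdict(lambda: {"count": 0, "score": 0, "by_area": defaultdict(int)})
    for inc in incidents:
        key = inc["date"].strftime("%Y-%m")
        weight = SEVERITY_WEIGHT[inc["severity"]]
        months[key]["count"] += 1
        months[key]["score"] += weight
        months[key]["by_area"][inc["area"]] += weight
    return {k: {"count": v["count"], "score": v["score"], "by_area": dict(v["by_area"])}
            for k, v in sorted(months.items())}


def month_on_month(scores):
    """Weighted score change versus the previous month (negative means improving)."""
    keys = sorted(scores)
    return {k: scores[k]["score"] - scores[prev]["score"] for prev, k in zip(keys, keys[1:])}


def worst_area(scores, month):
    """The basic contributing the most weighted score in a month, i.e. where focus is needed."""
    by_area = scores[month]["by_area"]
    return max(by_area, key=by_area.get) if by_area else None


if __name__ == "__main__":
    scores = monthly_scores(SAMPLE_INCIDENTS)
    deltas = month_on_month(scores)
    for month, v in scores.items():
        print(month, v["count"], "incidents, score", v["score"],
              "delta", deltas.get(month, 0), "worst area", worst_area(scores, month))
```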

David Rowe is a member of the Infosecurity Europe Advisory Council and head of Business Services for Reed Exhibitions.
