“Most organizations don’t think about [cyber] security enough,” says Ted Harrington, executive partner, Independent Security Evaluators. “Maybe companies think about it annually. You need to think about it more often than that.”
This was part of Harrington’s session on protecting against cyberattacks, part of the Window and Door Manufacturers Association’s Executive Management conference, which took place virtually earlier this month.
The big question many companies ask is: “How do we know what we are doing is sufficient?” Harrington says it begins with threat modeling. “Think like the bad guys think,” and that will help you answer three questions:
1. Who do you want to defend against?
2. Where will you be attacked?
3. What are the assets you need to protect?
If you don’t know the answers to these questions, Harrington says it’s like heading into the big game without a game plan. For example, who are you playing against? What do you have of value that they will come after, such as proprietary information?
To help answer the question of whether what a company is doing is enough, Harrington offers a few pointers on conducting security assessments:
- Vulnerability scanning is like when your car’s check engine light comes on. It’s a quick, inexpensive way to look for known issues.
- Bring a dose of skepticism when analyzing your systems.
- Perform routine security assessments.
- Automate everything you can whenever you can.
It was evident from the number of questions Harrington received at the end of the presentation that the topic is of real interest to attendees. One asked whether internal or external teams are the way to go.
“The short answer is you need both eventually,” says Harrington. “The internal teams and external teams complement each other. External brings that independent objective viewpoint and the niche specialties. When you combine it all you get maximum impact.”
Another individual asked if a company can overdo it in this area, and the short answer, he says, is yes. “Complexity often introduces new vulnerabilities,” he says. “More complex is not necessarily more secure. You have to look at the unique characteristics of individual systems.”