For those who don’t know me, my name is Anna Krupka and I’m an Account Executive with TRUE. I have a BSBA from the University of Tulsa with a major in Finance and spent the majority of the first decade of my career working in the horse racing industry. Doesn’t sound very techy, does it? So how did I end up here? During my time at TRUE I have discovered how much I truly enjoy working with businesses to strengthen their cyber security posture and work towards compliance standards and regulations. I have also been surprised to learn how passionate I am about educating organizations and professionals on the importance of the organizational journey towards security. During my time at TRUE I have seen some major pitfalls from companies that failed to see the importance of having a “Security First” approach to their IT. So I’m here to explain why you – YES, YOU – should take the “Security First” approach to heart.
Security through Obscurity is not a thing any more
If you own or run a business that is any size but enterprise, there’s like a 90% chance (totally a statistic I made up from personal observation) you think that your business is not a target for an attack or vulnerable to any sort of cyber security incident. You probably would bet that there is no way attackers are worried about your organization, because you are too small/unimportant/insert whatever adjective here justifies not worrying about your security posture let alone spending (gasp) money on it. I’m going to need you to take a seat, because this is not going to be good news. The truth of the matter is that cyber security attacks are now “one size fits all”. If you have a bank account and conduct any sort of business online (even if it’s just email), you are susceptible to a breach – and that’s not a fun fact that I’m making up. While I’m always happy for new clients, I’m never happy to gain them through an Incident Response engagement. And frankly, my book of clients has grown with companies of all sizes, all industries, all business sectors that have been negatively affected by a security incident. Pure and simple – if they can get to your stuff, they will, and they will figure out how much money you can afford to fork over to get it back. Or they will figure out how to trick you into sending your money to the wrong bank account. Or the dozens of other scenarios that could happen that could interrupt your business or cost you a lot of money.
The Economics of Proactive v. Reactive
Whether it’s playing sports, managing your time, or conducting business – I think we can all agree that, unless you’re a firefighter, a reactive approach is very rarely the best approach. The security posture of your organization is no different. To be fair, I think we can also all agree that shoring up your information security is never cheap. But I will promise you that the moment it’s DEFINITELY expensive is when you are scrambling to build a security program after an incident has revealed exactly how vulnerable your infrastructure is. Am I suggesting you run out and invest all of your money into building a security program overnight? No. What I’m suggesting is that by taking the time to budget, plan, and strategize steps towards your security goals, you will find the economics of strategic, proactive security planning and execution are way better than a reactionary spend to save your job post Security Incident.
Just like any business organization, a “Security First” approach can come in all “shapes” and sizes. There is literally a way to strategize this approach no matter how small your company. For some, it means having an endpoint protection strategy and understanding best practices for handling PII. For others, it means hiring a CISO and looking to build a program towards a SOC2 certification. I will delve further into this subject in another blog installment, but for now what I cannot stress enough is that this approach is thoughtful and strategic and goes beyond buying the newest, fanciest toolset.
Infections/Incidents are no longer just an annoyance, they are business killers
The importance of a “Security First” approach is not just for the consistency of uptime and availability. In fact, hackers are not just trying to ruin your stuff. They aren’t even so worried about selling your personal information – the truth is there’s so much PII on the dark web it doesn’t sell for much (gotta love economics!). What they are trying to do is to hold your business hostage in a way that business can’t continue until you fork over the money. They will shut down your systems, they will grab proprietary info, they will grab your biggest client’s proprietary info. Hackers will spend the time to observe the dealings and inner workings of the company to figure out just how important information is, where it is, and how much you have in your account to pay in ransom. For a lot of organizations this amount of money, or loss of business, or downtime can be crippling. Not to mention, if your clients feel like you aren’t protecting their information and business interests: you could lose their trust, your reputation, and quite possibly your clients.
In closing, my intent with this piece isn’t to inspire fear or panic. It’s merely to share my observations as an Account Executive to further the conversation around information security in your organization. My goal is for executives and upper management to understand that security best practices are quickly becoming a requirement in everyday business. Your clients, your investors, and in some cases even federal regulations are raising the standard for security - the time is now to make security a part of your business strategy and a line item in the budget. A Security First Approach to your IT is an excellent way to weave these strategies and best practices into the fabric of your business to create a security blanket that gives you and your clients peace of mind.
Most organizations use Microsoft 365 (formerly Office 365), so I wanted to share this TRUE Whitepaper, written by Heath Giesen, about specific struggles many businesses face and steps/configurations in M365 that can address these issues.