Start Your Compliance with Minimum Standards

If we had to start somewhere in computer security (or cybersecurity), what should be done?

First: start by meeting minimum compliance standards (this objective also doubles as documentation of compliance).

Second: improve security by spending some time on cybersecurity (an ounce of prevention is worth a pound of cure).

Third: integrate Governance, Risk and Compliance (GRC) into your business (as we discussed here).

Many compliance standards were built with actual security in mind, even if the process becomes only a checkbox methodology. Not every checkbox will prove truly secure. Nevertheless, it is a good place to start.

But once you have started, move into the world of “Not Just Compliance: Be More Secure”.

The key is to find weaknesses that are outside of PCI compliance.

You can see in the above diagram that the IT security framework encompasses PCI compliance. What if you have a local HR server which houses your employees' Personally Identifiable Information (PII)? The human resources data is not covered by Payment Card Industry compliance because the HR department has no credit cards to charge. But what if the HR server is compromised? Then the attacker has a resource inside the network from which to try to attack other machines.

This is what I was trying to explain in the above risk management matrix. The systems that are not as critical to your operation (not CC systems, not HR systems) have a higher chance of getting attacked due to lack of attention over time.

Thus, once your lower-priority systems are hacked, the hacker is now in the network, and it will be harder to get the hacker out of your critical systems if not set up correctly.

Everyone claims to create a risk management profile for your servers and systems. But it is also important to actually assign the right amount of resources, as you may not have enough resources in the security area. So the key question for risk management and analysis of your IT resources is not "how do we cut costs?" but "are we secure enough?" And if not, then we need to fix the profile in time.

As long as you know you have a problem, you can move forward and address it. So start with the basics and build from there. Security complexities are wide-ranging and come to be understood properly over time.


