For my last installment about mastering cybersecurity, I’m going to answer the question I posed in the previous post, then finish up with my tips for upping your game. As I explained last time, security is like a graph, where cost is the X axis and risk is the Y axis. As you move to the right on the graph, your risk goes down as you spend more on security, but it plateaus before risk starts to rise again. So, if you start to spend too much money on security, your risk of a cyber attack will begin to go up after a certain point.
When you buy more complicated hardware and software for your systems, the people in your organization will become overwhelmed. Soon they will be jumping through hoop after hoop just to log into their computers, so instead of following the complex procedures meant to ensure security, they will find a way around them.
Consequently, your risk increases as your employees begin to avoid the procedures you’ve set for them. When you evaluate your organization’s cybersecurity, a score somewhere towards the end of the scale (but not at the end) is best, such as an 8/10 (1 being completely insecure and 10 being too secure). Once you have a score for your cybersecurity level, you can then evaluate your risks, find your top threats, and mitigate them. This itemized list of risks you choose to mitigate will be your guide during your endless journey in cybersecurity, because security isn’t a destination or a checkbox; it is an ongoing process that needs to be reevaluated and reconfigured often.
The final thing I’d like to point out is that you have to coordinate your cybersecurity procedures with your compliance programs, such as HIPAA or PCI. Compliance program checklists for security can get tedious, especially if you must follow more than one and constantly have to wonder which business activities require which checklist. But here’s a secret: probably 80% of the precautions required by compliance programs overlap. Your best bet is to find out where these overlaps are and aren’t, and this will tell you all the compliance rules you need to follow with your cybersecurity regimen.
I hope the tips I’ve outlined in this series can be helpful, and remember that cybersecurity is not just your IT department’s problem, it’s everyone’s problem.