Many people believe they need to take on large tasks and implement expensive technologies to fix the problems with their security program. Brought on by the compliance-first mentality epidemic combined with ongoing IT audit requirements, these “fixes” are often nothing more than paperwork, programs and poorly implemented technical controls that create the illusion of progress. Yet, behind the scenes, the truth is evident. The real weaknesses lie in ownership and accountability, oversight and a lack of ongoing improvement.

Enhancing a Security Program

The following are some small, yet important, quick wins for security that you can address today to make things better over the long haul:

  • Clean up your security policies by standardizing a template and eliminating redundancy.
  • Develop a security testing plan that ensures periodic and consistent in-depth information risk assessments, penetration testing and vulnerability scans. Many organizations address these security functions haphazardly — often after a breach or when they’re otherwise forced to do so, which can only serve to make you look bad.
  • Standardize on three controls: full-disk encryption for laptops, patch management that covers both your main OS software and third-party software, and mobile device security. Then develop a plan for rolling them out. You might already have these controls at your disposal. Once implemented, these three things alone can easily eliminate 50 percent or more of your information risks, and no formal risk assessment is needed. I cannot think of any organization, regardless of size or industry, that wouldn’t benefit from taking these three steps.
  • Document an incident response plan. Most organizations I’ve seen don’t have one, and that’s such a dangerous thing. At the very least, create a one-page document that simply has all the contact info for your vendors, ISPs, security and forensics experts and legal counsel. You’re going to need all of them on board when the going gets rough.

How else can you tweak your security program to make things better? Only you know the answers. All it takes is two of the rarest things to come by in business today: a level of commitment and stick-to-itiveness. If there’s a big enough “why,” the “how” will take care of itself.

Build for the Future

Starting today, forget about fixing all of your security problems this month or even this year. Most organizations could go the next 12 months without spending a single penny on new stuff — products, services and other things that promise to fix everyone’s security woes. Instead, by focusing on the freebies — using what you’ve already got combined with some elbow grease — you can make huge strides toward developing your security program, fixing the fixable that’s spread across your environment and minimizing your security risks.

As the saying goes, Rome wasn’t built in a day. Like diet, exercise and investing in retirement, it only takes a little at a time to make a big difference. The real challenge is setting your sights on the bigger picture and doing the little stuff that needs to be done today so you can reap the big rewards in the not-so-distant future. That future will be here before you know it.
