Thursday, August 7, 2014

Cybersecurity Program

     Throughout this program I have learned there are many aspects to protecting information.  One of the main keys to protecting information begins with employees.  When employees understand the importance of their actions and why the company has created security policies, it helps create an environment that is aware of potential consequences.

     This means that companies have to create a culture of security.  In a culture of security, all employees are taught to understand the importance of following security protocols.  They should be aware that company security is more than just the information online; it is also the trash they throw away, the caller on the telephone who asks about the company's software or poses other seemingly innocent questions, and the unannounced copy repair man.  Employees should report anything out of the ordinary to the supervisor or head of security immediately.

     One of the most difficult aspects of cybersecurity is convincing a company why the protection is necessary.  Unfortunately, many organizations see cybersecurity as a black hole for company funds that they feel would better benefit other areas.  The reason is that an adequately protected company sees few or no attacks, and without any attacks the protection seems unnecessary.  When a cyberattack does occur, the security team is the first to be blamed, even when they had presented the reasons increased security was necessary to prevent this type of attack and were told it was not necessary.  Those presenting their findings on security needs must use data from other, similar organizations that suffered such an attack, and show how that company was affected by the attack as well as how much it cost the company.

     During this term for Cybersecurity 650, I learned the necessary steps to identify security threats and vulnerabilities as well as to make recommendations to mitigate these issues.  The security assessment needs to be thorough, focusing on critical assets and the potential threats or vulnerabilities they may face.  When determining these, it is important to focus on protecting the critical assets from realistic threats.  These could include cyberattacks, weather events relevant to the area such as tornadoes, floods, hurricanes, etc., and attacks on areas that may vary from company to company.  These factors are important to keep in mind when evaluating a company's security.  Healthcare organizations not only have to secure patient data but also have to comply with state and federal laws in how they secure that information.  Once the recommendations are made, it is up to the company to do what is in the best interest of its customers, shareholders, and company as stated in its mission statement.
