When it comes to securing the corporate infrastructure, many companies don't have a real plan in place. Most purchase the security software they believe is appropriate for their network, install it and hope for the best.
It's no wonder, then, that companies can't keep their networks completely safe from cyberthreats.
But choosing, implementing and maintaining airtight security isn't a monumental task. It all starts with an honest assessment of where the vulnerabilities reside on your network. The folks at CDW-G have put together a five-step program that they believe will help any company looking to fully lock down their networks. It's a fairly simple program, but it does require the effort and buy-in from the top down and the active participation of at least one person from each department in the organization.
Here's what CDW-G suggests:
1. Identify information assets - Got sensitive credit card information on file? How about Social Security numbers? Make a list of all the types of information on your network and prioritize what needs to be protected.
2. Locate information assets - You know what you have on your network, but do you know where it is, exactly? Find the information assets listed in the first task and make a list of all those locations, be they file servers, workstations, laptops, removable media, PDAs, phones or databases.
3. Classify information assets - What's more important to your company, M&A strategies or compensation information? Using a 1-5 scale, classify your information assets as:
a) Public information (examples: marketing campaigns, contact information, finalized financial reports)
b) Internal, but not secret, information (examples: phone lists, organizational charts, office policies)
c) Sensitive internal information (examples: business plans, strategic initiatives, items subject to non-disclosure agreements)
d) Compartmentalized internal information (examples: compensation information, merger and acquisition plans, layoff plans)
e) Regulated information (examples: patient data, classified information)
4. Conduct a threat modeling exercise - This step is the most crucial, because it will tell your company where its largest area of vulnerability lies. Rate the threats that those top-line information assets would face. To do that, CDW-G recommends that companies use Microsoft's STRIDE method to determine which threats these assets face, then plot them on a grid. On the X-axis, list the STRIDE categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). On the Y-axis, list the data locations identified in the second step. For each cell, estimate on a 1-10 scale the probability of that threat being carried out against the information asset, and on the same 1-10 scale the impact a successful attack would have on the company. Then multiply those two numbers together and write the product into the cell. Each cell should have a number between 10 and 100.
5. Finalize data and start planning - After you've done the math, it's easy to see where the largest vulnerabilities lie. Obviously, the higher the number, the larger the threat. Most companies don't take action on threats that come in at 250 or lower, but will take immediate action on threats in the range of 450 or higher.
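The grid that steps 4 and 5 describe is easy to get wrong by hand once there are more than a handful of locations, so here is an added worked example in Python (not code from CDW-G or the article). All probability and impact values are constructed sample data, and the per-location total and the 250/450 action thresholds are applied on the assumption that those thresholds refer to a location's summed score across the six STRIDE columns; the article does not say how cells are aggregated, so treat that choice as the example's own.

```python
"""Added example: a STRIDE x data-location risk grid in the shape step 4 describes.

All estimates below are constructed sample data. The article does not say how
the per-cell scores (1-100) are combined before the 250/450 thresholds of step 5
are applied; this example assumes (its own assumption) that a location's total
is the sum of its six STRIDE cells (6..600).
"""

STRIDE = [
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
]

# Locations from step 2, with one (probability, impact) pair per STRIDE
# category on the article's 1-10 scale. Constructed sample values.
ESTIMATES = {
    "payroll database": {
        "Spoofing": (7, 9), "Tampering": (5, 9), "Repudiation": (3, 6),
        "Information disclosure": (8, 10), "Denial of service": (4, 7),
        "Elevation of privilege": (6, 10),
    },
    "sales laptop": {
        "Spoofing": (5, 5), "Tampering": (4, 5), "Repudiation": (2, 3),
        "Information disclosure": (9, 8), "Denial of service": (6, 3),
        "Elevation of privilege": (5, 6),
    },
    "public web server": {
        "Spoofing": (9, 9), "Tampering": (9, 9), "Repudiation": (6, 6),
        "Information disclosure": (8, 9), "Denial of service": (10, 9),
        "Elevation of privilege": (9, 10),
    },
}


def cell_score(probability, impact):
    """Step 4: probability (1-10) times impact (1-10); rejects out-of-range input."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")
    return probability * impact


def build_grid(estimates):
    """Locations on the Y-axis, STRIDE categories on the X-axis, one score per cell.

    A location missing any STRIDE category is an incomplete assessment, so it is
    an error rather than a silently lower total.
    """
    grid = {}
    for location, by_threat in estimates.items():
        missing = set(STRIDE) - set(by_threat)
        if missing:
            raise ValueError(f"{location}: no estimate for {sorted(missing)}")
        grid[location] = {t: cell_score(*by_threat[t]) for t in STRIDE}
    return grid


def location_totals(grid):
    """Assumed aggregation: sum of a location's six cells (range 6..600)."""
    return {loc: sum(row.values()) for loc, row in grid.items()}


def action(total, act_now=450, ignore_at=250):
    """Step 5 thresholds from the article: act at 450 or higher, ignore 250 or lower."""
    if total >= act_now:
        return "immediate action"
    if total <= ignore_at:
        return "no action"
    return "review"


def hottest_cells(grid, n=3):
    """The n highest-scoring (location, threat, score) cells; ties break by name."""
    cells = [(loc, t, s) for loc, row in grid.items() for t, s in row.items()]
    return sorted(cells, key=lambda c: (-c[2], c[0], c[1]))[:n]


def render(grid):
    """Plain-text version of the grid with the per-location total and verdict."""
    totals = location_totals(grid)
    width = max(len(loc) for loc in grid)
    header = " " * width + "  " + "  ".join(f"{t[:4]:>4}" for t in STRIDE) + "  total  verdict"
    lines = [header]
    for loc, row in grid.items():
        scores = "  ".join(f"{row[t]:>4}" for t in STRIDE)
        lines.append(f"{loc:<{width}}  {scores}  {totals[loc]:>5}  {action(totals[loc])}")
    return "\n".join(lines)


if __name__ == "__main__":
    grid = build_grid(ESTIMATES)
    print(render(grid))
    print("\nHighest-risk cells:")
    for loc, threat, score in hottest_cells(grid):
        print(f"  {score:>3}  {loc} / {threat}")
```

Running the script prints the grid with each location's total and verdict; with the sample values the public web server lands exactly on the 450 threshold and is flagged for immediate action, the payroll database (294) falls in the middle band, and the sales laptop (171) is below the 250 line. The input check in cell_score matters in practice: a typo of 0 or 100 in a spreadsheet silently distorts a whole row, whereas here it fails loudly.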
Once a proper assessment has occurred, companies can then move forward with a security plan that not only makes sense but also can save time and money down the road. It all starts with proper planning, which leads to easier, and more effective, execution.