In corporate America, the term security has morphed and expanded over the past decades. From simply securing property and personnel, the term now encompasses information security, cyber security, physical security, document security, workplace security and a host of other areas. Executives across organizational responsibilities are tasked with protecting different company assets. This evolution has been further advanced by the global pandemic, which expanded the concept of corporate security to reach well beyond the office environment. Companies now need to look at securing residential spaces and must address cyber threats that have expanded exponentially due to the dispersed workforce.
With an increased focus on risk and risk management, questions often arise on how to secure a business, which are posed to many different functional areas within an organization. Executives answer questions about security on a regular basis to a host of different audiences from employees, to clients, to vendors and possibly to partners or boards. These questions often include some type of formalized document where specific questions are posed and must be formally answered. The answers provided by the executives are often based on documentation supplied by in-house staff as well as vendors that deliver products, devices or services to secure different areas of the company.
The pandemic has stress-tested business continuity plans and revealed many gaps. This leads to an important question executives should be asking about security: When was the last time your organization tested the security products, devices and procedures in place?
All too often, gaps and deficiencies are identified only in a post-incident internal examination or by a third-party organization investigating a security incident. Post-incident evaluations are often centered on “if you didn’t document it, it didn’t happen.” But shouldn’t the question be: “It is documented, but is it really understood and working as expected?”
Having an independent auditor, whose sole job is to test systems to see if they perform to the standards that are documented, can help identify security gaps before they are exploited by a bad actor. Consider these examples:
A video surveillance (CCTV) system is documented as having 60 days of video stored. When, if ever, was there a request to view video from 59 days ago?
If motion recording is used, when was the last time cameras were checked to see if they are actually picking up motion?
The file room door is supposed to be unlocked from 9 am to 5 pm, Monday to Friday. Have you checked to make sure it is locked at 5:15 pm on a Wednesday and at 10:00 am on a Saturday?
These are simple checks that may show that documentation does not always marry up to real workplace operations.
Testing your IT security measures should be done regularly as well. Red team testing, penetration testing, network scans, log reviews and a host of other tests and procedures should be in place to ensure the current products and policies are functioning to the level expected. In addition to these technical tests, simple reviews of active accounts and devices should be done to ensure that employees and vendors who are no longer with the company have been deactivated. Checking password policies, ensuring multifactor authentication is enforced, and reviewing patching and application versions: are these actually being done?
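One way to turn the checks above into a repeatable audit, as an added Python example that is not from the original article or from Insite. It compares three documented controls (the 60-day video retention, the file room door schedule and the active-account review) with observed evidence; the control values, door observations, account records and the 90-day stale-login threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
# Documented controls from the article's examples (constructed values, not real policy data)
VIDEO_RETENTION_DAYS = 60          # "60 days of video stored"
DOOR_UNLOCKED_HOURS = (9, 17)      # file room unlocked 09:00-17:00 ...
DOOR_UNLOCKED_WEEKDAYS = range(5)  # ... Monday (0) to Friday (4)
STALE_ACCOUNT_DAYS = 90            # assumed threshold for "no recent login"
def door_should_be_unlocked(when):
    """Expected door state under the documented schedule."""
    start, end = DOOR_UNLOCKED_HOURS
    return when.weekday() in DOOR_UNLOCKED_WEEKDAYS and start <= when.hour < end

def check_door(observations):
    """(timestamp, observed_locked) pairs -> timestamps whose state contradicts the schedule."""
    return [ts for ts, locked in observations if locked == door_should_be_unlocked(ts)]

def check_video_retention(now, oldest_recording):
    """Compare the documented retention window with what is actually on disk."""
    covered = (now - oldest_recording).days
    return covered >= VIDEO_RETENTION_DAYS, covered

def account_gap(acct, roster, now):
    """Why an enabled account needs review (owner gone, or stale login), else None."""
    if not acct["enabled"]:
        return None
    if acct["owner"] not in roster:
        return "owner no longer on the staff/vendor roster"
    if (now - acct["last_login"]).days > STALE_ACCOUNT_DAYS:
        return f"no login in over {STALE_ACCOUNT_DAYS} days"
    return None

def run_audit(now, oldest_recording, door_observations, accounts, roster):
    """Run every check and return the gap report as a list of findings."""
    ok, covered = check_video_retention(now, oldest_recording)
    report = [] if ok else [f"video: documented {VIDEO_RETENTION_DAYS} days, only {covered} available"]
    report += [f"file room door: state at {ts:%a %H:%M} contradicts the documented schedule"
               for ts in check_door(door_observations)]
    report += [f"account {a['user']}: {why}" for a in accounts if (why := account_gap(a, roster, now))]
    return report

def sample_audit():
    """Constructed evidence for an audit dated Wed 16 Jun 2021 (not real data)."""
    now, day = datetime(2021, 6, 16, 12, 0), timedelta(days=1)
    doors = [(datetime(2021, 6, 16, 10, 0), False),   # Wed 10:00 unlocked: as documented
             (datetime(2021, 6, 16, 17, 15), False),  # Wed 17:15 still unlocked: gap
             (datetime(2021, 6, 19, 10, 0), False)]   # Sat 10:00 unlocked: gap
    accounts = [{"user": "jsmith", "owner": "J. Smith", "enabled": True, "last_login": now - 2 * day},
                {"user": "hvac-vendor", "owner": "HVAC Co", "enabled": True, "last_login": now - 120 * day},
                {"user": "tkim", "owner": "T. Kim", "enabled": True, "last_login": now - 5 * day},
                {"user": "old-ctr", "owner": "Former Co", "enabled": False, "last_login": now - 400 * day}]
    return run_audit(now, now - 45 * day, doors, accounts, {"J. Smith", "HVAC Co"})
```

Running `sample_audit()` on this constructed evidence yields five findings: the retention shortfall, both door observations outside the schedule, the stale vendor login and the enabled account whose owner is no longer on the roster.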
Trust but Verify
Just because security measures appear in a written policy document doesn’t always mean they are working as expected. Executives must take an active role in managing security across their organization and motivating employees to keep security a priority. As the concept of security continues to evolve, resilient organizations are not only prepared to meet the demands, they have tested their systems and are confident they are up to the task of keeping their people, information, property and reputation safe.
Insite is here to help; contact us about conducting an independent audit to help ensure your systems are secure and your policies are being enforced.