A Business Leader’s Guide to Security Vulnerabilities
While it’s normal for our staff to constantly discuss the newest technical stories, I suspect that the talk around your office to start 2018 has also been technical in nature, namely the newest security threats to make the news, frighteningly named Spectre and Meltdown. Last week, our Vice President of Security covered the high level details in his blog post, but as a business owner, this story raises questions above the technical or operational details. Specifically, what should business leaders do in this brave new world of headline grabbing security vulnerabilities?
As business owners, there is always more to worry about than not, but the current security and IT landscape demands that we prioritize our worries so we can remain focused on the most pressing risks and take advantage of the greatest rewards. In a constant push for risk mitigation, prudent and thoughtful action is key. Although my below recommendations may seem trite, as the headlines and news stories of threats continue (and they will), it’s important to remember the basics as we make our business decisions.
- Remain calm and focused. Chances are, you took significant time at the end of 2017 to plan for 2018. Your budget and your strategic plan are likely sound and already being executed. Do not let the news stories of the day distract you from your course. Cyber-security is the trend of the year, and with each new vulnerability I start to see a panic narrative take shape with news headlines. Although these vulnerabilities are real and serious, some vendors will leverage the fear as a sales opportunity. While it’s true that there is an off the shelf solution for most problems, do not let a panic narrative adjust your business planning and execution. With each new vulnerability, take time to think and assess the current threat level to properly plan your action and communication.
- Start and Stick with the Basics. A portion of your yearly budget and strategic plan should have time and money carved out for the basics. Part of your calm as a business leader should stem from the fact that your IT plan and budget are fundamentally strong at its core: 1). Your outsourced or internal IT staff should have a plan for patching 2). You have tested and reliable backup solutions and 3). Aging or end of life equipment are quickly upgraded or decommissioned. Staff training is also key. Regardless of the vulnerabilities of the day, your business is at a far greater risk of a breach through Social Engineering than a complex cyber attack like Spectre or Meltdown. At our Winxnet University events for our clients, we have covered security awareness training with our clients, and your IT staff should, too.
- Follow up with your staff after the hype is over. After the 15 minutes of fame are over for the specific vulnerability, review the impact of the vulnerability to your business and any changes in direction you needed to make. Did your team need to push out patching earlier than expected, or delay a project? Did you need to review additional quotes or spends for solutions. With your year long plan in mind, review what you did and what you would have done differently. I frequently perform this exercise with my staff and our clients, so we can be even more prepared for the next vulnerability. A few moments of retrospection and communication can go a long way.
The list of security vulnerabilities is long and getting longer (WannaCry, Petya, KRACK, BlueBorne, Spectre or Meltdown), and most will continue to make headlines. What you do before they strike can impact your actions during the heat of the hype. If you feel as though you need help determining your IT budget or plan to address these events, please do not hesitate to reach out to a member of the Winxnet team at firstname.lastname@example.org.