If anyone had any doubts, the news in recent months has made it clear: no business – or government – is completely secure from cybersecurity attacks. Many businesses have intensified their focus on improved technology to strengthen IT security. However, machine-based security is only part of the picture.
As the voice of the information technology industry, CompTIA is on a mission to provide cybersecurity awareness training for anyone who touches a PC, laptop, smartphone or tablet. In addition, CompTIA works with our members to develop sound business practices for working with their clients. Our organization continues to work with lawmakers on Capitol Hill to pass legislation that will balance privacy concerns and promote the sharing of data while providing liability protection to the private sector. Here is how security-aware businesses can implement three considerations to better safeguard their information.
Educate your employees
According to CompTIA’s Trends in Information Security study, more than half of security breaches were the result of human error. As mobility and cloud technologies become more prevalent, businesses will have more access points to protect. All levels of staff – from the mail room to the board room – must take steps to protect their organization’s data and devices from being compromised. Ongoing user education continues to be the best defense against cyber attacks, and there are three principles that can help employees be more security-aware.
First, businesses should integrate cybersecurity best practices into employees’ workflow, including the devices they use. Particularly in environments where there are both personal and company-issued devices, IT and front office leaders must develop policies for personal device use that balance security concerns with employees’ personal and work-related needs.
Next, businesses must promote better password management. Most employees still either assign the same passwords to all devices and apps or have dozens of forgettable password variations. Companies need to teach users how to pick strong, yet memorable passwords. This small investment in time can provide a huge improvement in cybersecurity. If feasible, businesses should also invest in corporate single sign-on tools that eliminate the need (and liability) of juggling multiple log-ins.
Third, we must consider work processes: they typically exist to maximize efficiency, with security concerns addressed only loosely (or not at all). As a result, employees can remain vulnerable to social engineering threats, including impersonation and phishing. Since these hacking techniques capitalize on employee confusion and the desire to follow proper procedures, companies must build controls into the processes themselves. Steps such as requiring identity verification or implementing multi-factor authentication can make front-office workers less likely to divulge sensitive information.
When employees are aware of potential threats, they are better able to identify trusted sources and act accordingly. And as cybersecurity threats intensify, the IT department can’t be the only party involved. IT and security teams must work with all employees to enforce policies that are both genuinely secure and realistic enough for end users to comply with.
Work with trusted providers
It’s easy to take this aspect of security for granted or overlook it entirely, but who you work with outside your company must be considered. Companies today are increasingly scrutinizing the security practices and data integrity of their partners. This growing concern is well founded; investigations revealed that the infamous Target data breach began with the compromise of an HVAC contractor’s credentials.
However, despite these high-profile attacks and broad agreement on the importance of IT security, many organizations seem comfortable with their existing risk policies and procedures. CompTIA’s Trends in Information Security study showed that just 22 percent of small businesses report being dissatisfied with their current security measures, and medium-sized and large organizations were only slightly more concerned. It is a classic example of thinking “it’s the other guy” who needs help. Many businesses underestimate their own risk.
In addition to implementing robust security policies and educating consumers, organizations must also extend their security expectations to outside partners, no matter how banal the relationship may seem. The same poor habits that plague IT security within your business – reused passwords, unencrypted data and failure to plan for worst-case scenarios – can run rife within other corporate environments. Companies should work to proactively identify and communicate security weaknesses to reduce risks.
Get involved with your legislators
Despite what you may hear to the contrary, members of Congress are very receptive to their local constituencies’ feedback about issues that affect them – especially businesses. It’s important to let your elected officials know about the impact legislation may have on how your business operates. There are several bills under consideration in the U.S. House of Representatives and Senate relating to business and cybersecurity. To learn more about these policies, visit https://www.comptia.org/advocacy/policy-issues/cybersecurity.
As a nonprofit industry trade association, CompTIA advocates on behalf of our members to alert Congress and state-level legislators to the regulations and laws that impact the information technology industry. We also hold an annual “fly-in” for members to speak with their state and district representatives. Meeting in person with your representatives is even more impactful than sending a message. Either way, it is important for businesses to ensure their voices are heard.
A mission for all of us
As our world becomes more connected, we recognize the importance of cybersecurity even more across all sectors of the economy. Organizations have invested heavily in technology solutions to counter the threats. But organizations also must take the initiative to address the individual as part of our defense.
While there is a strong need for specialized security education, we must also train entire organizations to be good cybersecurity practitioners. We must work proactively with our vendor partners to ensure good practice outside our organizations, and we can work to educate and engage our state and federal legislators on the important impacts that cybersecurity laws may have on business.
About the Author
Todd Thibodeaux is president and CEO of the Computing Technology Industry Association (CompTIA), a non-profit trade association serving as the voice of the information technology industry. With approximately 2,000 member companies, 3,000 academic and training partners and nearly 2 million IT certifications issued, CompTIA is dedicated to advancing industry growth through educational programs, market research, networking events, professional certifications and public policy advocacy. Visit CompTIA online and on Facebook, LinkedIn and Twitter.