As we approach the Alabama Cyber NOW Conference on April 5th, we will highlight some of the companies and individuals making this event possible. We recently caught up with Jason Asbury, President of Warren Averett Technology Group, the Diamond sponsor of ACN. Jason will be speaking at ACN and agreed to a Q&A highlighting some of his upcoming talk.
Hi Jason! Let’s jump right in – what can a business do to reduce the likelihood of cyber-attack?
Asbury: The notion of reducing the likelihood of an attack is somewhat futile. Any organization with access to the Internet is subject to attack. The key is to be prepared when the attacks occur. Proper planning, controls, monitoring, alerting and overall management of IT security are absolutely necessary in order to turn attacks into failed attempts.
What are the key ingredients for a cyber-security strategy?
Asbury: Managing a cyber-security strategy begins with a risk analysis. In order to create and implement the proper strategy, risk must be clearly understood. Not all companies share the same risk. Secondly, all effective systems and strategies are governed by good policies. A thorough IT security policy is essential in managing risk. Security policies should not only create a framework for day-to-day management of risk, though. They should also identify and designate key roles within an organization. For instance, every business should have a security officer or manager as well as a risk officer or manager, and all organizations must plan for the worst. This means that an incident response plan is necessary and someone must be designated to manage the recovery steps taken after a breach has occurred. In my experience, most companies fail to implement a strong cyber-security plan because they don’t start with an analysis of risk paired with a solid IT security policy.
What type of third-party services and products can be used to help prevent a breach and keep sensitive information secure?
Asbury: There are a number of services that can assist in managing risk. We recommend that organizations consider third-party monitoring, logging and alerting services for critical systems and network entry points. The assurance of proper oversight relative to security is essential to preventing an incident. Another good outsourced service to consider is quarterly vulnerability scanning and annual penetration testing in order to regularly assess and remediate risk.
Should a company be concerned with its vendors relative to cyber security?
Asbury: Absolutely. A security plan is only as strong as its weakest component. As a business owner or risk manager, you must address security safeguards and loss prevention relative to vendors and business partners. The highly publicized Home Depot breach of 2014 was the result of weak controls around vendor access. We suggest the development of business associate agreements that clearly define requirements around access control and minimal acceptable levels of security from within the vendors’ IT systems.
How can I assess my company’s risk for a cyber-attack?
Asbury: The most effective process is to have a qualified IT security firm perform a thorough IT risk assessment. If your organization has identified a risk-management officer, that individual should be qualified to oversee this process. Relying on an IT manager to assess risk for a system he or she is responsible to maintain may not yield an unbiased report. Risk assessments should include a review of IT policies, network architecture, roles and security procedures, and physical and logical access controls.
Thanks for taking the time to chat, Jason!