How to Apply a Military Strategy to Your Firm's IT System
When it comes to cybersecurity, there are no offensive strategies, only defensive ones.
The traditional approach relies on prevention strategies – as if a hardened shell surrounded your firm's IT system. This approach assumes that cybersecurity incidents are exceptions, rather than frequent, ongoing, ever-more-creative attempts at breaching data.
However, there is an alternate approach called "Defense in Depth" – modeled after conventional military strategy – which is much more effective. Rather than concentrating all resources at the front line, the Defense in Depth strategy has defenders deployed in a series of pre-planned positions – in a series of layers – from which they can advantageously attack the advancing enemy.
You can adapt Defense in Depth to your own needs. The first layer is network security, which analyzes the traffic over your computer network: firewalls block access to and from unauthorized networks. A good next layer is an intrusion prevention system that works in tandem with the firewall to identify potential threats and respond to them quickly. Other layers to consider include antivirus software that scans for suspicious patterns and activity, data integrity checks that verify data came from a trusted source, and behavioral analysis that flags abnormal activity.
The key takeaway: Multiple layers of defense are better than relying on a single one.
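As an added illustration (not from the original article), the small Python model below runs constructed sample traffic through three of the layers just named. The allowed source range, the signature list and the per-user connection baseline are assumptions chosen for the toy; the point is that each layer stops something the other two would have let through.

```python
# Added illustration: a toy "defense in depth" pipeline over constructed
# connection records. Each layer catches something the others miss.
from dataclasses import dataclass
from collections import Counter


@dataclass
class Conn:
    src: str        # source IP address
    dst_port: int   # destination port
    payload: str    # short excerpt of the request (constructed)
    user: str       # account that initiated the connection


# Constructed sample traffic; none of these are real observations.
SAMPLE = [
    Conn("10.0.0.5", 443, "GET /index.html", "alice"),
    Conn("203.0.113.9", 3389, "RDP handshake", "svc"),        # external source
    Conn("10.0.0.7", 80, "' OR 1=1 --", "bob"),              # known bad pattern
    *[Conn("10.0.0.8", 445, "SMB read", "carol") for _ in range(50)],  # volume
]

# Assumed signature list for the toy IPS layer.
SIGNATURES = ("' OR 1=1", "<script>")


def firewall(c: Conn) -> bool:
    """Layer 1: only the assumed internal 10.x range may reach the network."""
    return c.src.startswith("10.")


def ips(c: Conn) -> bool:
    """Layer 2: drop traffic whose payload matches a known signature."""
    return not any(sig in c.payload for sig in SIGNATURES)


def behavioral(conns, per_user_limit=20):
    """Layer 3: flag users whose connection count exceeds an assumed baseline."""
    counts = Counter(c.user for c in conns)
    return {u for u, n in counts.items() if n > per_user_limit}


def defend(conns):
    """Pass traffic through each layer in turn; report what each one stopped."""
    stopped = {"firewall": [], "ips": [], "behavioral": []}
    passed = []
    for c in conns:
        if not firewall(c):
            stopped["firewall"].append(c)
        elif not ips(c):
            stopped["ips"].append(c)
        else:
            passed.append(c)
    flagged = behavioral(passed)
    stopped["behavioral"] = [c for c in passed if c.user in flagged]
    allowed = [c for c in passed if c.user not in flagged]
    return stopped, allowed
```

Removing any one of the three layers lets its corresponding sample record through untouched, which is the layering argument in miniature.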
Furthermore, use a cost-benefit approach to risk mitigation. When serial bank robber Willie Sutton was asked why he felt compelled to heist financial institutions, he replied, “That’s where the money is.” The same goes for cybercriminals. Your firm needs to decide which data are the most valuable and then spend accordingly to protect them.
You need to build a strong foundation of knowledge around your data to understand exactly what you hold and the potential risks to its security. A helpful way of determining the value of a specific piece of information—and the risks to be managed—is to think about the impact if it got into the public domain. What would happen? Many firms tend to prioritize protecting confidential client information for just this reason.
Further, the concern is no longer simply that data will be stolen, but that it will be altered so that it becomes unusable or incorrect — and your firm may not even know it!
It is therefore critical that your company put in place the most effective strategy to protect important data. Once you have ascertained the criticality of what needs to be protected, you can prioritize and allocate resources to avoid and mitigate cybersecurity threats. At that point, you can decide whether or not your cybersecurity budget is appropriate.
The key to effective cyber wellness is your company's ability to assess, measure, monitor and control risks. Most accounting firms focus on breaches – which is really only the assessment aspect. They need to broaden their focus. Smart accounting firms understand that cyber wellness is not a technical problem to be solved but, rather, an ongoing risk to be managed. Cybersecurity cannot be guaranteed – but a timely and appropriate reaction can.
I am passionate about helping business leaders sleep better at night – by equipping them with critical cyber risk management tools that protect their enterprises while enhancing strategic business growth.
My career is grounded in managing risk – from cybersecurity to financial and operational risk. In addition to setting successful...