When you look at the concerns that keep business owners up at night, a few show up over and over. One of them is the challenge of securing your systems. No one wants to be the company named in the latest data breach. Unfortunately, security can be expensive: it is an open-ended goal, and there is no natural point at which spending stops being useful, so it can absorb as many resources as you are willing to pour into it.
Achieving the Minimum
The first step in securing your systems should always be to reach the expected minimum level. The tasks required to get there vary from platform to platform and from one line of business to another. You can hire a consultant to assess your systems and point you to the minimums, or roughly the same information can be found in an Internet search (vendor hardening guides and published configuration baselines cover most common platforms).
The standards set out as minimums are almost always based on the well-known risks of those systems. Thus, when you reach the minimum, you are blocking the large majority of attacks, which are opportunistic and automated and rely on exactly those well-known weaknesses. And yes, you will be attacked if you have a website or system that can be reached from the Internet.
Technical, but Understandable
The recommendations you will find (or a consultant will share) walk through technical steps and configuration details. However, the goal of each action and how it improves security are usually practical and can be understood by non-technical staff as well. As a leader, it is highly useful to understand, roughly and at a high level, what has been achieved when these tasks are complete.
Above and Beyond
Once you have the minimums, the hard work begins. This is where you must decide whether additional investments in security are needed. The case for extra protection rests on risk reduction, so these are not cut-and-dried ROI decisions. However, some guidance can be found by examining the steps commonly taken in your line of business and by reviewing the requirements of any compliance obligations you have (PCI DSS, HIPAA, etc.).