10 Simple, Low Cost Ways to Improve Information Security

By John Brady, CISO, Secure-24

With today’s technology advancements, it is more apparent that ‘information security’ within the workplace is a top priority, not just for IT professionals, but for all management professionals. Security breaches, depending upon the severity of the breach, threaten a company’s reputation, impact revenue, and damage intellectual property. Protecting company data is no longer limited to the IT department, and an information security management system must be implemented to systematically manage an organization’s sensitive data.
If your company, however, is in the small to medium-size range, it can be difficult to afford a comprehensive Information Security Management system like those deployed by larger companies. You may be assigned the information security management role and be able to afford only one or two information security staff.
What are some ways that you can inexpensively improve the information security posture of your company?

  1. Engage a third-party assessor to conduct an information security risk assessment.
    1. Keep costs low by using a local company. Travel costs can add up quickly. Rates for local companies are usually lower as well.
    2. Use a company that just conducts assessments so that the report is not biased.
    3. Check with your local chapter of ISACA, ISSA, IAPP, HIMSS or ISC to find some good local companies.
    4. Ensure that the company has experience in your industry and its mandatory regulations (e.g., FFIEC, HIPAA, PCI, GDPR, etc.).
    5. Obtain and contact references.
    6. Ensure the deliverables include actionable items, prioritized based upon risk.
  2. Use the assessment results to create a plan.
    1. Focus on the high-risk items.
    2. Consider mitigation to reduce the risk level versus complete remediation, which can often be much more resource intensive (apply the 80/20 rule).
    3. Consider the company’s ability to absorb change; do not try to solve too many issues at once. Stay focused on accomplishing a few tasks at a time.
  3. Share the plan with management, IT and any other departments that can help implement the plan.
    1. If there is a separate Privacy and Compliance team, they may be willing to help write policies and procedures.
    2. IT technical staff can often make small changes in their procedures to close several items.
    3. Management may have suggestions on how to get projects done or may provide additional funding.
  4. Use online materials to obtain templates and guides to implement action items.
    1. There are many sources for free information related to how to complete a particular action item. Search by topic and you can find policies, procedures, standards, controls, toolkits, and tools related to information security.
    2. Join information security-related associations such as ISACA, IAPP, ISSA, ISC and others. Membership is generally low cost, with access to vast resources.
    3. Although the federal government has been increasing its engagement in public-private forums and sharing information, this is still in the early stages and may not provide the level of detailed assistance you may need.
  5. Engage employees in other departments to be “eyes and ears” to keep you informed of potential security issues in their area or to “sell” information security to their colleagues.
    1. Many employees are aware that information security is a growing field and have been actively educating themselves or taking classes, even getting degrees or certifications related to information security. They may be eager to help.
    2. Thank their managers for the efforts of these volunteers and ensure that you have a good volunteer mentorship program.
  6. Determine if a security component can be added to another project or plan.
    1. Hardware replacements and upgrades to include encryption, malware protection, and asset tracking.
    2. Programming projects to include information security coding training and testing. Even if only training can be done, that will provide better results than untrained programmers writing code that leaves the doors wide open.
  7. Consistently “sell” information security to the board of directors, management and all employees.
    1. Inform management of security breaches occurring in your industry.
    2. Understand how your business works and determine how improving information security (think confidentiality, integrity AND availability) will provide business benefits to your company.
    3. Spend time developing relationships with managers. You can win their cooperation and support to keep you aware of potentially insecure practices.
  8. Purchase and implement a Security Awareness Service.
    1. Costs are decreasing and more vendors are entering into this space.
    2. Presentations are bite-sized and interactive, sometimes
    3. Enables monthly reminders about security and keeps it top of mind for employees.
    4. Test things like phishing and have departments compete for the lowest percentage hooked.
    5. Makes information security a part of everyone’s job requirements and evaluation.
  9. Partner with local education institutions.
    1. Many institutions, including high schools, certificate schools, community colleges, and both undergraduate and graduate programs at degree-granting colleges and universities, have information security related programs. Taking advantage of these programs through work-school programs or multi-term internships enables companies to support the local community, develop a pool of future talent, gain current-state knowledge and implement programs at a lower cost. Examples include:
      1. Interviewing subject matter experts and writing policies, procedures, standards, and controls.
      2. Auditing
      3. Security awareness communications
      4. Threat research
      5. Meeting facilitation and documentation
      6. Project coordination and management
      7. Vendor and technology evaluation
      8. Management presentation support
  10. Consider a Managed Cloud Services provider. Secure-24 is a Managed Cloud Services provider, so I can be considered biased in this regard. However, it is becoming generally apparent that managed services providers can often provide a secure environment at reasonable prices. You can see my blog on how to get into the cloud in a secure way for more details on how to do this.

So, there you have it: 10 ways you can improve your company’s security posture as its information security director — even if you have limited resources. Go forth and secure!