It's not if, but when your organization will suffer a security breach. Whether large or small, and whether defending against internal or external attacks, every organization must remain vigilant. Even the NSA, arguably the most secure US federal intelligence agency, failed to stop Edward Snowden from releasing an estimated 1.7 million sensitive records.
1. Use the Principle of Least Access
Applying a minimal access policy goes a long way
For example, does your CEO’s swipe card really need unrestricted access to the warehouse? Do they really need to be able to sign out forklifts? Genuine exceptions should only be considered on a case-by-case basis.
2. Apply Layered Defenses
When you build your defense in layers, each is able to mitigate the others’ vulnerabilities. This is sometimes called the ‘Swiss cheese’ model of security. Any one layer or ‘slice’ will inevitably have holes you can’t plug. But when you layer two or more security slices on top of each other, those holes are reduced, or can be eliminated entirely.
Ideally, you should layer different types of security, such as physical barriers paired with electronic key control and access control systems. You can even create micro-layers within your security systems, such as requiring multiple forms of authentication: for example, a PIN code combined with a biometric control panel.
3. Integrate With Existing Systems
IT systems have increasingly shifted to what’s known as ‘open architecture’ design over the last decade. In this case, ‘open’ means the systems are designed from the ground up to be ready to integrate with other technologies.
Integrating security systems gives you data from throughout your organization that’s greater than the sum of its parts. This approach lets you conduct proactive real-time monitoring and threat detection. You also gain operational efficiencies coordinating and communicating between your security assets in a unified system.
Which brings us to...
4. Centralize Access Management
Some organizations will, for good reason, have a decentralized management structure. But when it comes to managing access controls electronically, a centralized model is ideal. This may seem counter-intuitive to security personnel without an IT background, but when access control is networked this becomes the best practice.
Centralizing controls eliminates redundancy and therefore the chance for error. It also reduces the chance of miscommunications between different control centers throughout the organization.
5. Defend Your Chokepoints
Creating chokepoints has long been an effective practice, especially in high-traffic enterprise environments. The problem is that chokepoints create a predictable flow of people or assets that attackers can exploit.
Modern IT systems also use chokepoints to secure network traffic, so they’re vulnerable in similar ways. In fact, many of the largest headline-grabbing cyber-attacks have targeted vulnerable IT chokepoints.
That means to stay ahead of attackers, we need to implement new forms of chokepoint security that leverage both physical and electronic tools. For example, manage a physical asset with electronic tools that are hard for on-site attackers to disrupt, such as by securing critical keys with an electronic key management system. Or vice versa, deny remote attackers by keeping certain infrastructure un-networked.
6. Training, Training, Training
You can have all the security tech in the world and attackers will still walk right through your defenses if your personnel
7. Plan, Test, and Test Some More
When planning or reevaluating existing security measures, it is essential to begin by defining your goals. To accomplish this, make sure to get input from all levels of the organization, not just security personnel. Different concerns and threat scenarios can emerge from very different sectors of your business.
Once security plans, policies, and systems are established, the best practice is to conduct regular reviews to update them against the latest threats. Include a thorough review of the internal incident log, and assess the outcome of each incident and the actions taken. Then integrate those outcomes into your security protocols.
The security sector is changing at an ever-increasing rate, but the principles that found our discipline
Editor's note: Originally published March 13, 2017, updated July 13, 2018 for accuracy and comprehensiveness.