You know where your most valuable data is stored. Your data is locked safely in a fortress of layered defenses. You’ve protected those treasures with well-configured edge devices, a lean fully-patched DMZ, a tightly woven net of firewall ACLs and an intentional architecture that separates your servers’ functions. Your logs are continually examined and anomalous behavior is analyzed. Your privileged identities are well defined by role and rigorously managed.

Overall, you’re able to sleep well at night knowing that you have a well-oiled machine protecting your company’s — and your customers’ — most valuable data. Right?

There’s Not an App for That

Alas, enterprise-level security is not so simple. There are some incredible apps and hardware available today to support networks and protect sensitive data. But technology is not the silver bullet to solving security concerns. And simply buying more technology won’t make you any safer.

In this age of ever-increasing industry and government enforced compliance and regulations, the cost of a breach or loss of sensitive information can sound the death knell for all but the largest businesses. Ironically your best security assets are three things you’re probably overlooking.

Oops, I Did It Again

Well-defined and enforced policies are the backbone of any organization. Without them, your organization is without clear direction or shape. Your management needs policy to underpin their decisions and ensure that those decisions align with your organization’s goals and objectives, while still maintaining good security.

Even if you’re sure you know where all of the most valuable data is kept, what about the other stuff? There is a treasure-trove of informational nuggets likely sitting vulnerable outside of — or even inside of — your walled kingdom.

For example, many companies have service desk or call centers that take customers’ personally identifiable information (PII) over the phone or through an instant message platform. Your company’s policy should clearly define what data is valuable, who should have access, how to process that information and, of course, what to do with it when things aren’t working correctly.

Or for those companies with point-of-sale (POS) systems, how do employees make sales when your POS system is down? A security consultant friend of mine recently asked this very question during an audit. She learned that when credit card readers failed, they resorted to paper imprints — a reasonable, low-tech solution. Unfortunately, further investigation led her to a back closet stacked to the ceiling with boxes full of paper credit card receipts.

So often, it isn’t that someone within an organization was careless or even malicious. Frequently bad things happen when someone tried to make a good decision in the absence of well-defined policy. It’s in those temporary “oops” moments when something breaks.

One of my clients is still dealing with the legal ramifications of losing track — over four years ago — of a spreadsheet that contained the names, addresses and social security numbers of every employee who ever worked for the company. Every link in the chain that supports your business functions as a potential entry point for a would-be attacker — even those that might feel like trivial documents or steps at the time.

Who’s on First?

The system or network administrator who also ‘wears the security hat’ is a cliché whose time has ended. If you don’t have at least one person who is dedicated to not only thinking about your company’s security, but is also empowered to take actions to implement it, you’ve got a problem.

Unfortunately, the skill set required to build effective layered security infrastructure does not often overlap with that of a good sys admin. It’s not their fault; it’s just not part of their expertise. They want to do a good job but don’t have the experience required.

Effective security involves understanding your baselines of performance, continually monitoring against those baselines and producing well-defined (and well-rehearsed) responses to aberrant activity. This frequently means that your NOC, sys admins and other operations personnel must know what to look for and what to do when something seems out of place. Ultimately, it’s a team effort but one that must be overseen by someone with the know-how.

Clear Today – But What About Tomorrow?

Sometimes good security simply comes down to allocating the right resources and training for your staff. By nature, emerging threats are constantly evolving. It does not make sense to hire a security engineer or security team and assume they will stay abreast of all the things that are happening. Even if they spend half of their workweek reading articles and studying exploit techniques, they’re not going to catch it all.

For example, some of the most valuable training I seek out involves learning about novel techniques for exploiting the entire system. This lets me reinforce the things I’m doing right and think about things I could be doing better.

If you don’t currently, set aside funding and time for your security personnel to go to conferences and other training opportunities. It’s not just about hitting the tables in Las Vegas for Black Hat or DEFCON. It’s about ensuring your staff has the resources and opportunity to stay one step ahead of tomorrow’s biggest threats.

Sure your staff will thank you — but I promise your customers will thank you too.