Ralitsa Karamfilova, Strategic Development Manager at Lirex, on the most efficient path to ensure your cybersecurity
Ralitsa Karamfilova joined Lirex about 10 years ago, holding positions such as Sales Director and Marketing Manager. Two years ago she became the company's Strategic Development Manager, focusing on building a consistent vision and approach for Lirex's Marketing and Sales Departments and on the long-term development of the company as a whole.
Nowadays cybersecurity is a key topic for businesses around the world. What is the best approach for a company to protect itself?
Organizations are different in terms of size, structure, business processes, IT infrastructure, and, probably most importantly, the impact of the risks they should mitigate varies. All this calls for different measures and careful initial analysis.
For example, two organizations depend on a critical business application. But should they implement the same security solution? The answer is: it depends on their IT infrastructure, its architecture and size, and on the sensitivity of the data.
With that being said, the best approach to security is holistic. It starts with a full assessment, good prioritization, selecting and implementing the most appropriate set of measures, and checking if they work. We should also note that security measures should be evaluated from the point of view of creating administrative and operational hurdles, and thus a good balance between security controls, risk, and business operability should be pursued.
Can you give more details about the phases of this holistic approach?
Each company is at a different stage on the road to security. If I have to give simple steps to approaching security, though, it would start with a risk assessment – a complete and thorough analysis of the data and the relevant threats. And only then to start selecting the appropriate measures. Sounds like common sense but often risk assessment is done only partially, or organizations focus on technological measures only.
Simplified in steps, the process can be presented as answering the following questions:
Which business activities are crucial to your organization? This first step is often skipped. By asking it in this way we minimize the risk of excluding an important area.
Where is the data? Keep in mind that this includes data in transit as well.
What data aspect is most crucial? Availability, integrity, or confidentiality.
Which are the relevant threats for each activity, and how likely are they to occur? It is important to consider all three types of threats: unintentional (hardware failure, human error), natural (flood, fire, etc.) and intentional (cyber-attack, malicious employee).
What are our priorities? Analyzing and ranking the risks according to all the info gathered.
After the assessment, we can start thinking about the right set of security measures to mitigate each risk. It is important here to include, in addition to technological measures, internal practices and procedures, and various activities like stress tests, penetration testing, employee awareness training, etc.
Finally, this process should be recurring in order to achieve continuous improvement and business continuity.