• idlethreat
    +4

    1) security is an onion. It requires layers to be effective. If you're putting all of your defenses into the latest-and-greatest firewalls and ignoring the internal network with proper network segregation, IDS, HIDS, logging, and other management, then you will definitely lose your ass whenever the bad guys show up. They will show up.

    2) Security training is crucial to companies, but one of the most overlooked aspects of a complete security platform. Train your people, perform red team exercises, keep them wary and alert. Post reminders, send emails, drill them. They are your first line of defense.

    3) I'm not a fan of BYOD. Never have been. I'm assisting one client reviewing packages, but I feel that using alien systems on a secure network blurs the line too much for me to be comfortable with it. Corporate security should be a bright, strong line between "inside" and "outside". It should not be any shade of gray.

    4) "Defending against DDoS" is like "keeping dry in the middle of the ocean". Keeping a working relationship with your upstream providers is good. Moving your web platform off to a big player like Akamai or Cloudflare can definitely help here. Pricey, but it can keep critical systems up.

    I'll reiterate point 1 some more. Security really is an onion. You can't plug security into the wall, hit the 'start' button and mark a checkbox on a form. It's an entire program which has training, change control, processes and procedure, intrusion detection, AV, file change monitoring, and a dozen other items in place and functional. Sadly, a lot of companies ignore critical components due to the time, efforts, or price tag involved.