The Key to Information Security Success
Q: What security initiatives will have the biggest impact on my business?
A: I often speak with individuals and management teams about the pros and cons of particular security initiatives. Those responsible for security today are often inundated with information on the topic. They see all the hype around the products, read the headlines of rising concerns and hear plenty of predictions about what is next. It's not hard to see why some just want to know what to do now and what will have the biggest impact.
Most companies I've spoken with have identified and implemented many of the common technologies important to any security program. They have a firewall, antivirus software, intrusion detection/protection, authentication technologies and so on. However, what continues to concern me is that these systems often go untested and unmanaged and therefore create a false sense of security.
So while some companies would benefit from knowing what security devices to implement, for many, the most valuable recommendations are regarding procedures. In many circumstances, companies still fail to realize that a security program is just the beginning. All too often, monitoring and assessment responsibilities are either overlooked, underfunded or just not done properly.
Security audits are one of the best ways to identify security risks and validate the protection devices already put into place. Additionally, they're an invaluable resource for justifying security budgets. However, many companies today fail to perform regular comprehensive audits of their internal and/or external IT infrastructure. And those that do perform audits often just test the externally exposed devices or only have high-level audits performed to ensure the above mentioned "common technologies" are being utilized. Comprehensive audits, however, should thoroughly test for all known vulnerabilities of all systems, correlate the findings, test exploits, identify the true level of risk to the business and detail remediation requirements. Audits properly performed with all these procedures by a reputable firm are in fact one of the most important initiatives you can undertake today.
One of the reasons why security audits top my list is that they lay the groundwork for identifying what is needed to secure the IT infrastructure. In addition, they provide objective insight on the effectiveness of your overall security program. Such audits should be performed at least once per year against the internal environment and every six to 12 months against the external environment. This frequency is a suggested minimum, and many companies rightfully prefer to test certain aspects of a full audit more frequently.
One of most common and major security flaws I come across is that companies don't properly monitor their security protection devices: the firewall, intrusion detection/protection, antivirus, operating system logs and the like. Security management doesn't simply mean performing maintenance and administration; it involves consistent monitoring and the evaluation of events that happen on a daily basis. Yes, these tasks are mundane and generally resource-intensive. During a time when network/security administrators are already busy with other tasks, these activities are often overlooked. However, if this data were being monitored and if security events were being properly evaluated and acted upon, the vast majority of hacking-related events could be prevented.
In most cases, with proper monitoring and reaction, businesses would not have to endure forced system outages, data loss or theft, virus outbreaks, Web site defacement or even the negative publicity that accompanies these and other such events. It's not an easy or inexpensive task if performed internally. However, recent advances in security management software have reduced the security personnel requirements to perform these responsibilities. In addition, several reputable Managed Security Service Providers (MSSPs) have emerged with service offerings to outsource these tedious tasks. Outsourcing security monitoring and response can be a highly cost-effective method of dealing with this problem. It's predicted that the vast majority of companies will be outsourcing this area of security in the next few years.
Another commonly overlooked item is your security policy. Every company should have some form of an information security policy in place and provided to every employee. Security policies provide a roadmap for both IT and non-IT personnel on how the company expects them to conduct themselves with any matter that affects the security posture of the business. In many cases, the actions have an obvious impact, such as the disclosure of logon account information to unauthorized personnel. While some policies are clearly security-related, other policies may be less obvious in terms of their impact to security risks to non-IT employees.
An important point to consider is that an information security policy reflects the company's stance on security in general. If no security policy exists or very little effort has been made in this area, it can be considered a direct reflection on the overall security posture of the business as a whole. This in itself can increase the likelihood of a company becoming a target and/or a victim.
Several excellent books on the topic of information security policies exist today, making it easy and cost-effective to set up a basic policy. In addition, there are plenty of security consulting firms that can assist with more detailed policies.
Michael Bruck is the founding partner of BAI Security, an 8-year-old information security consulting firm. Bruck leads his security team with a successful 16-year background in IT management and senior engineering positions. He is also the developer and author of best practices that are becoming standards in the information security consulting business. He can be reached via www.baisecurity.net or by e-mail at email@example.com .
The opinions expressed in this column are those of the author, not of Entrepreneur.com. All answers are intended to be general in nature, without regard to specific geographical areas or circumstances, and should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.