An Executive Overview of Business Security

“We live in an age that is driven by information. Technological breakthroughs… are changing the face of war and how we prepare for war.”

-former U.S. Secretary of Defense, William Perry

The cold war was political. It’s over. World War III is an economic war. It’s here – it’s now. Information is where the money is, and theft is easy, safe, and lucrative. Laws against eavesdropping and other high-tech crimes are difficult to enforce, and the crimes are difficult to prove. Advancements in electronics and optical electronics have made communications interception easy and cheap. Business ethics don’t have the same value as they did in the good old days of “deck of punch cards” computing. Read on for an executive overview of business security.

Business Security and Risks

IT and business security is becoming more and more critical in today’s commercial environment. Every day we are faced with new computer risks, viruses and new “ideas” from hackers on how to gain access to our network or other systems or physical locations. Fortunately, even more sophisticated business solutions can be implemented to secure us from these dangers. These can be anything from simple firewalls up to very expensive encryption and biometric authentication solutions or remote communication modules. These new business realities affect you as much as they do your competitor, no matter what your line of business. The question is: how can you protect your organization, no matter how large or small, from the known and unknown security dangers and risks, so that it remains as competitive, and therefore as profitable, as possible?

What about all the other business risks that are also getting more sophisticated? Have you considered all the risks that cannot be covered by technology? What about the human side of business? No business can function without the human touch. Yet how do you know when that necessary “human touch” is about to reach out and touch you in the form of an “insider” attack? Have you thought about your employees behind the technology? How about social engineering or disgruntled employees? When did you last have a corporate risk assessment completed, or even considered, if ever?

Consider the consequences

As a person you face the unknown several times a day without giving it a second thought. We’re used to preparing for the unexpected. You purchase insurance for your car, and carry health insurance and life insurance, because you know it is the smart choice for your family. You follow the rules of the road when you drive because you know it is the safest option. Unfortunately, with many business risks there is no “red light, green light” to tell us when to stop or go. But how can you adequately apologize to your clients when you have to let them know that a hacker posted their credit card information on the hacker’s website? Have you given the same degree of consideration to how your customers and employees will still depend on your business or organization in the event of the unexpected?

If you’re like the Senior Executive or owner of most companies, the answer may be a frightening “No, we have never had any comprehensive business risk assessment completed.” Or worse yet, perhaps you have a false sense of security in a plan that was developed several years ago. You might assume, “Investing in a security and privacy solution is expensive. It’s too expensive for our organization or business right now.” But can you afford to spend more than 15 times the cost of preventing a security breach or a communications breakdown when the unforeseen does in fact happen?

What can be done?

Proactively preparing your business with a comprehensive security assessment and plan is far less expensive. According to David Bauer, first vice president, chief information security and privacy officer at Merrill Lynch, a key component of any strategy is a dynamic risk assessment. By using tools such as scanners, log analysis, risk metrics and asset inventory that produce a biweekly security report, you can more quickly analyze and prioritize current or potential threats. This approach allows organizations to move from a circle-the-wagons approach to intelligent risk management.

With an intelligent risk management solution, the percentage of the IT budget that needs to be spent on effective risk protection is actually far less than what your competitors will be forced to spend. The answer is not about how much you spend but how well you spend it. Part of the spending is advisory and helping build secure systems. The rest of the budget goes toward risk management, prevention and response. For instance, obtaining someone’s password is simple, so the potential harm caused by an individual must be minimized.

Security awareness is for everyone

As an illustration, William Farrow, CIO at the Chicago Board of Trade, told how a woman cleaning a conference room became suspicious of a laptop left running overnight. She reported it to security, and it was discovered that the laptop was running port scanning software aimed at penetrating the corporate computer network. In this case even an employee at the lowest level of the corporate structure was aware of the potential damage that could be done to the organization with a security breach. In corporate or IT security, emotional reactions, panic and legislation are counterproductive. But intelligent approaches can safeguard your organization or business from an uncertain future and substantial financial losses.

If you ask CEOs who have gotten even low-level employees to be savvy about security, you get advice on employee education: “Make it a part of daily conversation in every project meeting. Make it clear that every project has responsibility for security. You have to make it part of day-to-day operations.” With this in mind, adherence to clearly defined security principles should be a part of each employee’s contract. It is also important to publicize employee-caused security incidents internally, not necessarily naming the employee who made a mistake, but doing it in a way that others learn from the error. Those organizations or businesses that have evolved a system of process improvement as a natural consequence of their business demands are the ones that will excel and win the security wars.

What will set your organization apart?

The key difference between companies that have implemented a dynamic security plan and those that have not is preparation. Preparation requires a focus on risk management, intelligence-driven identification, prevention and response. A good organizational or business security strategy is built around these principles:

  • Threat management, including intelligence, planning and instant response;
  • Comprehensive security services;
  • Attention to public policy, including active attempts to educate legislators; and
  • An agile response to the changing risk environment.

After all, as we know, an intelligent security response needs to be everyone’s responsibility. Ultimately, what matters the most is not always limited to technology and IT security.

 

By Dasha Deckwerth

www.stealth-iss.com
