“We live in an age that is driven by information. Technological breakthroughs… are changing the face of war and how we prepare for war.”
- former U.S. Secretary of Defense, William Perry
The Cold War was political. It’s over. World War III is an economic war. It’s here – it’s now. Information is where the money is, and stealing it is easy, safe, and lucrative. Laws against eavesdropping and other high-tech crimes are difficult to enforce, and the crimes themselves are difficult to prove. Advances in electronics and optical electronics have made communications interception easy and cheap. Business ethics don’t carry the weight they did in the good old days of punch-card computing. Read on for an executive overview of business security.
Business Security and Risks
IT and business security is becoming more and more critical in today’s commercial environment. Every day we are faced with new computer risks, viruses and new “ideas” from hackers on how to gain access to our networks, other systems or physical locations. Fortunately, ever more sophisticated business solutions can be implemented to protect us from these dangers. These range from simple firewalls up to very expensive encryption and biometric authentication solutions or remote communication modules. These new business realities affect you as much as they do your competitor – no matter what your line of business. The question is: how can you protect your organization, no matter how large or small, from known and unknown security dangers and risks so that it remains as competitive, and therefore as profitable, as possible?
What about all the other business risks that are also getting more sophisticated? Have you considered all the risks that cannot be covered by technology? What about the human side of business? No business can function without the human touch. Yet how do you know when that necessary “human touch” is about to reach out and touch you in the form of an “insider” attack? Have you thought about the employees behind the technology? What about social engineering or disgruntled employees? When did you last have a corporate risk assessment completed, or even consider one, if ever?
Consider the consequences
As a person you face the unknown several times a day without giving it a second thought. We’re used to preparing for the unexpected. You purchase insurance for your car and carry health insurance and life insurance because you know it is the smart choice for your family. You follow the rules of the road when you drive because you know it is the safest option. Unfortunately, with many business risks there is no “red light, green light” to tell us when to stop or go. How can you adequately apologize to your clients when you have to tell them that a hacker posted their credit card information on the hacker’s website? Have you given the same degree of consideration to how your customers and employees will still be able to depend on your business or organization in the event of the unexpected?
If you’re like the senior executives or owners of most companies, the answer may be a frightening “No, we have never had any comprehensive business risk assessment completed.” Or worse yet, perhaps you have a false sense of security in a plan that was developed several years ago. You might assume, “Investing in a security and privacy solution is expensive. It’s too expensive for our organization or business right now.” But can you afford to spend more than 15 times the cost of preventing a security breach or a communications breakdown when the unforeseen does in fact happen?
What can be done?
Proactively preparing your business with a comprehensive security assessment and plan is far less expensive than reacting after the fact. According to David Bauer, first vice president, chief information security and privacy officer at Merrill Lynch, a key component of any strategy is a dynamic risk assessment. By using tools such as scanners, log analysis, risk metrics and asset inventory that together produce a biweekly security report, you can more quickly analyze and prioritize current or potential threats. This approach allows organizations to move from a circle-the-wagons posture to intelligent risk management.
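The paragraph above lists the ingredients of a dynamic risk assessment (scanner output, log-analysis alerts, risk metrics and an asset inventory rolled into a periodic report) without showing how they combine. The following is an added illustration, not code from the article or from Merrill Lynch: it merges constructed scanner findings and log alerts with a constructed asset inventory, scores each asset as likelihood times business impact, and sorts the result into a prioritized report. The weights, the saturation rule for repeated alerts, and every asset, finding and alert are assumptions made up for this example. It also reports anything that appears in scan or log data but not in the inventory, which in practice is the inventory gap a report like this should surface.

```python
"""Constructed example: rolling scanner findings, log alerts and an asset
inventory into one prioritized risk report. All data and weights below are
assumptions for illustration, not an industry standard."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    criticality: str  # business impact if compromised: high / medium / low
    exposure: str     # "internet" (reachable from outside) or "internal"


# Constructed asset inventory.
INVENTORY = [
    Asset("web-01", "ecommerce", "high", "internet"),
    Asset("db-01", "ecommerce", "high", "internal"),
    Asset("hr-file-01", "hr", "medium", "internal"),
    Asset("kiosk-07", "facilities", "low", "internal"),
]

# Constructed vulnerability-scanner output: (asset, finding, severity).
SCAN_FINDINGS = [
    ("web-01", "outdated TLS library", "high"),
    ("web-01", "directory listing enabled", "low"),
    ("db-01", "default admin account enabled", "critical"),
    ("hr-file-01", "SMB signing not required", "medium"),
]

# Constructed log-analysis alerts: (asset, alert type, count in period).
# "vpn-gw-02" is deliberately absent from the inventory to show the gap check.
LOG_ALERTS = [
    ("web-01", "failed logins", 420),
    ("kiosk-07", "failed logins", 3),
    ("db-01", "privilege escalation attempt", 2),
    ("vpn-gw-02", "failed logins", 50),
]


def likelihood(findings, alerts):
    """How exploitable the asset looks plus how much hostile attention it gets.
    Alert counts saturate at 100: the 400th failed login adds little signal."""
    from_findings = sum(SEVERITY_WEIGHT[sev] for _, _, sev in findings)
    from_alerts = sum(min(count, 100) / 100.0 * 3 for _, _, count in alerts)
    return from_findings + from_alerts


def score_asset(asset, findings, alerts):
    """Risk score = likelihood * impact, where impact reflects business
    criticality scaled up for internet exposure."""
    impact = CRITICALITY_WEIGHT[asset.criticality] * EXPOSURE_WEIGHT[asset.exposure]
    return round(likelihood(findings, alerts) * impact, 1)


def build_report(inventory, scan_findings, log_alerts):
    """Return (rows sorted by descending score, names seen in data but not
    in the inventory)."""
    findings_by_asset = defaultdict(list)
    alerts_by_asset = defaultdict(list)
    for row in scan_findings:
        findings_by_asset[row[0]].append(row)
    for row in log_alerts:
        alerts_by_asset[row[0]].append(row)

    rows = []
    for asset in inventory:
        f = findings_by_asset.get(asset.name, [])
        a = alerts_by_asset.get(asset.name, [])
        rows.append({
            "asset": asset.name,
            "owner": asset.owner,
            "score": score_asset(asset, f, a),
            "findings": len(f),
            "alerts": len(a),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)

    known = {asset.name for asset in inventory}
    seen = {row[0] for row in scan_findings} | {row[0] for row in log_alerts}
    unknown = sorted(seen - known)
    return rows, unknown


if __name__ == "__main__":
    report, gaps = build_report(INVENTORY, SCAN_FINDINGS, LOG_ALERTS)
    for r in report:
        print(f"{r['score']:6.1f}  {r['asset']:<12} owner={r['owner']}")
    print("not in inventory:", gaps)
```

The ordering is the useful output: the internet-facing web server with an exploitable library and a flood of failed logins outranks the internal database with a single critical finding, and the kiosk drops to the bottom. The "not in inventory" line is the other thing to act on, since an asset that is being scanned or attacked but is not owned by anyone cannot be prioritized at all.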
With an intelligent risk management solution, the percentage of the IT budget that needs to be spent on effective risk protection is actually far less than what your competitors will be forced to spend. The answer is not how much you spend but how well you spend it. Part of the spending goes to advisory work and to building secure systems. The rest of the budget goes toward risk management, prevention and response. For instance, obtaining someone’s password is simple, so the potential harm that any one individual’s credentials can cause must be minimized.
Security awareness is for everyone
As an illustration, William Farrow, CIO at the Chicago Board of Trade, told how a woman cleaning a conference room became suspicious of a laptop left running overnight. She reported it to security, and it was discovered that the laptop was running port scanning software aimed at penetrating the corporate computer network. In this case even an employee at the lowest level of the corporate structure was aware of the potential damage that could be done to the organization with a security breach. In corporate or IT security, emotional reactions, panic and legislation are counterproductive. But intelligent approaches can safeguard your organization or business from an uncertain future and substantial financial losses.
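The anecdote above turned on a person noticing the laptop; the same scan is also visible in network logs if someone is looking. The following is an added example, not code from the article or from the Chicago Board of Trade: a small detector that reads firewall-style log lines and raises one alert when a single source touches many distinct destination ports on one host within a short window. The log format, the 60-second window, the 20-port threshold and the sample traffic are all assumptions constructed for this illustration. Malformed lines are skipped rather than crashing the detector.

```python
"""Constructed example of the detection side of the port-scan anecdote.
The log format, thresholds and sample traffic are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line shape:
# 2024-03-02T02:14:05Z DENY src=10.0.5.23 dst=10.0.1.10 dport=22 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_scans(lines, window_seconds=60, port_threshold=20):
    """Return one alert per (src, dst) pair that hits at least `port_threshold`
    distinct destination ports inside any `window_seconds` window.
    Lines are expected in time order, as a log file normally is."""
    windows = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        q = windows[key]
        q.append((ev["ts"], ev["dport"]))
        # Drop events that have fallen out of the sliding window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": ev["src"],
                "dst": ev["dst"],
                "ports": len(distinct_ports),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def constructed_log():
    """Build a small constructed log: one normal client that only ever talks
    to ports 80 and 443, and one host sweeping ports 1..40 on a server."""
    base = datetime(2024, 3, 2, 2, 14, 0, tzinfo=timezone.utc)
    lines = ["this line is garbage and should be ignored"]
    for i in range(10):
        ts = base + timedelta(seconds=i * 5)
        port = 80 if i % 2 else 443
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ALLOW src=10.0.8.14 "
                     f"dst=10.0.1.10 dport={port} proto=tcp")
    for port in range(1, 41):
        ts = base + timedelta(seconds=port)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DENY src=10.0.5.23 "
                     f"dst=10.0.1.10 dport={port} proto=tcp")
    # ISO timestamps sort lexically, so sorting puts events in time order;
    # the garbage line sorts last and is dropped by the parser.
    lines.sort()
    return lines


if __name__ == "__main__":
    for alert in detect_port_scans(constructed_log()):
        print(alert)
```

Keying on the (source, destination) pair rather than the source alone keeps a busy legitimate client from tripping the threshold by talking to many servers on a couple of ports each, while a sweep of one host still stands out. The threshold and window are tuning knobs; on a real network they should be set from a baseline of normal traffic, not copied from this example.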
If you ask CEOs who have gotten even low-level employees to be savvy about security, you get advice on employee education: “Make it a part of daily conversation in every project meeting. Make it clear that every project has responsibility for security. You have to make it part of day-to-day operations.” With this in mind, adherence to clearly defined security principles should be a part of each employee’s contract. It is also important to publicize employee-caused security incidents internally, not necessarily naming the employee who made the mistake, but doing it in a way that others learn from the error. The organizations or businesses that have evolved a system of process improvement as a natural consequence of their business demands are the ones that will excel and win the security wars.
What will set your organization apart?
The main difference between companies that have implemented a dynamic security plan and those that have not is preparation. Preparation requires a focus on risk management, intelligence-driven identification, prevention and response. A good organizational or business security strategy is built around these principles:
- Threat management, including intelligence, planning and instant response;
- Comprehensive security services;
- Attention to public policy, including active attempts to educate legislators; and
- An agile response to the changing risk environment.
After all, as we know, an intelligent security response needs to be everyone’s responsibility. Ultimately, what matters the most is not always limited to technology and IT security.
By Dasha Deckwerth