It’s often been said that the first step in effectively dealing with a problem is admitting that you have one.
IT security is certainly a problem, even for small businesses. While not every company has sensitive corporate secrets to worry about, businesses are still responsible for protecting the employee, customer and partner information on their computers. As the business world becomes ever more tightly networked, companies need to ensure that security holes in their own IT infrastructure don’t offer intruders a back door into the systems of partners and suppliers. And there’s always the chance that insiders could abuse the company’s trust and exploit poorly protected IT systems for profit or revenge.
But admitting your company may be exposed to an unacceptable level of risk is one thing and knowing what to do about it is quite another.
That’s not a new conundrum. Companies of all sizes struggle to understand IT security in terms of what the danger is and what to do about it. Confusion and concern abound, because the advice a business may receive about security can come from all directions and many sources. Vendors are selling all sorts of products with a variety of built-in security features, but these features may hinder more than help. Do you know how to manage these tools? Your company might need some consulting help to figure out what you need to do, but can you afford that often high-priced help?
It’s all quite confusing and sometimes overwhelming.
Then there are the internal issues to tackle, since the danger of outside threats pales by comparison to what insiders can do. Do you have the time to educate your employees, design a corporate security policy and revisit that policy regularly? What should go in that policy and who should author it?
Add to all of this the fact that nobody has all the answers and you can never let your guard down. Security is really a people problem rather than one to do with technology, and dealing with it effectively is a never-ending process. You need to continually invest and reassess. Once you’ve tackled one thing and moved onto another, you’ll end up back revisiting that first thing you dealt with because elements of your business or issues related to security itself constantly change. Nothing to do with security seems straightforward – or easy.
But don’t feel alone. Big businesses, too, are often confounded when it comes to knowing what to do and how much to invest. And they typically have much bigger IT security problems. Besides being much more likely targets for hackers and intruders, many, by virtue of the industries with which they are associated – such as banking, health care, government – and the countries they do business in, are forced to spend on security in order to be compliant with all sorts of legislation and regulations, such as Sarbanes-Oxley and Canada’s own privacy laws. In fact, many market research companies in Canada are examining how enterprise businesses spend IT dollars, and they’re finding that security has become the greatest priority for these organizations. IDC Canada estimates Canadian businesses spent more than $765-million on IT security last year.
That’s a lot of money when you consider that many of these companies really don’t know where to spend those dollars effectively or even how to approach IT security in the first place. Many organizations leave themselves vulnerable because they go out looking for a solution without really understanding the problem. They know they need security, but they don’t take the time to stop and ask themselves specifically what must be protected.
This is where smaller companies should adopt the approach taken by their larger peers. Smart enterprise corporations usually begin by performing what’s called a risk assessment to determine what they need to do and how much is appropriate to spend. A risk assessment can be a large undertaking involving time, expense and maybe even some outside consulting, but it doesn’t have to. The basic guiding principles of risk assessment are fairly simple and may be enough to at least send smaller companies down the right path, and save them a lot of money in the long run.
Risk assessment considers three key elements:
— Assets. These are things within your company that have value and therefore must be protected. Typically these might be tangible things like computer systems and business information/data, or less tangible assets like the company’s reputation. It’s important to determine a monetary value for these things.
— Threats. These are the actual methods and means that might be used to infiltrate or compromise IT systems and business resources. Threats may include malicious persons or groups, careless employees or other individuals who may have access to corporate IT information or resources, and random events or natural disasters.
— Vulnerabilities. Here a company assesses the likelihood that a security breach or other incident may occur, as well as where and how. Are systems locked down? Are networks secured? Are passwords being generated properly and changed regularly? The challenge is to consider the threats to which assets are vulnerable and classify the effort required by a threatening agent to mount an attack – is a breach highly likely, not probable or something in between?
The good security news about risk assessment is that only when all three conditions exist should a business make security investments. The bad news is that all three conditions usually exist somewhere in most companies’ operations. Almost every company has assets of value that are vulnerable to threats and need to be protected.
Still, a risk assessment helps companies determine what’s most important and how much they should probably invest in order to minimize the threat to these precious and not so precious corporate jewels. It helps to determine where security dollars might be most wisely spent – more significant investment for valuable corporate data that’s shared inside and outside the company versus much less for those easily replaceable things or assets where it might not matter whether a compromise occurs, for example.
These guiding principles of risk assessment are a small step, but one that can be a giant leap in the effort to minimize the bad things that can happen when your company’s IT and corporate assets aren’t so secure.
This article appeared in The Globe and Mail on May 12, 2005.