I don’t do this too often, but I’d like to recommend a specific whitepaper from ArcSight (Full disclosure: I have no reciprocity with them whatsoever).
It’s available here, and requires registration. The paper is World-class protection for the mid-size organization.
The paper makes valid, timely, points that in a networked world, we suffer threat – if not outright breaches – from malware, viruses, etc. I can throw in malicious botnets, human error, mistakes in judgment, and so forth; all the while, organizations face increasing regulation and associated penalties. The vulnerabilities mount – and will continue to mount. Velocity of risk, anyone?
The article mentions, likely accurately, that most SMBs (small and medium businesses) do not have large dedicated security staffs – and what security staff does exist is declining. And yet, the SMB enterprise has the same security burdens as its “larger brethren” – the securing of financial information, private customer data, intellectual property… et al., with the same legal and compliance responsibilities.
I agree with all of that, but I offer something a bit unique (and have done so in the past, and will continue to do so). Make everyone in the organization a security officer. Technically, not an actual Security Officer, but rather people with an elevated awareness of security in general, and with specific knowledge of your organization’s security expectations, practices, regulatory burdens, and so on…
Can you do that? Is it possible to train employees to elevated standards of security: to the focus, activity, care and results of strict security practices and measures?
The answer is not only “Yes” – the answer is “You have no choice.”
For small business – where money is tight, tight, and also oftentimes tight – find a smart, dedicated and ambitious employee to take on Security as an Additional Duty. Have that person develop a training plan, for awareness and prudent activity, as a start. Then, begin delivering Security Awareness Training – find your “affordable” schedule… monthly? Quarterly? Semi-annually? When and how often can you spare people for training attendance?
For medium business, you really need a dedicated security person, or personnel, with the attendant training and awareness. Larger enterprises already have an infrastructure of a department and associated activity – or you’d better, if you have any clue at all.
But for SMBs and large enterprises, the most provocative idea is to make everyone a security officer: It becomes second nature for employees to screen every activity through a security prism: “I’m about to send information: To whom am I addressing it? Are all authorized to see it? Is my conduit for transmission secure enough?” Just as one qualifier of one activity…
Train every employee to have this regularized assessment going on for all activity, all handling of data, every customer touch, every vendor interaction, etc.
Today, the more complex and comprehensive the enablement, the larger any vulnerability’s window and subsequent impact. With new velocity of risk, scales of harm, and delivery of harm, whether deliberate or through human error, problems manifest with much more widespread impact.
Vulnerabilities must be managed, in providing protection from harm: In the realm of risk, unmanaged possibilities become probabilities. Probabilities always manifest.
Today’s total business reliance on comprehensive technical enablements requires provocative protection.
NP: Swinghouse – Gerry Mulligan / Chet Baker – Jazz24.org