Wednesday, June 6, 2007

Back from the dead ... and more concerned than ever!

So this blogging is harder to keep up with than I expected. I can't believe it's June already. Let me catch you up quickly on the last month:
  • My company has gone through significant growth - our unique approach to security and risk assessments has really caught on and we're hiring people as quickly as we can find them. If you're a CISSP or have a similar background, please call me!
  • I have attended several regional trade shows and conferences over the past month. Some were security related, but most were not. As a result, I have spent a lot of time talking with people who are not "security experts".
  • I have also spent significant time speaking with IT directors and leaders in local and regional government bodies.

And after a month of talking and listening, listening and talking, here's what I see:

  • Everyone seems to accept that security issues are real and that they are at risk.
  • If you haven't been breached, the risk you're under is acceptable. I would be a rich man if only I had a dollar for every version of, "it won't happen to me" that I have heard.
  • The security threats - particularly in the area of social engineering - are becoming more prevalent and are attacking smaller and smaller organizations. I recently ran into the president of a company in rural Pennsylvania - Amish country - whose A/R person was deceived into giving away banking information. They are a 24-person company.

Folks - what's it going to take?!?! At some point, continuing to ignore these issues is going to become irresponsible behavior. (In fact, California is currently considering forcing companies that have been breached to cover all costs for consumers and businesses who have to deal with their information being compromised.)

This blog REALLY isn't intended to be a commercial for my company. But it drives me crazy that we have the resources and ability to help protect you, your company and your customers - but you won't let us. (obviously, I don't direct that to our customers - you guys I love!) :-)

I know this sounds like a rant - and it is - but it's also a plea. As a business owner, you have a responsibility to protect your customers. Do the right thing. Your I.T. people don't have the depth - trust me - they don't. It's not their fault - I'm sure they do a great job keeping the business running. But security is a full time job and they just don't have the time.

So bring in a professional organization. If you don't like me or Pervasive Solutions - no problem. I'll even recommend some others for you if you want. But find someone you can trust and have them help you. At a minimum, here are the things you should be doing every 9 - 12 months:

  • End-user security awareness training: help your employees understand the importance of security and the threats that they may face.
  • External network vulnerability assessment: find out what risks exist on your network.
  • Network and server configuration assessment: help your I.T. team build security into your infrastructure instead of trying to bolt it on afterwards.
  • Policy & procedure review: establish and review your security policies and procedures, both for your I.T. team and your company as a whole, to set expectations and protect the company from compliance and litigation risks.

I know these may sound like a lot. But I assure you, they aren't. For only a few thousand dollars per year, you can cover 80% of your risk with just these four steps. Certainly, I would suggest that you eventually conduct complete, thorough security and compliance risk audits which will dig deep. But don't worry about that now. Just do the basics. If you do, you'll be ahead of your peers who are still burying their heads in the sand.

It's like the old joke, "if we get chased by a bear, I don't have to outrun the bear - I just have to outrun you." Make your company a smaller target - sure, you'll still be a target - but there will be bigger targets all around you.