Wednesday, June 6, 2007

Back from the dead ... and more concerned than ever!

So this blogging is harder to keep up with than I expected. I can't believe it's June already. Let me catch you up quickly on the last month:
  • My company has gone through significant growth - our unique approach to security and risk assessments has really caught on and we're hiring people as quickly as we can find them. If you're a CISSP or have a similar background, please call me!
  • I have attended several regional trade shows and conferences over the past month. Some were security related, but most were not. As a result, I have spent a lot of time talking with people who are not "security experts".
  • I have also spent significant time speaking with IT directors and leaders in local and regional government bodies.

And after a month of talking and listening, listening and talking, here's what I see:

  • Everyone seems to accept that security issues are real and that they are at risk.
  • If you haven't been breached, then the risk you're under must be acceptable - or so the thinking goes. I would be a rich man if only I had a dollar for every version of "it won't happen to me" that I have heard.
  • The security threats - particularly in the area of social engineering - are becoming more prevalent and are reaching smaller and smaller organizations. I recently ran into the president of a company in rural Pennsylvania - Amish country - whose A/R person was deceived into giving away banking information. They are a 24-person company.

Folks - what's it going to take?!?! At some point, continuing to ignore these issues is going to become irresponsible behavior. (In fact, California is currently considering forcing companies that have been breached to cover all costs for the consumers and businesses who have to deal with their information being compromised.)

This blog REALLY isn't intended to be a commercial for my company. But it drives me crazy that we have the resources and ability to help protect you, your company and your customers - but you won't let us. (obviously, I don't direct that to our customers - you guys I love!) :-)

I know this sounds like a rant - and it is - but it's also a plea. As a business owner, you have a responsibility to protect your customers. Do the right thing. Your I.T. people don't have the depth - trust me - they don't. It's not their fault - I'm sure they do a great job keeping the business running. But security is a full time job and they just don't have the time.

So bring in a professional organization. If you don't like me or Pervasive Solutions - no problem. I'll even recommend some others for you if you want. But find someone you can trust and have them help you. At a minimum, here are the things you should be doing every 9 - 12 months:

  • End-user security awareness training: help your employees understand the importance of security and the threats that they may face.
  • External network vulnerability assessment: find out what risks exist on your network as seen from the outside, where an attacker on the Internet would be looking
  • Network and server configuration assessment: help your I.T. team build security into your infrastructure instead of trying to bolt it on afterwards
  • Policy & procedure review: establish and review your security policies and procedures, both for your I.T. team and your company as a whole, to set expectations and protect the company from compliance and litigation risks

I know these may sound like a lot. But I assure you, they aren't. For only a few thousand dollars per year, you can cover 80% of your risk with just these four steps. Certainly, I would suggest that you eventually conduct complete, thorough security and compliance risk audits which will dig deep. But don't worry about that now. Just do the basics. If you do, you'll be ahead of your peers who are still burying their heads in the sand.

It's like the old joke, "if we get chased by a bear, I don't have to outrun the bear - I just have to outrun you." Make your company a smaller target - sure, you'll still be a target - but there will be bigger targets all around you.

2 comments:

Gary said...

Josh, security awareness done even as "often" as every 9-12 months is a waste of time. Like any advertising campaign, awareness is best run as a continuous ongoing background activity, gradually increasing employees' recognition and appreciation of information security risks and their obligations. Eventually, as the information security "brand" starts to register, you'll find you've created a security culture where people consider security more or less without thinking about it, and bit-by-bit their behaviours change (pure awareness is only the start!).

Kind regards,
Gary

Josh Bouk said...

I absolutely agree with you, Gary. However, for small and mid-size companies that don't have internal staff currently capable of driving a continuous awareness program, I would suggest that this is a reasonable alternative.

Let's face it. If you have a 150-person manufacturing company, you don't have a CISO. Your IT person is probably someone who came from the shop floor at one point and manages to just keep things up and running. For such a company, having a trusted vendor come in periodically to help improve their security awareness and posture is the only real option for them - and in my experience, 9 - 12 months is about as often as that business owner will tolerate.

In the ideal world though, you are absolutely correct. A well-designed awareness program is a continuous program that blends with and influences the culture.

Thanks for your comments! Please keep them coming.

Josh