By Neal O'Farrell, Think Security First
Although cybercrime has reached epidemic levels in only the last five years, cyber security has been around for more than thirty. And in those three decades security experts have learned valuable security principles that can be successfully applied to any business, big or small.
In this article I'll take you through some of the most fundamental and accepted security principles; thoughts you should be able to apply to your business and personal life every single day.
Security is like profit. It's not an option
Cyber security is now so fundamental to business it must be a priority for any business. Corporate leaders increasingly cite security as "Job One" without which all other business processes and goals are at risk.
Think Security, First and Always
Security works best when it's instinctive. Learn to think security first into every business decision, into every relationship with customers, employees, and partners, and into every action. Whether it's thinking before you send an e-mail, open a document, or deploy a technology, pausing to reflect on the security implications first is a big step to better security.
Focus On What Matters Most
It's impossible to protect everything all the time. The key to manageable security is protecting what matters, to your business and to your customers. It's important to identify the resources and assets that your business depends upon, and which your customers trust to your care. By focusing your greatest efforts and resources on critical assets, you won't have to waste time protecting assets that no-one wants to target anyway.
Think Like An Attacker
Chances are you'll never actually get to meet the hacker, identity thief, or virus author that attacks you. But that shouldn't stop you from getting to know them. Most attackers follow similar patterns, use similar methods, exploit similar vulnerabilities and are driven by common motives.
The more you understand about these methods and motives the better able you'll be to build the appropriate security. While there are more than 1.5 million variations of computer viruses and other malware in circulation, most of them follow the same design, work the same way, and depend on the same weaknesses in your security. You only need to understand viruses in general to understand 99% of them.
A Little Knowledge Is Not A Dangerous Thing
As with any business or technical endeavor, the more you know, the more it shows. Take some time to learn about cybercrime, why so many businesses are vulnerable, and what they've done to fix the problem. You don't have to become an expert, or learn any new skills. But the more lessons you can learn from the experiences of other businesses, the easier it should be to develop a security strategy that will stand up when it's tested.
Security Never Stands Still
When it comes to security there's no such thing as "set-and-forget." Security is just as dynamic as business, and every day brings a new challenge, a new lesson, and a new crime. That's why professional security managers are constantly testing and reevaluating their security strategies, procedures, and assumptions.
Every new technology you use brings with it a host of potential new threats. Every employee you hire, and every customer you win, has the potential to introduce a new security problem. And every business decision you make will have some impact on your overall security.
Any security strategy is only as good as it's up-to-date, and the only way to ensure it's up-to-date is to review and revise constantly.
Good Security Has Many Layers
Good security consists of many layers, each one designed to make it harder for an intruder to launch a successful attack, and encourage the attacker to give up and try elsewhere. Those layers include physical, technology and administrative layers, each one consisting of multiple security components.
For example, technology layers should include firewalls, anti-virus, encryption, and access controls. Physical layers should include good office security, good security at home offices, and even locking computers to desks.
Administrative security should include proper policies, a regularly updated security strategy, employee awareness training, and constant vigilance. When you combine these concentric layers of security, starting at the external perimeter (like your connection to the Internet) and continuing to the innermost layer (controlling access to your data), you stand a very good chance of frustrating attackers enough to make them simply give up.
And don't forget to use multiple layers within layers. Firewalls on Internet connections should be backed up by another layer of firewalls on sub networks. Access authorization to a network should be backed up by more access control to any computer on the network.
Make Security A Core Part Of Business Strategy.
Security comes before revenues and profits because without adequate security, everything else, from profits to business reputation, is compromised.
Small business owners must make security a core part of their overall business strategy, and accept it as a key enabler for future business.
Security Is Everybody's Responsibility
Cybercrime is everybody's business. Attackers always look for the weakest link, and often that's the person who's least aware of the security risks. Every employee in your business, including the entire management team, has a role to play in security. Regular security awareness sessions should be held, at least once every three months, to keep lessons fresh and vigilance sharp.
Security awareness goes beyond your employees, and includes any family members who use computers that may have access to your business. That access could be a direct connection to your network, or simply use of a home computer for business purposes.
And don't forget to spread the security message to your suppliers and partners. They can often be targeted as a point of access into your business, and you'll be doing them a favor by reminding them of the importance of awareness and vigilance.
Good Security Is Good For Business
A number of studies have shown that the fear of cybercrime is still a major reason why customers are reluctant to do business online. This view is especially prevalent among consumers who purchase from small business web sites.
Consumers usually have insufficient security knowledge to assess the security of a site they want to purchase from. Most consumers also understand that small businesses tend to be very lax about security, and often don't have the will, commitment or resources to take the security measures that are needed.
Any small business owner who takes the proper precautions has the opportunity to turn this security awareness into a competitive advantage by using it to reassure worried customers that security is a priority, and that any transaction with your company through your web site is a risk-free one.
A focus on security can also be a comfort to your bigger customers, many of whom see small business partners as a potential vulnerability over which they have no control. Give your customers the comfort they need to do more business with you by addressing their security concerns, and demonstrating your commitment to their protection.
Security Is About Filling The Gaps
Cybercrime is about exploiting gaps - finding and exploiting known holes or vulnerabilities, of which there are usually many. It makes sense therefore that a key focus of security must be on identifying the obvious and not-so-obvious gaps, plugging them first, and patrolling them often to ensure they are not being breached.
It may sound like a lot of work but in practice it's relatively simple. For example, one of the most common vulnerabilities in any organization is poor password practices. That usually means passwords that are too easy to guess, or passwords that are not properly protected.
The solution is a policy that ensures employees don't create vulnerable passwords, take appropriate precautions to make sure no-one else finds that password, and understand the consequences if they ignore that policy.
Security Is About The Behavior Of People
Despite the focus on technology in security, cybercrime is mostly about people. The criminals are real people with real motives. And most of their attacks depend on the predictable behavior of other people; in particular the management teams that make the decisions about security; the technical staff who often fail to take proper precautions; and the employees whose predictable and careless behavior creates even more vulnerabilities.
While technology plays a key role in security, don't underestimate or undervalue the role of people. You have little control over the behavior of cybercriminals. But you do have control over the behavior of employees and technical staff. Use that control to persuade attackers that you're not vulnerable and not worth their time and effort.