10 IT Security Tips for Midsize Business

I recently asked the following question on the IBM for Midsize Businesses group on LinkedIn as a basis for discussion and a means to crowdsource some tips and best practices for IT security:

Security attacks often arrive unannounced, but a well-established security plan, properly implemented, can help limit these often costly situations. This discussion aims to offer midsize business leaders guidance on how to protect their business and their data.

The goal of this discussion is to crowdsource 10 steps midsize companies can take to protect their business, taking into account both their on-site and their cloud computing environments. Securing the cloud can be a data center challenge, sometimes a software issue, and sometimes a data or device access issue. Your security tips will help create a list from the online community, for the online community.

Thank you to all who participated in the discussion (full list below), which provided fairly detailed and specific recommendations for midsize business leaders to consider as they work to secure their enterprises.

As promised, here are the Ten Steps Midsize Companies Can Take to Protect Their Business:

1. Culture of Security

Start by treating security as a culture rather than a product you buy once. For the most part, the only secure system is one that isn’t plugged in, and even then the drives can be pulled out and read. The challenge is to strike the right balance between security, convenience and cost. It is about education and human behavior as much as it is about technology. And remember that many breaches start from within: several contributors maintained that you should worry more about insiders and careless mistakes than about anything external.

2. Focus

Quite simply, not all systems within a business are created equal, and not everything has to be protected the same way. Budgets are limited for midsize businesses, so take the time to assess what each asset is actually worth to you. Planning and risk assessment are an important part of the security equation. What are you trying to protect (sensitive data, at rest or in motion), and which critical business applications can you not do without, and for how long?

3. Zero to Secure

A common mistake is to try to go from zero to secure too quickly. Take the first steps first. Each new security measure introduced into your enterprise must be weighed and integrated carefully and methodically; a control rolled out faster than your staff can absorb it tends to get worked around rather than followed.

4. To Cloud or Not to Cloud

Technology is not one-size-fits-all, and clouds are not a panacea. With variations that include public, private and hybrid, clouds add complexity to an enterprise. Understand that not everything has to be in the cloud. Moving to the cloud grants access to more sophisticated security (physical and digital), but your security scheme is only as strong as its weakest link.

If you are considering moving data and applications into the cloud, a risk assessment will show you where to focus your security controls and help you decide what is suitable for the cloud.

5. Keep the Keys to the Castle

Vet your cloud. Not all clouds are created equal. Make sure your cloud service provider’s policies and controls align with your requirements (as well as your budget). And remember that no matter how good your service provider may be, the final responsibility, and accountability, for your enterprise is still yours. Maintain your own documentation and security controls and, where possible, keep the encryption keys yourself rather than handing them to your cloud provider: encrypt sensitive data before it leaves your environment, and hold the keys in a key management system under your own control.

6. Passwords

This one deserves its own mention, both because it was mentioned so often and because it represents, in many respects, the first line of defense. Policies covering password length and complexity, identity management, two-factor authentication, and how often passwords need to be changed play a strong role in overall enterprise security. One caveat: forced periodic rotation has fallen out of favor; current guidance is to screen new passwords against lists of known-breached passwords and to change them when there is evidence of compromise.
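As an added illustration (not code from the original post or from any of the contributors), the following Python sketch shows the mechanisms behind this tip that a midsize shop would actually deploy: a password policy that checks length and a breached-password list, salted PBKDF2 hashing for storage, and a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP) as the second factor, with both factors always evaluated so a failed login does not reveal which one was wrong. The breached-password list and the demo secret (the RFC test secret) are constructed sample values, and the minimum length and PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

MIN_LENGTH = 12  # assumption: length matters more than character-class rules
BREACHED = {"password", "123456", "qwerty", "letmein"}  # constructed sample list
PBKDF2_ITERATIONS = 600_000  # assumption: a current-generation work factor for PBKDF2-HMAC-SHA256
TOTP_STEP = 30  # RFC 6238 default time step in seconds


def password_policy_ok(pw):
    """Reject passwords that are too short or appear in the breached list."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in BREACHED


def hash_password(pw, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns one storable string."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(pw, stored):
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify_totp(secret, code, at=None, window=1, step=TOTP_STEP):
    """Accept the current step plus or minus `window` steps to tolerate clock skew."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(stored_hash, totp_secret, pw, code, at=None):
    """Both factors are always evaluated so a failure does not reveal which one was wrong."""
    pw_ok = verify_password(pw, stored_hash)
    code_ok = verify_totp(totp_secret, code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226/6238 test secret and a sample passphrase.
    secret = b"12345678901234567890"
    stored = hash_password("correct horse battery staple")
    print("policy ok:", password_policy_ok("correct horse battery staple"))
    print("code at T=59:", totp(secret, at=59))  # 287082 per the RFC test vectors
    print("login:", login(stored, secret, "correct horse battery staple",
                          totp(secret, at=59), at=59))
```

The skew window of one step either side is the usual trade-off between usability and replay exposure; a real deployment would also record the last accepted counter per user so the same code cannot be replayed within the window, and would store the TOTP secret with the same care as the password hash.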

7. Monitoring, Monitoring, Monitoring

No security system is proof against all threats. The sooner you know about a problem, the more quickly you can act to limit the damage, so collect logs from your servers, endpoints and cloud services, review them, and alert on what matters. ’nuff said.

8. Backups

Wait, that’s data protection, not security, right? Wrong. Some “break-in” scenarios target destruction rather than theft of data. Data recovery needs to be part of the security plan, which means backups an intruder on your network cannot also wipe (kept offline or otherwise isolated) and restores that have actually been tested.

9. Endpoint Security

Anywhere your enterprise touches the outside world is an exposure. Whether it’s viruses, malware, malicious interlopers or simply script kiddies, be sure you cover the basics of endpoint protection: patching, anti-malware, and control over what software is allowed to run. And don’t forget the perils of BYOD.

10. Don’t Just Trust It, Test It

Whether as an internal process or executed by a third party, intrusion detection and penetration testing should be a staple in your security regimen. This should cover both internal systems and cloud services. Many cloud service providers will supply reports of recent tests upon request. No security system is proof against all hackers, but you should at least be sure that what you have stands up to professional scrutiny.

11. You’re Never Done

Security is a journey, not a destination.

Ok. My list goes to 11. Thank you Nigel Tufnel.

Thanks to all those who participated in this conversation. There were some really great comments and I couldn’t do justice to them all in a single summary post. Please be sure to read through the full discussion. Here they are (in order of participation): Geoffrey Colon, Howard M. Cohen, Amrita Chandra, Kelly Craft, Alan M Buckwalter, Darren Argyle, Marcio Saito, Phil Neray, Ryan Berg, Phil Simon, Robert Whetsell, John Jacob, Derek Brink, Aarti Comstock, Fred McClimans, Mark Underwood, Phil Hassey, Kenneth Hess, Akram Mohammad, Petar Lafchiev, Antonio David López Fuentes, Paul Williams, Leslie Reiser, Sanjeev Aggarwal, Stefan Ried, Wayne Spivak, Charlie Dankner, Philip Kibler, Vimalkumar A.V, Folkert Visser

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

  • CHopeMurray

    A very helpful 11 – all the better for the omission of any technical product or service. Security is a culture and a mindset, as much about how you operate and deal with issues as it is with software, hardware and solutions. I would only add that point #10 should be emphasized as a regular rather than a singular event. Disaster Recovery should be tested once a year and security more often (since security can be broken down into smaller, more discrete test cases).

    • Thanks, Colin. Testing is often considered an expensive luxury. But how do you know if all your planning and implementations work unless you test them?

  • Thoughtprovoke

    A small cloud will always be manageable because throughput is not an issue, but when you start designing solutions for larger sectors and groups of customers, speed and load are paramount, so streamlined coding and tools should be constantly fine tuned. I have some tricks, but I am going to keep them in my little noggin. :-)

    As for the Don’t Trust, Test rule? A honeypot is always nice to extrapolate information from and to be on top of all intruders.

  • My favorite:

    11. You’re Never Done