I recently asked the following question on the IBM for Midsize Businesses group on LinkedIn as a basis for discussion and a means to crowdsource some tips and best practices for IT security:
Security attacks often arrive unannounced, but a well established security plan and implementation can help mitigate these often costly situations. This discussion, however, aims to offer midsize business leaders guidance on how to protect their business, and their data.
The goal of this discussion is to crowdsource 10 steps midsize companies can take to protect their business – taking into account on-site AND their cloud computing environments. Securing the cloud can be a data center challenge, sometimes a software issue, and sometimes a data or device access issue. Your security tips will help create a list from the online community for the online community.
Thank you to all who participated in the discussion (full list below) which provided fairly detailed and specific recommendations for midsize business leaders to consider as they work to secure their enterprises.
As promised, here are the Ten Steps Midsize Companies Can Take to Protect Their Business:
1. Culture of Security
We can start off with considering that security is as much a culture as a destination. For the most part, the only secure system is one that isn’t plugged in. And even then you can hack the hard drives, I suppose. The challenge is to strike the right balance between security, convenience and cost. It’s about education and human behavior as much as it’s about technology. And consider that most security breaches come from within. Many of our contributors maintained the sentiment that you should worry more about internal threats and stupidity than anything external.
2. Risk Assessment
Quite simply, not all systems within a business are created equal. Not everything has to be protected the same way. Budgets are limited for midsize businesses, so take time to assess the value. Planning and risk assessment are an important aspect of the security equation. What are you trying to protect (sensitive data, at rest or in motion), and which critical business applications can you not do without for a period of time?
3. Zero to Secure
A common mistake is to try to go from zero to secure too quickly. Take the first steps first. Proceed with caution as each new security measure introduced into your enterprise must be weighed and integrated carefully and methodically.
4. To Cloud or Not to Cloud
Technology is not one-size-fits-all, and clouds are not a panacea. With variations that include hybrid, public and private, clouds add complexity to an enterprise. Understand that not everything has to be in the cloud. Moving to the cloud grants access to more sophisticated security (physical and digital), but your security scheme is only as strong as its weakest link.
If considering moving data and applications into the cloud, a risk assessment will allow you to understand where to focus your security controls and decide what is suitable for the cloud.
5. Keep the Keys to the Castle
Vet your cloud. Not all clouds are created equal. Make sure your cloud service provider’s policies and controls align with your requirements (as well as your budget). And remember that no matter how good your service provider may be, the final responsibility — and accountability — for your enterprise is still yours. Maintain your own documentation, security controls and, where possible, do not give the encryption key to your cloud provider.
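One concrete way to keep the encryption key out of the provider's hands is client-side envelope encryption: each object is encrypted under a fresh data key, and that data key is itself wrapped under a key-encryption key (KEK) that never leaves the customer. The provider stores only ciphertext plus the wrapped data key. The following Go program is an added illustration written for this summary, not code from the original discussion or any IBM product; it uses the standard library's AES-GCM and assumes a 32-byte KEK that the customer manages locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Object is everything that gets handed to the cloud provider: the ciphertext
// and the per-object data key, wrapped under the customer-held KEK.
// Nothing in it can be opened without the KEK.
type Object struct {
	WrappedDEK []byte // data key encrypted under the KEK
	Ciphertext []byte // nonce || AES-GCM(ciphertext, tag)
}

// sealAESGCM encrypts plaintext under key with a random nonce and returns
// nonce || ciphertext || tag so the caller only has to store one blob.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; the GCM tag check fails on a wrong key
// or on any tampering with the stored blob.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt generates a fresh 256-bit data key for this object, encrypts the
// payload with it, then wraps the data key under the customer's KEK.
// The KEK itself is never written into the returned Object.
func Encrypt(kek, plaintext []byte) (Object, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Object{}, err
	}
	ct, err := sealAESGCM(dek, plaintext)
	if err != nil {
		return Object{}, err
	}
	wrapped, err := sealAESGCM(kek, dek)
	if err != nil {
		return Object{}, err
	}
	return Object{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK and then opens the payload.
func Decrypt(kek []byte, obj Object) ([]byte, error) {
	dek, err := openAESGCM(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAESGCM(dek, obj.Ciphertext)
}

func main() {
	// Constructed sample: a customer KEK and a small payload.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, []byte("Q3 payroll export"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in cloud: %d-byte wrapped key, %d-byte ciphertext\n",
		len(obj.WrappedDEK), len(obj.Ciphertext))

	// The provider, holding only obj and not the KEK, cannot open it.
	if _, err := Decrypt(make([]byte, 32), obj); err != nil {
		fmt.Println("provider-side decrypt without KEK fails:", err)
	}
	pt, err := Decrypt(kek, obj)
	if err != nil {
		panic(err)
	}
	fmt.Println("customer-side decrypt:", string(pt))
}
```

The design choice worth noting is the two-layer structure: rotating or revoking the KEK means re-wrapping small data keys rather than re-encrypting every object, and a lost KEK makes the stored data unrecoverable, so key backup becomes part of the data recovery plan in step 8.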
6. Password Policies
This one deserves its own mention, both because it was mentioned so often and because it represents, in many respects, the first line of defense. Policies covering password complexity, identity management, two-factor authentication, and even how often passwords need to be changed play a strong role in overall enterprise security.
7. Monitoring, Monitoring, Monitoring
No security system is proof against all threats. The sooner you know about a problem the more quickly you can act to limit damage. ’nuff said.
8. Backup and Recovery
Wait, that’s data protection, not security, right? Wrong. Sometimes “break-in” scenarios may be targeting destruction rather than theft of data. Data recovery needs to be part of the security plan.
9. Endpoint Security
Anywhere your enterprise touches the outside world represents a threat. Whether it’s viruses, malware, malicious interlopers or simply script kiddies, be sure you cover the basics of endpoint protection. And don’t forget the perils of BYOD.
10. Don’t Just Trust It, Test It
Whether run as an internal process or executed by a third party, intrusion detection and penetration testing should be a staple in your security regimen. This should include both internal and cloud services. Many cloud service providers will supply reports of recent tests upon request. No security system is proof against all hackers. However, you should at least be sure what you’ve got stands up to professional scrutiny.
11. You’re Never Done
Security is a journey, not a destination.
Ok. My list goes to 11. Thank you Nigel Tufnel.
Thanks to all those who participated in this conversation. There were some really great comments and I couldn’t do justice to them all in a single summary post. Please be sure to read through the full discussion. Here they are (in order of participation): Geoffrey Colon, Howard M. Cohen, Amrita Chandra, Kelly Craft, Alan M Buckwalter, Darren Argyle, Marcio Saito, Phil Neray, Ryan Berg, Phil Simon, Robert Whetsell, John Jacob, Derek Brink, Aarti Comstock, Fred McClimans, Mark Underwood, Phil Hassey, Kenneth Hess, Akram Mohammad, Petar Lafchiev, Antonio David López Fuentes, Paul Williams, Leslie Reiser, Sanjeev Aggarwal, Stefan Ried, Wayne Spivak, Charlie Dankner, Philip Kibler, Vimalkumar A.V, Folkert Visser
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.