IT security breaches are a major threat to business, yet too few companies take precautions to prevent them from happening, considering security to be an unnecessary cost. Anyone wired to the Internet is vulnerable to attack involving Web site defacement, e-mail viruses, Trojan horses, worms and hackers. According to the DTI's Information Security Breaches Survey (2004), the average cost of a serious security breach is $100,000, rising to $490,000 in larger organizations.
What Do I Need?
A firewall is the most basic kind of security. Many manufacturers provide simple plug-and-play tools for small businesses; these can be added to your system cheaply and easily. However, businesses might want to provide remote access to employees or to protect their network from threats that require additional time and resources to maintain their security level. This can prove expensive and time-consuming for small and large businesses alike.
Increasingly popular amongst businesses are managed security solutions. Here, a company provides a complete package, covered by a service-level agreement (SLA). This SLA sets out the responsibilities of the managed security provider: giving advice and assistance and guaranteeing levels of reliability.
The typical benefits are:
- Security is managed by a specialist provider, leaving your IT team to concentrate on other priorities
- Firewalls and other security devices are monitored around the clock
- Security updates are performed in a timely manner
- Any unusual activity or attempted site intrusion is quickly identified
- You and your IT staff can sleep at night, knowing that your system is secure
A firewall is simply one layer, like the fence around a property. Managing, patrolling and repairing the fence to protect against ever-evolving enemies is better achieved by a supported or managed service.
Seven Steps to Security
When defining a security policy, you need to know what you will be protecting. If you think of your business systems, applications and data as assets, you must understand which elements are most important to you and the effect on your business if they become temporarily unavailable or are destroyed.
1. Assess your business assets
You need to know what your assets are in order to establish what you will be protecting. It is also important to think beyond the physical: assets could include employees, business systems, data, equipment, licenses etc.
2. Identify the risks
You need to identify where risks exist and the types of risk against which you are protecting assets. This will enable you to evaluate investment against risk.
3. Policy design
You should now be in a position to design a policy that protects the identified assets and mitigates the identified risks. Policy should also extend to internal development. If you are developing internal systems, security should be an integral part of the design, not an afterthought.
4. Educate users
Educate your staff about the risks and the security processes in place. Your policy must have all employees' buy-in.
5. Technical implementation
This stage involves the implementation of the technical solutions identified in the design stage. This would normally consist of a firewall appliance and intrusion detection, spyware prevention and content filtering, as well as e-mail protection such as anti-virus and spam scanning.
6. Monitoring and reporting
Any breaches or attempts to breach your security should be monitored to ensure the effectiveness of the systems. Consider how you would report on these events and how you would feed this information back into your security policy to ensure continual development.
7. Management
Allocate responsibilities: in a disaster recovery scenario, everyone should know who is responsible for what. Implement a 'change-control process': a step-by-step process to ensure that changes are implemented correctly and securely. Get management buy-in: there should be awareness within any management structure of the high importance and priority of security.