As we know from the countless surveys that flood the industry, the good news is that an increasing number of companies are adopting a professional approach to information security; the bad news is that there are still many, many organisations that have yet to put their house in order.
From my experience, many of these are small to mid-size businesses that believe they lack the management bandwidth to deal with IT security right now (sure – technology is only mission critical when it stops working) or think it will prove hugely costly to tackle. So, instead of safeguarding their livelihoods, these businesses procrastinate and, as with anything we put off, the challenge becomes perceived as bigger than it is.
Knowledge is the weapon to kill inertia and the place to start is the 14 Infosec Basics. These apply to organisations of any size and ownership, although larger organisations will want to go beyond these in layering on additional measures. However, for SMEs and SMBs this is what you need to know – basic, but nonetheless vital:
1. Have a policy: make it real, practical and true to your business strategy.
2. Insist on accountability and responsibility: a basic rule of good management.
3. Identify asset ownership and classification: a comprehensive study of what needs protecting.
4. Address information security in all contracts, including employment and third party: let people know where they stand and ensure they can’t shirk responsibility for their actions.
5. Provide for the physical security of information systems: it seems so obvious until items go missing or get damaged.
6. Have up-to-date anti-malware software: naturally.
7. Implement and enforce user access controls: as I’ve blogged elsewhere, keep the tightest rein on this or risk the consequences.
8. Implement and enforce system access controls: you wouldn’t give a 10 year-old the keys to your car, so why would you put your IT system in the hands of someone unqualified?
9. Manage vulnerabilities: look for the chinks in your armour and patch them.
10. Have an incident response process: quick and clear communication stops dramas from becoming crises.
11. Have basic continuity and disaster recovery plans: how will you keep your customers happy if the roof falls in?
12. Monitor compliance: policies are great, provided that they are being followed.
13. Document essential policies, processes and procedures: share the critical information that people need to know.
14. Ensure that users are trained and aware of their responsibilities: give people the skills and knowledge to act responsibly.
Many organisations will have a few in place, but that’s not enough. You need the full 14 to ensure that you are making a professional response to security threats. But when you think about the consequence of failing to act, it’s not so hard now, is it?