What Should Be Secured?

Recently at an IT security conference in Chicago and the keynote speaker”s address reminded me that IT people and business owners often have different views on what are your company”s assets and what constitutes adequate security. Dave Stelzl, author of The House & the Cloud, simplified the security model for business by comparing a business”s security to a home. We “Protect” our home with doors, windows, locks, and fences. However, we all know that these security measures do little to stop a determined or skilled burglar. The next ingredient is the ability to “Detect” a security breach. In a home we put in alarm systems, motion detectors, subscribe to monitoring services and support neighborhood crime watch groups. Finally, the most important provision of the security model is the “Response.” We have a dog that will bite the thief, some people will have a gun ready for intruders, others rely on the police to respond and others purchase insurance to replace lost items and repair any damage.

Using the house as your business scenario you must ask three questions.

1. What are you trying to protect?
2. What nbso are the relevant threats you face?
3. How comfortable are you with your organizations ability to detect and to respond to a security situation?

Your IT Department may do a great job of “Protecting” the physical assets of your company and your network. However, threats today are more likely to target the real assets of your business, the identity information you have collected on your employees, customers, and clients, intellectual assets you may possess, or links to outside assets – bank accounts or credit card information. NBC recently ran a news series and showed that a single online casino personal identity with credit card information could be sold via the internet for $5. TJ Maxx, the retailer, reported a breach of over 40 million credit card accounts. Multiply that number by $5 and do the math. Identity theft is big business.
Who or what is at risk when your company is exposed to an identity theft? The business itself, its owners, and principals are all at risk. Even if the depth of the TJ Maxx exposure is not as great as reported, can your company survive the bad press generated, even if a retraction follows?

No one can guarantee 100% security. A firewall alone is no longer adequate protection. Unified Threat Management Devices (UTM) are now common and should be the basis for security protection. Written company policies regarding the internet, email, and the use of company information should be implemented and reinforced to every employee. Threats are not just external. Disgruntled employees and other internal attacks still account for a majority of the IT security incidents.

So when you take a close look at your company and its valuable assets ask the three questions above and see if you can live with your answers