The Association for Computer Security Day has held Computer Security Day since 1998.
The particular “day” is not as important as the fact that small business owners need to make a concentrated effort to ensure their businesses are secure every day.
On one hand, security is something you should be personally responsible for by being vigilant about who you are communicating with and what you are telling them. On the other hand, implementing security policies and systems is something you should do with the assistance of a security professional.
On the occasion of Computer Security Day, Symantec offers three tips and insights to help you mitigate your security risks.
Create a Security Aware Culture
To be effective, SMBs should have an ongoing security awareness program in place that includes continuous training, communication, and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threat landscape. Equally important, an awareness program must influence behavior changes that deliver measurable benefits.
If budget permits, a comprehensive set of computer-based training, seminars and other live training experiences, as well as communication tools, can all be part of a security awareness training program.
To save time and be more efficient, SMBs can also find outside help from security experts in both the design and implementation of their training program.
For example, a recent IDC study showed that well-trained teams were twice as likely to properly protect their PCs from security threats and were 60 percent more likely to successfully complete backup jobs. With more than 40 percent of IT failures stemming from a lack of IT staff skill and training, the need for proper instruction is evident.
While the cause of IT failures can include technology and environmental compatibility issues, the root cause of IT failure frequently lies in process and skills issues.
According to a recent study conducted by Symantec and researchers at the University of Maryland and MIT, 53 percent of IT failures were linked to process issues involving asset management, testing, change control and patching. In addition, more than 40 percent of IT failures analyzed were tied to gaps in end-user expertise and product knowledge.
Regular or routine activities should have established processes that are known to all. Processes enable workers to treat all components the same way, reducing the effort and potential risk that would be entailed if each component were managed differently.
Even when processes are in place, SMBs struggle with getting employees to follow established procedures. Investments in proper education and training not only help SMBs significantly improve their knowledge and skill base, but also can prepare them to manage and mitigate IT risk.
Although there will never be a process for every situation, SMBs can eliminate the root cause of failures – and identify the cause of failures more easily – by establishing and following a standard set of protocols and equipping people with the knowledge to manage and adapt them properly.
Have a Remediation Strategy in Place
A solid security awareness and remediation strategy for business disruptions is becoming an increasing priority as IT-related incidents attract an ever greater share of the public’s attention.
Failing to provide an effective remediation strategy can leave the infrastructure exposed and the SMB vulnerable to further exploitation, attack, and loss of proprietary information. Ultimately, all of these translate into lost productivity due to downtime, increased costs to repair technology or to replace lost or stolen hardware (e.g. laptops), financial and legal liabilities, lost business, and possibly a decline in customer confidence.
When designing a remediation program, SMBs should keep IT risk management in mind and follow several best practices as outlined below:
Improve incident reporting and handling
Properly classify and protect intellectual property
Design and implement secure applications and infrastructures
Demonstrate the importance of proper backup procedures
Increase attention to system performance in IT systems design
Follow internal IT safeguards and business policy requirements in an effort to help meet compliance standards such as FISMA, HIPAA, Sarbanes-Oxley, COBIT, and ISO 17799:2000