Make no mistake, Information Security is BIG business. Global spending in 2012 rose to around $60 billion with estimates rising to $86 billion by 2016.[1] While security spending certainly can strain any budget, even at large corporations, how are small and mid-sized companies supposed to cope with such escalating costs? What are some of the drivers to the escalating costs?
• We are accumulating increasingly larger amounts of data stored in some type of electronic format. While paper based data still exists, more and more, we are choosing to store our important data in electronic format. We store our family photos digitally, receive our bank statements and other invoices electronically via email, and do our banking online. Current global storage capacity is now measured in exabytes with each exabyte being equal to a billion gigabytes.
• Organized crime has discovered huge profits in cyber espionage and identity theft. Identity theft is easy and if I have your name, date of birth, and social security number, then I am you for all practical purposes. How many of us have our name and birthday on social media sites such as Facebook? A cybercriminal can easily have two of the three and only needs to find the missing piece.
• Government regulation has contributed extensively to increases in security spending. Healthcare and financial services, although already highly regulated industries, are not the only businesses subject to a myriad of State and Federal laws. Essentially any business which keeps a customer database is required to take steps to safeguard the personally identifiable information (PII) which it keeps on its customers.
There are other drivers, although the aforementioned are the primary contributors. So what is the entrepreneur, or small business person, to do? There is certainly a long line of companies in the security space more than willing to sell yet another solution.
Protecting the data (actually an information asset) should be the primary focus. In years past, efforts were focused on protecting the perimeter; however, in today’s world the perimeter is really wherever the data exists. Complexity, connectivity, and the cloud are all relevant threats to the data. The “Internet of Things” will only grow larger and more complex.
Even in the smallest of businesses, complexity can be a significant threat. Unless we can identify precisely what is in our environment, where the data resides, where it is processed, and where it transits, we cannot protect it. The shift to cloud-based services and mobile connectivity also compounds the threats.
Take for example a real-life scenario I observed in a dental office recently. Dentists, doctors, and many other healthcare providers have digitized their practices. This means that X-rays, patient records, digital photos, and other information are stored electronically. In the dental office I visited, all of the workstations in the office had access to the Internet. This included the office manager, front desk, and computers in each of the treatment rooms. While the office had a policy prohibiting the use of the computers for personal use (I asked), all staff were found to be checking email, shopping, and logging on to Facebook. All it takes is one piece of malware to be introduced by an employee clicking on a link in an email, or some other seemingly benign action, and the entire set of patient records could be compromised and disclosed.
Information security does not have to be complex or technical. In fact, it is not a technical discussion at all. Rather, it is a business discussion which boils down to risk-management common sense. Technology is just one of the tools involved in a layered defense.
Take for example your home or office, and wind the clock back to the years before we had PCs and mobile devices. How would you have protected your assets back then? The first step would have been to determine what those assets were.
If we were running a small business with a single office, we may have had petty cash on hand for minor expenses. We also would have a checkbook, as well as a general ledger for keeping our accounting records. Of course, if we had employees, we would have payroll records and personnel files with information on our employees. Depending on our line of business, we may have had secret recipes, processes, copyrights, and other intellectual property. We certainly would have had a customer list. How would we have protected all of this back in the days before our always connected world?
Once we have identified our assets, we need to decide how to protect them. We might first protect the perimeter of our office by making sure windows and doors are locked. Depending on our location, we may even have a security guard or a security fence around our premises. What about the inside of our office? We may have a lockbox to keep our petty cash secure. Or, we might have an office safe where we keep our cash and checkbook. Customer records might be locked in a lockable file cabinet along with other sensitive and confidential files.
Locking up all of our valuables might not be enough. What if someone broke into our office? How would we detect the intrusion and how quickly and effectively could we respond? Perhaps we might have installed a burglar alarm, or hired a night watchman to go by the premises during the night. Maybe we had a more sophisticated alarm with motion detectors in each room so that we could detect which area the intruder was in. Perhaps the alarm was connected to a phone line and triggered an alarm at a monitoring company who in turn called us and called the police or fire department.
What about some of our internal controls and policies? Do we know who has the combination to the office safe? How often do we change the combination or locks to the file cabinets? Who is authorized to write a check? Do we have our accounts audited to ensure that our bookkeeper is not falsifying the books? What are some of the other relevant threats to our assets? Theft? Fire? Flood? Dishonest employees?
Information Security is really no different from the steps we took years ago before the digital age. Before we can decide how to protect our assets, we must first identify our assets, where they exist, and how they are used. We then can decide the relevant threats to those assets and from there, we can select and put in place mitigation solutions which enhance our ability to detect and respond to those risks.
Information security does not need to be complex for the small business. In fact, the more it becomes aligned with the core requirements of any business or organization, the more effective the efforts become. Information security spending should not even be viewed as an expense; it is an investment and, like all investments, should show demonstrable ROI and contributions to the bottom line in the form of reduced risk and operational efficiencies.
It starts with knowing what we need to protect and why. Without answering these prerequisite questions, there is an entire industry out there more than willing to sell “solutions” to every conceivable risk, regardless of how relevant the risk is to your business.
Do you know what you are trying to protect?
[1] Global security spending to hit $86B in 2016. (2012, September 14). Retrieved from http://www.infosecurity-magazine.com/view/28219/global-security-spending-to-hit-86b-in-2016/