Data security

According to Steve Groom, director
of Security Solutions at Technology
Integration Group, “The challenge with securing networks and data today
is that the security threat landscape has
evolved from relatively harmless worms
and viruses into a multibillion-dollar
organized crime trade for stealing data.”

With the rapid increase of these crime
rings and the malicious exploits that
develop daily, there is no silver bullet
for protecting data these days. Data
security really starts at the top of an
organization with executives and stakeholders
being 100 percent committed to
developing a security program. A good
security program must consist of people, process and technology working
together while constantly being tested
and measured to ensure its effectiveness to the organization.

Smart Business spoke to Groom about
the ways in which business owners can
get a handle on securing their networks.

What are some concerns for CEOs today?

Unlike worms and viruses that cause
pain but relatively limited damage,
today’s exploits are stealthy and they
are designed to infiltrate your network
without you being alerted. If you take a
look at some of the recent security incidents, most of the time the attackers
have been working inside the network
for periods of time — six months to a
year — collecting credit card information and other intellectual property. No
one has been alerted that this has happened, and the biggest concern is that
there’s no perceived pain or warning
until it’s too late.

Where does data security begin?

Data security begins with a security
program that defines a data classification policy. Data classification is not a
new practice; it has been used by our
government and others for many years.
However, classifying data and ensuring
that it is stored in the appropriate storage container with the appropriate security and access control policies can be
difficult to implement and maintain. It is
a necessary process, and today you
must protect your data against not only
outside threats but internal threats as
well. Making sure that your employees
only have access to data that they need
to have is critical. Internal theft of data
that happens every day is obviously the
most difficult attack vector to mitigate.
Access control must be enforced and
monitored on a regular basis to be
effective.

How do business owners assess what protections they need?

What’s most important for executives
to understand is that in order for their
security program to get better it needs to
be measured on a regular basis. Good
metrics help executives make decisions
based on facts instead of pain. Security
posture is measured through security
assessments and ethical hacking activities that TIG and other companies can
provide. These assessments provide you
with a snapshot in time of what your security posture looks like today and
also show what would happen if your
company were under a deliberate attack.
Assessments are critical to understanding what needs to be fixed and pinpointing where to spend valuable time, money
and resources.

What about security products?

There are many security countermeasures on the market today that will help
you protect your data. We have had
great success with many solutions that
have been developed specifically for
monitoring the data as it moves to and
from an organization. These technologies help prevent the unintentional or
possibly intentional data breach. Disk
encryption for laptops and mobile
devices is strongly recommended
because of how easy it is for them to be
lost or stolen. At the very least you must
patch all of your systems and third-party
software programs and constantly train
your people to be vigilant toward security. These two factors provide low-hanging fruit to an attacker and represent the
most common attack vectors.

Who within a company should be involved?

What we’ve seen to be very successful
is for organizations to pull together a
security board. This board consists of
key executives, business unit owners,
internal auditors and IT leaders. This
forum is used to discuss and evaluate
overall security posture, review metrics
and set new policies and procedures. It
is of utmost importance to design and
implement a security awareness program for all employees. Unfortunately,
you are only as good as your weakest
link, which in most cases involves
human error of some sort.

STEVE GROOM is the director of Security Solutions at Technology Integration Group. Reach him at (760) 497-7471 or
[email protected].