When it comes to IT security, the old axiom “an ounce of prevention is worth a pound of cure” could not ring more true. The IT industry is still reeling from the rash of security attacks that occurred over the past six months. The loss in revenues as a result of downtime has forced many Canadian organizations to take a hard look at the security measures they should have in place in order to ensure they have a safe computing environment.
One of the few industries to rival the growth of computing technology is the group that uses that technology with malicious or criminal intent. Criminal justice experts say cyber crime is growing faster than conventional crime. A central priority for many businesses is maximizing the security capabilities of all their software across all lines of business. This priority goes above and beyond effective updates.
Customers have told us that they want security tools, features, and settings to be easier to implement and easier to use, and that they want security to be intrinsic to the software. Partners are continually working to simplify security and drive the intelligence of security protections deeper into our customers’ software to reduce the demands on users and IT administrators.
Bringing in a third-party company to review the security of your network ensures that nothing has been overlooked. Such a company would not be there to replace your IT staff, so it can objectively review and heighten your current security state. This is no different than hiring a third-party accounting firm to audit financial staff.
Security needs to be a key element that companies consider upfront to protect their IT investment. The most important part of deployment is planning. Security planning involves developing security policies and implementing controls to prevent computer risks from becoming reality.
Many organizations ask, “Where do we start?”
There are five questions you can ask your IT team to gain a very high-level understanding of security, or at least to start thinking about it.
- Protect. Does your IT infrastructure protect your information?
- Detect. When unauthorized access is attempted, does your IT infrastructure report it?
- Defend. What do you do once unauthorized activity is detected?
- Recover. What do you do if your security fails and you need to perform forensics or restore servers and information? How can you track the range of the security breach?
- Manage. Management is the key to security. It is not about the products but about the processes and people that manage and deploy the technology. How do you manage your protect, detect, defend and recover processes?
Risk assessment is a very important part of computer security planning. No plan of action can be put into place before a risk assessment has been performed. The risk assessment provides a baseline for implementing security plans to protect assets against various threats.
Risk management provides organizations with a consistent, clear path to organize and prioritize limited resources to manage risk to the business. The benefits are realized by developing a cost-effective control environment that drives down risk to an acceptable level.
Investing in a risk management process, with a solid framework and defined roles and responsibilities, prepares an organization to articulate priorities, plan to mitigate threats, and address the next risk or vulnerability to the business. To better manage security risks, a traditional risk management approach consists of a four-phase process:
- Assess risk. Execute a risk assessment methodology to evaluate risk.
- Define policy. Develop security policy to mitigate risk.
- Implement controls. Organize people, processes, and technology designed to mitigate risk, as justified by a cost/benefit analysis.
- Audit and measure. Monitor, audit, measure, and control environments for effectiveness.
Technology partners work with their customers to ensure they take the necessary security steps by developing security policies and procedures to reduce the risk of a security attack before it happens. Partners provide customers with expertise beyond patch management and firewalls to ensure there is no downtime or lost revenue during virus or worm attacks. A third party can assist with your security design specifications and help determine which security issues you should address.
It’s very common for people to ignore computer security, usually because they think it will take too much time or be too difficult. The fact is, securing your computer now and keeping your system up to date will save you enormous amounts of time, money and stress by preventing problems in the first place.
The vast majority of computer users don’t have the time or inclination to learn the deep inner workings of their chosen operating system. Keeping up with the latest security problems is a full-time job and is complicated by the fact that most security advisories are very technical, a daunting prospect for someone who just needs to get some work done.
Virtually every organization that uses computers has information it wants to protect. Public companies, financial institutions, and healthcare organizations are under particular regulatory pressure to harden their systems against attack. These days security is a vital part of operations, not a luxury. Computer security is not something that anyone can accomplish alone. It depends on minimizing risk and being as secure as possible from the very bottom to the very top.