What Management Should Know about IT security

Threat actors are motivated by many things and attack in a myriad of ways.  Some are purely motivated by financial gain, (Crypto viruses, Spear Phishing) others are seeking revenge or are motivated by an ideology.  Attack vectors are literally everywhere and are expanded every time someone connects to your network.  From infected USB drives to disgruntled employees and everything in between.  Once the bad guys are in most self managed small business networks are incapable of any defense.  On average the time between compromise and detection is over 5 months for small businesses.  In this time I can guarantee you that all of your confidential data has been stolen and your online banking credentials are most likely copied as well.  State reporting requirements alone for this type of loss can often cost into the tens of thousands of dollars and most business insurance policies do not specifically cover this type of loss.

Written policies when combined with training and testing have been shown to reduce the probability of an attack.  When combined with hardware and software that compliments the policy the beginning of a layered defense start to take shape.  Employees become empowered with the understanding they are responsible for security.  This makes them more diligent in their duties and more mindful of types of attacks.  When this mindset is fully established it is much more difficult to attack the weak points.  (humans)

No matter the motivation just having Anti-Virus is not enough.  A truly layered and integrated Threat Management System combines Policy, Employee training, Firewalls, Log analysis, Active Threat monitoring, Automated Response and Alerting.  Implementing a system like this is not a job for amateurs or the faint of heart.  Don’t let the bad guys get you or your data fight back and win.  ACT don’t react and partner with the company that “Does I.T. Right”.

Key Takeaways:

1. Every organization should create security standards agreed upon by management and communicated to all employees
2. Employees should be trained and tested on these policies at least yearly
3. Security policy should be a contributing factor when hardware and software are upgraded
4. A layered security model is the best approach