How do you know what you need

Security can be very overwhelming.  It’s a boom industry, and there are hundreds of products and businesses that span the physical and information security fields.  There is a lot to consider.  So how do you know what you need?  How can you be sure that what you select will be good enough, or the perfect solution?  To answer that quickly – you can’t.  You have to assume you are a target, and you have to assume that the information you hold is important to somebody, somewhere.  That’s a big leap, but it has to be the starting point.  To take it a step further, assume you have already been breached.

Now you can begin the real work of finding the solution that fits you.

  1. What is your current security posture?  Do you have security policies?  Are you already running anti-virus software?  Can you build upon that?  What other options are out there?
  2. What information do you have that other people would want?  Think about your proprietary information – what is it?  Who are your clients?  What do your contract proposals contain that distinguishes you from your competition?  You may be in a real niche market, making custom widgets that only two other companies in the world make.  In that case your contract data and client list are the critical information that needs an added layer of protection.
  3. What is the real and perceived threat to your business?  Take about 20-30 minutes and map out who your competitors are in the local area.  Expand outward accordingly.  How well-known are you?  What is your social media presence like?  And what are your competitors capable of?  It’s hard to think down this road, especially if you are singularly focused on your business, but in order to protect, you have to know what you should protect against.
  4. What programs do you need to scan for a breach?  This may depend on how big your network is and how connected you are to other platforms.  If you determine you have a lot of critical information that needs to be protected, then it’s best to identify the bad news up front.  Find a program that meets your budget but will also do the job.  You don’t want to look for ways to cut corners when it comes to identifying issues.  Another factor to consider here is
  5. Once the scan is complete, what can you do to maintain an alert posture?  The level will depend on the next couple of steps – what do you have that others want, and what is your competition like and what is it capable of?  Answers to these questions will help you find the right solution.
  6. Think physical security.  Everything so far has been focused on defending against the cyber or information security threat.  But what about the threat from social engineers?  Do you know what one is?  Do you know how they can penetrate your organization and pose threats to the information security posture you just spent a lot of money investing in?
  7. What is your policy?  If you don’t have one – start one.
  8. How are you training?  Security is not just implementing a technical solution and walking away.  An overwhelming number of security breaches happen as a result of human error.  Adopt a security education and awareness training program.  Train on your security policies.  Bring in outside experts – local law enforcement or security professionals.  Train on incident response.  An alert and aware employee will make your investment go a lot further.