Security Strategies for the Mid-Market

27/10/2011


Whether it is careless mistakes, fraud, viruses, worms, hackers, phishers or social engineers, organizations are threatened from all sides.

We live in a world of increasingly complex markets, regulations and interconnected IT-enabled communications, where high-quality, timely information is the lifeblood of an organization. Without it, we cannot make good business and managerial decisions. From regulatory compliance (SOX, PCI-DSS, HIPAA, privacy) to emerging technologies (cloud computing, social networking, BYOD) to an increasingly sophisticated crime ecosystem (cyber criminals, organized crime, internal fraud), information security is a difficult issue to ignore. It does not, however, need to be complicated to address. When security risks, controls and corporate objectives are aligned, protection of information assets can drive real value to your organization.

Prioritize your efforts

Plan your security strategy and align it to your business objectives and risk management requirements. While security can be costly, there is no doubt that insecurity can be even more so. Damage can be in the form of direct financial impact such as lost productivity, lost revenues and litigation, or something more difficult to quantify such as brand and reputation in the marketplace. Manage your risk/cost exposure by ensuring that your security controls are appropriately aligned to your security risk appetite.

1. Risk Assessment

Threats have significantly evolved over the years – so should your strategy to manage them!

Know what you want to protect.

  • What are the most valuable data and applications to your organization?
  • Where do they reside?
  • What will be the impact of data loss or system downtime caused by an attack?

When gathering data ensure participation from senior stakeholders who understand the value and know what data and applications require protection.

  • Determine at a high level, the potential threats/vulnerabilities that may be exploited.
  • Identify the controls.

Prioritize and rank the risks.

Socialize the initiative, build awareness and ensure everyone understands the importance of information security.

2. Vulnerability Assessment

Perform a vulnerability assessment to determine where you are susceptible to security breaches. This involves identifying which operating systems, services and other software are running on each system, how they are configured, and whether each has the latest security updates applied.

Consider tools that automate the process of scanning systems for operating system and security updates and identifying remediation activities.

3. Prioritizing your efforts

Organizations in the mid-market have the same security objectives and requirements as larger, more complex counterparts; the difference is that they typically have fewer resources at their disposal.

Map the results of the vulnerability assessment against your risk assessment to identify systems that process high-value data and applications that are also at high risk of a security breach. Focus your efforts and address any weaknesses in these systems first, leaving the low value, low-risk systems for last.
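The mapping described above can be made mechanical. The following is an added example written for this page, not code from the original article or from MNP: it joins a constructed asset register (business impact per system, from the risk assessment) with constructed vulnerability-scan findings, ranks systems by impact times exposure, and separately flags the two coverage gaps such a join always exposes, namely registered systems the scan never reached and scanned hosts that nobody has claimed. The 1-to-5 scales, the exposure-scoring rule and every hostname are assumptions made for illustration.

```python
"""
Rank remediation work by mapping vulnerability-scan findings onto the
asset register produced by the risk assessment.

Added example for this article, not MNP's code or any tool it names.
The 1-5 scales, the scoring rule, the hostnames and both data sets are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Business impact of data loss or downtime, from the risk assessment
# (1 = negligible, 5 = severe). Constructed sample data.
ASSET_REGISTER = {
    "erp-db01":   {"owner": "finance", "data": "financial records (SOX)",     "impact": 5},
    "pos-gw02":   {"owner": "retail",  "data": "cardholder data (PCI-DSS)",   "impact": 5},
    "hr-web01":   {"owner": "hr",      "data": "employee PII",                "impact": 4},
    "intranet01": {"owner": "it",      "data": "internal announcements",      "impact": 2},
    "print01":    {"owner": "it",      "data": "print queue",                 "impact": 1},
}

# Findings from the vulnerability assessment: missing updates, the worst
# missing-update severity (1-5) and whether the host faces the internet.
# Constructed sample data.
SCAN_FINDINGS = [
    {"host": "pos-gw02",   "missing_updates": 7,  "internet_facing": True,  "worst_severity": 5},
    {"host": "erp-db01",   "missing_updates": 2,  "internet_facing": False, "worst_severity": 4},
    {"host": "intranet01", "missing_updates": 12, "internet_facing": False, "worst_severity": 5},
    {"host": "print01",    "missing_updates": 15, "internet_facing": False, "worst_severity": 3},
    {"host": "legacy-ftp", "missing_updates": 30, "internet_facing": True,  "worst_severity": 5},
]


@dataclass
class RankedItem:
    host: str
    impact: int      # business impact from the risk assessment (1-5)
    exposure: int    # technical exposure derived from the scan (1-5)
    score: int       # impact * exposure; higher means fix sooner
    reason: str


@dataclass
class Prioritization:
    ranked: List[RankedItem] = field(default_factory=list)
    unscanned: List[str] = field(default_factory=list)     # in register, no scan result
    unregistered: List[str] = field(default_factory=list)  # scanned, but owner/value unknown


def exposure_score(finding: dict) -> int:
    """Exposure on a 1-5 scale: worst missing-update severity, raised one
    step for internet-facing hosts and capped at 5. Assumed scoring rule."""
    score = finding["worst_severity"] + (1 if finding["internet_facing"] else 0)
    return max(1, min(5, score))


def prioritize(register: Dict[str, dict], findings: List[dict]) -> Prioritization:
    """Join register and scan results; rank what can be ranked, flag the rest."""
    result = Prioritization()
    scanned = {f["host"]: f for f in findings}

    for host, asset in register.items():
        finding = scanned.get(host)
        if finding is None:
            # High-value system with no scan data: exposure is unknown, not zero.
            result.unscanned.append(host)
            continue
        exposure = exposure_score(finding)
        reason = f'{asset["data"]}; {finding["missing_updates"]} missing updates'
        if finding["internet_facing"]:
            reason += ", internet-facing"
        result.ranked.append(RankedItem(host, asset["impact"], exposure,
                                        asset["impact"] * exposure, reason))

    # Hosts the scanner found that the business never registered: value unknown.
    result.unregistered = sorted(h for h in scanned if h not in register)
    # Highest impact-times-exposure first; ties go to the higher business impact.
    result.ranked.sort(key=lambda r: (r.score, r.impact), reverse=True)
    return result


if __name__ == "__main__":
    plan = prioritize(ASSET_REGISTER, SCAN_FINDINGS)
    print("Remediation order:")
    for i, item in enumerate(plan.ranked, 1):
        print(f"  {i}. {item.host:<11} impact={item.impact} exposure={item.exposure} "
              f"score={item.score:<2} ({item.reason})")
    print("Inventory gaps to close before the next cycle:")
    print("  registered but never scanned:", plan.unscanned or "none")
    print("  scanned but not in the asset register:", plan.unregistered or "none")
```

Note what the join does with the constructed data: intranet01 has six times as many missing updates as erp-db01 and a more severe one, yet it ranks below it, because the scan alone cannot see that one host holds SOX-scope financial records and the other holds announcements. The two gap lists are the other half of the exercise: hr-web01 carries employee PII but was never scanned, and legacy-ftp is internet-facing with thirty missing updates but has no owner or value recorded, so neither can be ranked until the inventory is fixed.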

4. “Defense in Depth” and Layered Security

Choices, choices, choices. Analyze the risks and determine the most cost-effective way to address them. A robust defense in depth and layered security strategy helps ensure that if one control is compromised, compensating controls still protect your valuable information.

A “defense in depth” strategy takes a holistic approach to security and addresses policy and operations planning, user training, physical access security measures, and technical security measures to protect your information. Similarly, a layered approach to security combines multiple mitigating security controls to protect your information and systems. Establish a cost-effective information security foundation for your organization from network, to desktop, to data security. For example, controls at the perimeter reduce what reaches your network; additional controls within the network protect you from attackers who do breach the perimeter and, more specifically, from the insider threat, whom the perimeter never sees.

Consider minimum control standards:

Develop information security policies and formalize key processes.

  • Document tailored security policies to address your security strategy.
  • Formalize essential security processes such as user access management, privileged access, password standards, physical security and patch management. As your network changes, so does your security exposure. Periodic vulnerability scans will help identify systems that have fallen out of compliance. Consider engaging an independent consultant for the scans; an outside party is likely to find holes that your own staff have learned to overlook.
  • Enforce compliance.

Leverage technology.

  • Use anti-malware, anti-virus, and anti-spam solutions.
  • Protect your network with perimeter and host based firewalls.
  • Secure wireless networks and use VPNs for secure remote access.
  • Encrypt critical data, especially on mobile devices.

Educate your users and implement security awareness initiatives.

  • Do not underestimate the power of an effective security awareness program. While technical security controls are an essential component of information security, they reach a point of diminishing returns.
  • People are the weakest link. Security policies, no matter how carefully written, are ineffective if employees do not understand their obligations and actively comply. Educate your users on what kinds of documents are considered sensitive and how to treat them, clearly outlining what activities are allowed and what are not.
  • Integrate security training into new employee orientation, and establish ongoing reminders about security best practices together with a regular training schedule.
  • Security training should specifically address social engineering attacks, including examples of common attacks so that users can recognize them. Even the most stringent security often cannot withstand an effective social engineering attack, such as when an attacker dupes an authorized employee into divulging sensitive information or their password. Often these attackers pose as IT personnel performing upgrades or troubleshooting a problem.

5. Security audit and ongoing monitoring

Ongoing security is a process rather than an event. Technologies and processes change; staff turn over. After completing your initial security baseline, build on it with an ongoing process of continuous improvement, and validate your security posture regularly rather than once.

Final Words

By defining a security program that focuses on what you want to protect and prioritizes your efforts by impact and exposure, and by implementing some basic processes, technology and, most important of all, a security awareness program, you can put cost-effective controls in place to protect your information assets and drive value to your organization.


This article has been prepared for informational purposes only and is not intended for any other purpose. We do not assume any responsibility or liability for losses occasioned by you in reliance on this information. We would be pleased to discuss with you the issues raised within the context of your particular circumstances. Please contact Trac Bo, CA, CISA, CGEIT, Technology Risk Leader, or your local MNP Public Companies advisor.