At the outset of building a small yet successful business, entrepreneurs focus on what they naturally do best in order to maximise the business's potential. Some of the desirable traits are listed below (by no means an exhaustive list):
- Delivering unwavering optimism
- Being passionate
- Being professional
- Being a leader
- Providing flexibility
- Being an inspiration to others
- Being an effective communicator
- Being a ‘Jack of all trades’ – wearing many hats!
- Finding new customers
- Maintaining customer relations
- Time management
- Account management
- Financial management
- Hiring new staff
- Managing staff
I’m sure that these examples could easily be expanded to include other key skills or requirements. However, at the outset of a new start-up, few businesses ever consider the implications of ensuring that company-sensitive or customer-sensitive data is afforded adequate protection.
Such data is, in reality, the ‘life-blood’ of most modern business operations, flowing through just about every part of an organisation: invoicing, customer details, bank account details, company intellectual property, customer orders, employee personal files, company emails, customer payment card details, company credit card details, and so on. Each type of data has its own specific importance to the business.
Imagine trying to build a house, or a block of flats, without having drawn up plans beforehand and without project-managing the progress.
Anyone with a modicum of skill can obtain some sand, cement, water and a pile of bricks and have a go at building something that resembles a wall. However, without proper planning and project management this can lead to serious consequences and additional costs further down the line: pull it down and start again, or apply expensive underpinning to shore up the structure.
This is much the same for the Information Security (InfoSec) world within small business environments. As businesses grow, their reliance on ‘Big Data’ increases. Such growth and reliance bring with them their own increasing dangers and potential exposure, from both external (kinetic) and internal (non-kinetic) threat vectors.
The essential ‘life-blood’ of business flows through and interacts with various entities:
- Across internal networks,
- Across the ‘big, bad’ outside world (internet, email, fax, smart phones, wireless, Internet of Things, social media, etc.),
- Received as hardcopy material (letters, fax, invoices, etc.),
- Electronically (local storage, mobile devices, databases, spreadsheets, electronic files, external email, internal email, fax, servers, etc.).
These channels, from both the internal and external perspectives, are riddled with weaknesses unless effectively managed. For example:
- Technology is designed to be readily usable straight ‘out of the box’. This usability makes it inherently susceptible to exploitation from both the kinetic and non-kinetic aspects.
- Advances in technology increase functionality and capacity, but without controlled integration they can have adverse impacts and negate the potential benefits that the new technologies may bring.
For example, have you noticed how readily the younger generation accepts and embraces new technologies, compared with some of the more mature members of society, who may struggle with them?
- The Anterior Cingulate Cortex and the Ventral Striatum areas of the human brain naturally find comfort in receiving instruction (see figure 1). As a result, without formal policies, processes (instructions) or effective knowledge transfer on what is, and what is not, acceptable, the risk of an employee carrying out an undesirable action (either deliberate or accidental) is significantly increased.
For example, are your employees aware of the potential dangers of clicking on a link in a nefarious email, which can open up the internal network to exploitation (a phishing attack); of the need for good ‘housekeeping’ to avoid unnecessary duplication of sensitive data; of the potential impact of an incorrect transmission; or of the importance of carrying out regular secure back-ups of sensitive data assets?
All of the aforementioned problems and causes are ingrained in just about every business today, and effective InfoSec is crucial in ‘playing its part’ in aiding the safe and secure development of a rapidly expanding business or organisation.
How do we reduce such risks?
As happens in the construction industry:
- Align your processes with relevant industry-accepted standards, frameworks and regulations (ISO/IEC 27000 series, NIST Cyber Security Framework, NIST SP 800-53, COBIT, PCI DSS, etc.).
- Improve your own InfoSec awareness, or hire a seasoned professional to assist.
- Appoint or hire a suitably experienced Information Security specialist.
- Apply a suitable project-management-based methodology (Prepare & Plan, Identify & Isolate, Evaluate, Fix, Assess & Maintain).
- Create a team of ‘champions’ to work together as the business’s ‘eyes & ears’.
Taking this approach brings the following benefits:
- The 5 P’s (Prior Planning Prevents Poor Performance) are applied.
- It enables the KISS (Keep It Simple Solution) approach to data safety: where a needless activity can be avoided without impacting business operations, that option is identified and considered.
- It readily identifies the resources required (Vulnerability Scanning, Anti-Malware, Log Management, Penetration Testing, Training, etc.).
- It provides clear and defined SMART (Specific, Measurable, Actionable, Realistic & Timebound) objectives.
- Data assets requiring protection are identified.
- Scope is identified.
- Potential additional resources are easily identified.
- It reduces the impact on existing business operations.
- It improves efficiency.
- It reduces unexpected or unnecessary expenses.
- Most importantly, it provides the business with visibility and clarity on the InfoSec ‘State of the Nation’ and on any progress being made, thus reducing the potential for InfoSec becoming:
“The part of the business that is very expensive, is perceived as delivering little (if any) business benefits and is only visible when something goes wrong – at which point it costs the business more expense!”
To contact Nettitude's editor, please email firstname.lastname@example.org.