Slouching? Measure Your Security Posture
BY Lora Shinn
There is an optimal "security posture" for a business -- the approach your business takes to security, from planning to implementation, from hardware to network security and more. Is your business slacking off on security?
Security posture isn't just posturing. In fact, this bearing may be the most important aspect of your business' approach to security.
What is security posture? It's your overall security plan, which protects from internal and external threats, says Jon Clay of Trend Micro, a content security service provider in Cupertino, Calif.
Evidence of security posture can be found in the way you deal with customer receipts, control employee social security numbers, or how often you update the anti-virus software. In other words, security posture consists of technical and non-technical policies, procedures and controls.
Security posture is what results from "the strategy you take toward managing your risks," says Mike Murray, director of Neohapsis Labs, a security-focused consulting firm in Chicago, Ill. And ignorance can cost. A stolen credit card number -- whether resulting from a dumpster-diver's dig through your garbage can or a hacker's mischief -- can result in a large fine from the issuing company.
A three-step approach to security
It's a balancing act for small businesses. "They have to determine how much risk they are willing to accept," Clay says, "to determine what level of security they implement." Analyze compliance requirements and business partners' mandates. "This will allow them to build out a security posture that minimizes risk while still allowing them to run their business efficiently and profitably," Clay says.
Murray suggests a three-step approach to security posture assessment and resolution:
1. Determine all the data your competitors, thieves, and other no-gooders want to steal from the business, or from partner businesses. These could include credit card numbers, social security numbers, corporate assets, or even your business strategies for the next six months.
2. Figure out how thieves might acquire the data. Murray says that this step may require a consultant or an in-house expert in risk management. A high-quality assessment will provide details on slack approaches to data, whether in the IT or physical world. "We aptly call it information security," Murray says, not just technology security.
3. Install controls to prevent theft, at a "palatable" cost, Murray says. Your response may depend upon variables such as your business' financial situation and the actual likelihood of compromised data.
Few businesses are too small
Trent Dyrsmid, CEO of IT service provider Dyrand Systems, Inc., based in Vancouver, B.C., says he often hears businesses claim, "My company's too small. No one will hack us. We don't have anything." However, "anybody is fair game," says Dyrsmid, and he points out that many threats can come from within, "like disgruntled employees marching out the door with company data on USB stick or CD."
Small businesses aren't immune to simple errors or carelessness, either. "Employees need to know how they should handle sensitive data, as they may not know they could be compromising security," Clay says. Proactive policy can prevent customer addresses from falling into the wrong hands.
Assessing security posture is one milestone on a company's path to maturity and healthy growth. Executing change is the next step, and repeating the assessment six months later is the one after that. So straighten up and look around -- your business' posture may be telling you something.