The most crucial security mistake that SMBs make is failing to perform information security assessments. This may seem like a basic concept; however, it's often overlooked. Good policies and procedures can't be designed without an information security assessment, because the assessment is what allows you to work through the process of determining what is important to the organization. Assessments can be performed in one of two ways:
- Quantitative: This method places dollar values on the organization's critical systems and information.
- Qualitative: This method uses non-dollar values. Confidentiality, integrity and availability are one set of attributes that can be used.
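The following is an added example, not part of the original article, showing how the two assessment styles rank the same set of assets. The quantitative side uses the standard annualized loss expectancy method (ALE = single loss expectancy × annual rate of occurrence), which the article does not spell out and is assumed here; the qualitative side scores confidentiality, integrity and availability on a 1 to 3 scale. The asset names and figures are constructed for illustration.

```python
"""Asset ranking with a quantitative and a qualitative assessment.

Added example (not from the article). Assumptions:
  - quantitative method: ALE = SLE x ARO, where SLE = asset value x exposure factor
  - qualitative method: C, I, A each scored 1..3 and summed
  - all assets, dollar values and rates below are constructed sample data
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    asset_value: float      # replacement or revenue value in dollars (constructed)
    exposure_factor: float  # fraction of value lost in one incident, 0.0..1.0
    aro: float              # annualized rate of occurrence (incidents per year)
    cia: tuple              # (confidentiality, integrity, availability), each 1..3

    def __post_init__(self):
        # Reject values outside the scales the two methods define.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be within 0..1")
        if len(self.cia) != 3 or any(v not in (1, 2, 3) for v in self.cia):
            raise ValueError(f"{self.name}: CIA scores must be three values in 1..3")


def sle(asset: Asset) -> float:
    """Single loss expectancy: dollars lost in one incident."""
    return asset.asset_value * asset.exposure_factor


def ale(asset: Asset) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    return sle(asset) * asset.aro


def qualitative_score(asset: Asset) -> int:
    """Summed C/I/A rating; higher means the asset matters more."""
    return sum(asset.cia)


def rank_quantitative(assets):
    """Most important first, by expected annual dollar loss."""
    return sorted(assets, key=ale, reverse=True)


def rank_qualitative(assets):
    """Most important first, by summed CIA rating."""
    return sorted(assets, key=qualitative_score, reverse=True)


def control_benefit(asset: Asset, annual_control_cost: float, aro_after: float) -> float:
    """Net yearly benefit of a control that reduces ARO to aro_after.

    Positive means the control pays for itself, which is the argument for
    spending on security up front rather than after an incident.
    """
    reduced = Asset(asset.name, asset.asset_value, asset.exposure_factor,
                    aro_after, asset.cia)
    return ale(asset) - ale(reduced) - annual_control_cost


# Constructed sample inventory for a small business.
SAMPLE_ASSETS = [
    Asset("customer card database", 500_000, 0.8, 0.1, (3, 3, 2)),
    Asset("public web site",         50_000, 0.5, 1.0, (1, 2, 3)),
    Asset("file server",            120_000, 0.3, 0.5, (2, 3, 2)),
]

if __name__ == "__main__":
    print("Quantitative ranking (ALE per year):")
    for a in rank_quantitative(SAMPLE_ASSETS):
        print(f"  {a.name:24s} ${ale(a):>10,.0f}")
    print("Qualitative ranking (C+I+A):")
    for a in rank_qualitative(SAMPLE_ASSETS):
        print(f"  {a.name:24s} {qualitative_score(a)}")
    db = SAMPLE_ASSETS[0]
    print(f"Net benefit of a $10,000/yr control on the database: "
          f"${control_benefit(db, 10_000, 0.02):,.0f}")
```

Note that the two methods do not agree on the order of the last two assets: the web site ranks higher on dollars because it is attacked often, while the file server ranks higher on the CIA view because its integrity matters more. Seeing that disagreement is exactly why the assessment has to be done before policies are written.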
A typical argument against performing information security assessments that I hear is, "What's the point? I don't have anything of value to hackers, outsiders or others." This is not true. Every organization has something of value; otherwise, it would cease to exist. Good security usually follows the following five steps:
Security is truly a multilayered process. Once an assessment is completed, policies will fall quickly into place, as it will be much easier for the organization to determine what's most important. Assessments should include policies on the following:
- Patch management.
- Employee hiring and termination practices.
- Backup practices and storage requirements.
- System setup and configuration.
Finally, you need to convince management and staff that information security assessments are really critical and that time and money must be allocated. Explain that being proactive can improve the bottom line. Of course, costs need to be considered, so explore all of your options. There are some excellent resources available. Here are a few:
- National Institute of Standards and Technology special publications
Customers are of little value if a company's infrastructure gets wiped from malicious activity. Customers certainly won't be happy if their credit card data gets stolen or destroyed. Spend the time up front to assess your network. Failure to perform information security assessments is the No. 1 security mistake that SMBs make.
Michael C. Gregg has been involved in IT and network security for more than 15 years. His current responsibilities include security consulting and training for corporate and government entities. He has served as the developer of high-level security classes and study guides, has taught classes for many Fortune 500 companies and has contributed to several books, including his most recent Que publication, CISSP Exam Cram 2.