According to a 2012 survey of 1015 U.S. small business owners, many have a false sense of security when it comes to their IT infrastructure. More than three-fourths (77 percent) believe their company is safe from cyber threats like hackers, viruses, malware or breaches. The problem with this is that 83 percent of the respondents have no formal security policy. These findings are from a survey released in 2012 by the National Cyber Security Alliance (NCSA) and Symantec. (The full survey is available at: http://www.staysafeonline.org/stay-safe-online/resources/).
Based upon additional information collected by Towergate Insurance in 2015 (https://www.towergateinsurance.co.uk/liability-insurance/smes-and-cyber-attacks), 97 percent of SMEs didn’t think improvement to online security was a priority for future growth, 82 percent believe they are not targets for attacks, 32 percent believe they won’t suffer any loss, 31 percent don’t have an action plan for responding to breaches, 24 percent believe that cyber security is too expensive and 22 percent admit they don’t know where to start.
In his recent keynote address at Nolacon 2016 by Dave Kennedy (Founder of TrustedSec, LLC, Binary Defense, co-author of Metasploit and developer of the Social Engineering Toolkit) relayed some of his experience as a penetration tester. One of the points he makes in his talk is contrary to what most people think regarding how hackers exploit and access networks. Most IT security people are worried about deploying security controls to stop the latest APTs (Advanced Persistent Threats), malware and other cutting-edge exploits. In reality, Dave says “Most breaches are very simplistic in nature…You had horrible security practices for the past ten years and got owned because you haven’t patched Adobe Reader in like the last ten years! You were targets because you have horrible security practices.” (You can find Dave’s talk at: http://www.irongeek.com/i.php?page=videos/nolacon2016/105-keynote-david-kennedy).
Why are most enterprises missing the mark and wasting time chasing the wrong solutions? What can be done to get business security on the right track? What does this disconnect between beliefs and actual practices mean and why does it matter?
It all starts with the corporate security policy. Operating a business without a solid security policy is no different from operating without policies that define other business operations. A business without operational policies means decisions get made by individuals based upon their own feelings and past experience. Imagine the chaos that would ensue within any organization if there were no policies that dictated procedures and standards for services, products or brands. Any business that operated in that manner would fail in short order. Operating a business without a solid security policy is no different. In spite of the steps you may be taking to ensure security, without a security policy in place, these efforts will fall short and likely fail.
A security policy is defined by (ISC)2 is a “strategic tool used to dictate how sensitive information and resources are to managed and protected” (See Official (ISC)2 Guide to the CISSP CBK – Fourth Edition, p. 1248). A security policy in its broadest sense outlines the entire security posture for an organization and includes policies that cover personnel, information and technology assets. All policies are centered around the three basic components of security – confidentiality, integrity and availability. The misnomer many in the IT field believe is that IT security is distinct and separate from the rest of an organization’s security practice. It isn’t and handling IT security as a separate process has been part of the reason for the disconnect uncovered by the NCSA survey.
In practical terms, a security policy is a compilation of management expectations that define what assets will be secured and in general terms, to what level they will be secured. The practical implementation of a security policy is done through of the application of procedures, standards, guidelines and baselines. These execution steps are typically carried out by members of the IT staff. Once these implementation steps are complete, auditing should be carried out to make sure the goals of the security policy are met and recommendations are made to close any gaps that remain.
Security policies also serve to document the management team’s obligation to carry out “Due Diligence” in protecting sensitive assets. The application of the security policy through implementing procedures, standards, guidelines and baselines serves as a foundation for the “Due Care” that is often compulsory for an organization. In order to develop a sound security policy, an organization must take account of all assets (a broad term in this sense) that need securing, undertake a risk analysis of those assets to determine the potential for loss and cost of loss to the business. That data is then used to recommend the implementation of the correct, cost-effective controls needed to reduce risk to an acceptable level.
So how much security is enough security? Just enough. While there is no “silver bullet” for network security, a solid security policy accounts for all foreseeable risks. By implementing a security policy, one can be confident that risk has been reduced to a level acceptable to business management.
Without a proper security policy, every aspect of security practiced by an organization becomes suspect. Employees have no foundation for making decisions relating to security and there are no ways to measure the effectiveness of the controls that are put in place. There is no accountability for decision-making and no continuity with changes in management and IT staffing. There is no way to place value on existing controls and no basis for justifying expenditures to implement additional controls.
From a practical standpoint, solving these problems starts with committing to develop and maintain a corporate security policy. This takes cooperation between management and IT. Developing one takes times and effort. There are plenty of solid resources available to businesses of every size to help them develop a comprehensive security policy. Once you start to develop and refine your corporate security policy, security practices within your organization will become more comprehensive, your confidence in your security practices will increase, your customers will notice the difference and you will likely sleep better knowing you are on your way to having your organization’s security in check.