10 Ways to Mitigate Your Security Risks
Getting the Word Out, Creatively
(Page 4 of 4)
9. Security Education on a Budget: Get Creative
At all companies, effective security requires paying attention to people, processes, and technology -- "but often the people aspect of security is ignored," warns Forrester Research analyst Khalid Kark.
To address that, maintain a security awareness program. A good starting point is a short training course for all new employees, to communicate the basics: The help desk will never ask for a password; beware free Wi-Fi hotspots since someone can "listen in" on all communications; using a hotel PC or airport kiosk typically leaves a copy of all data and attachments behind; and never open any suspicious-looking e-mail attachments.
Ongoing education doesn't have to be expensive; consider approaching the subject of security in a humorous yet thorough manner. Here's an offbeat example (notable for a large company with famously deep pockets): To help developers produce cleaner, more secure code, rather than just talk the talk, some volunteers launched a serial comic called "Testing on the Toilet." The related Google Testing Blog explains: "We write flyers about everything from dependency injection to code coverage, and then regularly plaster the bathrooms all over Google with each episode, almost 500 stalls worldwide." The modus operandi is simple: "You need it to be in a place where when you see it, you can't ignore it." While responses have ranged from amused ("This is great because I'm always forgetting to bring my copy of Linux Nerd 2000 to the bathroom!") to unamused ("I'm trying to use the bathroom, can you folks please just leave me alone?"), the message gets out.
Teach users that today's top attacks typically aren't perpetrated by some pimply Siberian wunderkind shooting "game over" exploits onto beleaguered PC screens. Rather, that age-old favorite, the social engineering attack, still rules. Indeed, why break in, when you can just ask politely (if fraudulently) for what you need? One recent example is an IRS phishing attack, which starts with an e-mail saying the IRS is conducting a customer satisfaction survey. If recipients click on the link, the resulting Web page simply asks for their name and phone number, promising $80 for completing a later phone survey. Chances are, however, that if someone does call, the "IRS" needs a credit card number to deposit said funds, says Abrams. "That's when they get the useful information."
10. Encryption: Set It and Forget It
What's the best way to protect information on lost or stolen endpoints from being misused? Consider full-disk encryption software, which renders hard drive data illegible to anyone who doesn't have proper authorization. "Laptops go missing all the time, laptops get stolen, and the last thing you want is to not have the person who steals that laptop sell that customer information on the Internet," says the NCSA's Teixeira.
Consider that under states' data breach notification laws, if a company loses a machine containing residents' sensitive information, but the data is encrypted, then no notification is necessary. Given that the average cost of notification in a data breach, according to the Ponemon Institute, is $182 per lost customer record (not just per customer), the full-disk encryption alternative often makes financial sense.
If that argument is too abstract for whoever controls the purse strings, try mentioning high-profile data breaches, for example at TJX or CardSystems (itself a smaller business). The point: if a company loses customer information, expect at least some customers to defect. If a small or midsize business loses the information and covers it up or responds too slowly, however, once the public, legal, and regulatory fallout is over, then as CardSystems demonstrated, there may no longer be a business.
Mathew Schwartz has covered IT and business topics for more than 10 years as a journalist, researcher, and editor. His work has appeared in a variety of publications, including the Boston Globe, Computerworld, Information Security Magazine, the London Times, IT Compliance Institute, and Wired News.