Asked by

Michael E. Dortch

Are You Taking IT Security Seriously Enough?

A recent study of 1,500 small businesses found that while 65 percent said the Internet was critical to their business, only 28 percent have formal Internet security policies, with only 35 percent providing any employee training in Internet safety or security. Even more troubling, while more than 90 percent said that they believe that their security policies protect their companies from malware and viruses, only 53 percent check their chosen protections weekly -- and 11 percent never check them at all.

How secure are the IT solutions that handle and store customer information and other sensitive intellectual property at your company -- and how do you know? What are you using and doing to make and keep IT secure, and how are your vendors, resellers and integrators helping, if at all?

Posted Oct. 28, 2009 in IT Security


1 Answer

Posted on Oct. 30, 2009
Michael Bacon

Once again, the results do not surprise yet still trouble me. They do not differ markedly from when I ran the Information Security Surveys in 1996 and 1998 for KPMG and advised the DTI on its 2000 Security Breaches Report.

As I posted elsewhere today, when it comes to the technology element of "IT solutions" it matters little how secure each component is nor too much how well they work together. The big issue is and probably always will be ... people.

The best way of addressing the people element of the "IT solution" is through a combination of preventative and detective controls. The preventative controls should be sculpted to facilitate the business whilst imposing normally unseen restrictions on the improper processing of data. The detective controls are there to report on potential as well as actual breaches of policy.

Having mentioned 'policy', I will point out that this is a primary control, but it must be (a) communicated and (b) understood. This latter aspect provides the first metric. You need to measure people's understanding of the policy on a frequent basis (at least annually).

Thereafter, measure both success and failure and share the results with everyone. Remember to include in your policy that you will monitor, measure and publish activities involving those data you wish to control strictly. It's easier to measure failure in security regimes, so try to move the balance towards success.
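The answer above distinguishes preventative controls (enforced before the fact) from detective controls (reporting potential as well as actual policy breaches after the fact) and recommends measuring both success and failure. The following is an added illustration of that split in code; it is not part of the original thread and is not code from either poster. The roles, data classes, working hours, the policy rules and every log line are constructed assumptions chosen to make the point, not data from the study or from any real system.

```python
"""Preventative vs. detective controls over a constructed access log.

Added example, not from the original thread.  The policy table, roles,
data classes, working hours and the sample log lines are all assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed policy: which roles may touch which data class (hypothetical).
ALLOWED_ROLES = {
    "customer_pii": {"support", "billing"},
    "source_code": {"engineering"},
    "public": {"support", "billing", "engineering", "marketing"},
}
# Assumed working hours; sensitive access outside them is "potential", not "actual".
WORK_HOURS = range(8, 19)  # 08:00 to 18:59


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    data_class: str
    action: str


def preventative_check(role, data_class):
    """Preventative control: decide before the fact whether an access is allowed."""
    return role in ALLOWED_ROLES.get(data_class, set())


def classify(event):
    """Detective control: label a recorded event 'ok', 'potential' or 'actual'."""
    if not preventative_check(event.role, event.data_class):
        return "actual"      # policy forbids this role reading this data class
    if event.ts.hour not in WORK_HOURS and event.data_class != "public":
        return "potential"   # permitted role, unusual time: flag for review
    if event.action == "export" and event.data_class == "customer_pii":
        return "potential"   # bulk export of PII is permitted but monitored
    return "ok"


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <user> <role> <data_class> <action>'."""
    ts, user, role, data_class, action = line.split()
    return Event(datetime.fromisoformat(ts), user, role, data_class, action)


def report(lines):
    """Run the detective control and return (counts, findings, success_rate).

    success_rate is the share of events that were fully compliant, which is
    the 'success' side of the metric the answer recommends publishing.
    """
    counts = Counter()
    findings = []
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev)
        counts[verdict] += 1
        if verdict != "ok":
            findings.append((verdict, ev.user, ev.data_class, ev.action))
    total = sum(counts.values())
    success_rate = counts["ok"] / total if total else 0.0
    return counts, findings, success_rate


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2009-10-29T09:12:00 alice support customer_pii read",
    "2009-10-29T10:03:00 bob engineering source_code read",
    "2009-10-29T22:41:00 alice support customer_pii read",
    "2009-10-29T11:30:00 carol marketing customer_pii read",
    "2009-10-29T14:05:00 dave billing customer_pii export",
    "2009-10-29T23:10:00 erin marketing public read",
]

if __name__ == "__main__":
    counts, findings, rate = report(SAMPLE_LOG)
    print(dict(counts), f"success rate {rate:.0%}")
    for finding in findings:
        print(*finding)
```

Run as a script it prints the counts per verdict (3 ok, 2 potential, 1 actual on the constructed log), the 50% success rate, and one line per finding. The design point is that the same policy table drives both controls: `preventative_check` is what an access gate would call, and `classify` reuses it over the record so that an "actual" finding means the preventative control was bypassed or absent, while "potential" findings are the permitted-but-unusual events the answer says should be reviewed rather than blocked.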
