SMBs should start with simple solutions to manage security risks

April 14, 2015 by John G. Laskey

The growth and persistence of cyber attacks and the way rapid changes in technology leapfrog over security countermeasures have shifted the emphasis of security from front-line defense to one of recovery of services after attacks take place.

But there’s still a long road ahead for small and medium-size businesses to effectively manage privacy and security risks. The first step, usually the hardest, can be made simple: The organization should list its most valued and useful assets. Sometimes this turns up surprises. It may have overlooked the importance of assets essential to its operations—for example, a frequently used customer database or an essential benefit provided by a supplier that hasn’t been formalized or stress-tested.

Second, the organization should consider the reasons it started its cyber security journey. Perhaps it was a failure of legal or regulatory compliance, or a loss of private data that resulted in lost business. What emerges is a rough cut of the organization’s risks. When placed against the list of assets, security priorities begin to take shape.

The third step is a review of what others are experiencing that might impact the organization’s own operations: Is there something in recent headlines about theft or hacking of personal data that could affect it? This can be added to a basic list of threats. Likewise, any threats for which there is no obvious remedy (e.g. a business requirement to use mobile devices) can form a separate list of vulnerabilities.

So even before SMBs consider more complex risk assessment methodologies, they will have a grasp of their assets, risks, threats and vulnerabilities. It is not a technical approach, but that’s a good thing. Some methodologies, such as ISO/IEC 27001, place responsibility for security squarely at the top of the organization, so a simple assessment led by managers gives them a key stake in any more comprehensive evaluation. Such methodologies come in many flavors, but some are free and do not require technical understanding. For example, the OCTAVE Allegro method is widely used.

Once a risk assessment has been produced, it should be put within a framework that ensures it is maintained and developed over time. Again, there are several available, and some require time and resources to implement.

The federal government recognizes the need for organizations supporting critical national infrastructure to have effective cyber security practices in place. In 2014 NIST published the Cybersecurity Framework, a free publication cross-referenced to well-established methodologies like COBIT 5 and ISO 27001. It is designed to organize effective incident response measures and helps organizations assess the efficiency of their security measures. It also provides an ongoing process of assessment that enables security to be improved.

Setting out on the path to effective management of security risks—especially for the first time—can be intimidating. The approach should be taken one step at a time and should, at first, set aside the more complex terminology and methods. With the right approach and tools, solutions can be simpler than they might first appear, through the application of common sense and an awareness of the useful, free tools available.

John Laskey is a US-based security consultant who previously worked in the British government, where he was responsible for securing systems and advising senior managers about major programs. In the US, John has taught the ISO 27001 standard and is now helping develop and market new InfoSec products and services. He is a member of ISSA (New England Chapter).