Feature Story

Don’t Let Your Guard Down

Most companies spend decades establishing their reputations and attempting to guarantee their longevity. They invest in the most advanced devices and keep up with emerging technological trends to ensure they get a leg up on the competition. The problem is that evolving alongside IT advancements can be costly, especially since most businesses are being forced to lower their budgets and create prioritized lists of what to keep and what to let go.

The truth is that security solutions should be viewed with (or close to) the same importance as the computers, smartphones, and other devices they are meant to protect.

"Security should be second only to the absolute mission-critical applications," says Mike Donnell, CEO of eSoft (www.esoft.com). "The idea being that once you have covered the costs to implement and support mission-critical functions, the next thing you need to do is to secure them to ensure they are available and that your critical data and ability to operate are not impaired."

Knowing the importance of security is an important step in the process, but it's only the beginning. From there, you must understand how cutting your security budget can negatively affect your company; what infrastructure, applications, and data need to be secured and how to properly protect them without incurring major costs; and how to prevent future threats, which can end up being much more costly than putting preventative measures in place from the beginning.

Cost of Cutting Your Security Budget

If you're thinking about cutting your security budget, remember that the technological foundation of your company includes data that hackers and other outsiders are hoping to access. "If something has value to you, it has value to others," says Chris King, director of product marketing at Palo Alto Networks (www.paloaltonetworks.com). "And if it has value to others, and you don't protect it, it will be stolen."

You must also understand that as your company continues to evolve, so will outside threats, which means that you will need to continue investing in security for as long as you're in business. If you don't, you might not see the true importance of security until it's too late. "Cutting back on security usually means that the likelihood of stopping and properly handling threats diminishes," says James McMurry, president and CEO of Milton Security Group (www.miltonsecurity.com). "Many times, return on investment is hard to track with security until you cut back on it. The first time your data is breached or your network is taken down due to malware or a virus will be the first time you can judge the true cost of security and budget cutbacks."

Investing in security can also be viewed as a money-saving tactic in its own right. According to Donnell, "companies can actually reduce their IT spending by investing in preventing security events, such as intrusions or virus infections, since the costs of reacting to these events in hard costs—like PC hard drive clean-up or replacement—can far exceed the costs for a good comprehensive security solution."

Extensive security measures are like insurance policies. You pay a price up front to put them in place, but they will protect and keep you covered in the event of an unforeseen security breach. For this reason, they should be higher on your budget priority list. In fact, McMurry recommends that most companies have a "bare minimum of 5% of IT budget geared toward security," unless they handle particularly sensitive data or "are bound by agencies like NERC, FERC, or HIPAA," in which case security should be a minimum of 20% of the budget.

Employee-Based Security Improvements

Not all security measures will involve technology investments. Some don't require any additional costs at all. Security attacks and breaches are often the result of human error, so a logical place to start is with employee education. "Knowledge is power," says McMurry. "Threats keep changing, and knowing what's out there is the best way to keep your company prepared."

Other experts agree with McMurry, including Donnell, who says that "eSoft is finding 15,000 new viruses per day." And these viruses are taking advantage of established Web traffic patterns. Donnell says that "60 of the top 100 most frequently visited websites hosted or redirected users to malicious content and 40,000 unique phishing sites are launched each month." If you can train your workforce to spot potential virus hotbeds and show them how to avoid phishing sites and scams, it will make it much easier to prevent the smaller intrusions that can lead to large-scale security disasters.

One way to do this effectively is to institute security policies for your entire company. These policies should lay out what employees are allowed to do and what types of situations they should avoid. Also, when formulating security policies, companies must look at the nature of the business itself as well as what needs to be protected. "Companies have to figure out for themselves what kind of policies they want to adopt," says Donnell. "Some companies are very risk tolerant and others are much more risk averse, but every organization must figure out what kind of benefit vs. risk balance they should strike."

Donnell says that policies should be simple enough to avoid confusion, but detailed enough to leave no room for interpretation. He recommends that companies simplify the translation between the IT department and employees and to avoid "arcane mixes of ports, protocols, IP addresses, and URLs." Instead, policies should focus on the uses of specific applications, security protocols for sensitive data sent via email, and other situations. Setting up a series of policies for employees to follow is one way to add little or no additional cost to your IT budget while simultaneously improving the overall security approach of your company.

Know What Needs Protecting . . .

After you've educated employees and instituted policies, it's time to look at the security needs of your company on an application-by-application and device-by-device basis. Almost every facet of your company will require a different form of security targeted directly at the needs of that specific app or device, so you should look at what programs and products your employees are regularly using. For instance, some companies don't require their employees to travel, which means that laptop or smartphone security may not be a strong focus. But other companies may have a fully mobile workforce that need external access to the company network, which requires additional security measures.

In the same way it wouldn't make sense to put an elaborate surveillance system around a woodshed, it isn't financially responsible to purchase more security solutions than you need. But on the other hand, it isn't a good idea to be unprepared without at least enough security to protect the most crucial resources of your company. Most businesses will need to protect computers (whether they are desktops or laptops), mobile devices (such as smartphones or tablets), and the internal network. By surveying your company's technological landscape, you can determine what needs to be protected and what types of solutions will be best to implement.

. . . And How To Protect It

After you've determined what products your company needs to secure, you can start looking at possible solutions for those devices. McMurry recommends categorizing devices into mobile and non-mobile groupings to make the solution selection process easier. "Non-mobiles, such as desktops or servers, have the advantage of not moving off the network," he says. "But mobile devices, like laptops, tablets, and smartphones, tend to be used in the wild, exposing them to threats more often."

In terms of non-mobile device security, you should put a strong focus on email and Web-based threats. According to Pierluigi Stella, CTO at Network Box USA (www.networkboxusa.com), all outgoing emails that contain any kind of sensitive information should be encrypted. For incoming emails, Stella recommends an "email gateway proxy or mail transfer agent," that prevents remote servers from making a direct connection to the server, but still allows you to safely view the information inside. A solid email security solution will also quarantine spam emails.

For the Web, it's a good idea to invest in a comprehensive antivirus suite that not only finds and removes viruses with a scan, but also prevents access to suspicious websites and stops malware before it gets through. An antivirus suite with a central console will be helpful for your IT department as well and make it easier to address potential issues.

Mobile devices, such as laptops, tablets, and smartphones, have their own particular issues, as well. Wi-Fi policies must be introduced that will help mobile workers discern which networks are safe to access and which ones aren't. Public Wi-Fi hotspots are particularly dangerous for these devices and can lead to stolen data, so it's important to make sure a network is safe before connecting. Companies can also put a private network in place that will give traveling employees safe and secure access to internal company resources. You can also prevent access to this or any other type of network with a network access control system that will block unwanted outside connections.

Another way to protect a company's internal network is with a UTM (Unified Threat Management) solution, which serves as a gateway between your network and the outside world. And perhaps the best feature of UTM solutions is the ability to scale them up or down as needed. "A high quality Unified Threat Management device includes protection from all types of threats at an affordable price for any size office and can be easily upgraded as traffic needs increase," says Donnell.

In the end, it takes a combination of wide-ranging security solutions to fully protect your company and employees. You can start with a simple firewall that prevents access to your internal network, but each individual device will need its own specific solution. In essence, the more layers you can add to your security approach, the better protected your company will be.

Be Up-To-Date & Ready For Change

Even if you have all of your devices properly secured with the correct types of solutions, it isn't the end of the road. You must regularly test your security, either internally or externally using an outside firm, to ensure that everything is working as it should. You have to make sure all of your solutions are updated and upgraded as necessary. Security software titles, especially antivirus programs, are often updated with tools to prevent the newest threats from attacking your company.

In addition to simply updating your security measures, you should always be on the lookout for new ones. "Unfortunately, security is not a destination, it is a process," says King. "As technology changes, businesses grow, compliance requirements change, threats change, and even the risk tolerance of organizations changes, security has to adapt. Furthermore, evolving the approach to security is important, because one cannot expect to secure brand new application and devices with 10-year-old technology. Security needs innovation too."

Read this article interactively

Return to: 2012 Feature Stories