The cold war was political. It's over. World War III is an economic war. It's here - it's now. Information is where the money is and theft is easy, safe, and lucrative. Eavesdropping and other high-tech related crimes are difficult to enforce and prove. Advancements in electronics and optical electronics have made communications interception easy and cheap. Business ethics don't have the same value as they did in the good old days of the "deck of punch cards" computing.

IT and business security is becoming more and more critical in today's commercial environment. Every day we are faced with new computer risks, viruses and new "ideas" from hackers on how to gain access to our network or other systems or physical locations. Fortunately, there are even more sophisticated business solutions out there that can be implemented to secure us from these dangers. These can be anything from simple firewalls up to very expensive encryption and biometric authentication solutions or remote communication modules. These new business realities affect you as much as they do your competitor - no matter what your line of business. The question is how can you protect your organization, no matter how large or small, from the known and unknown security dangers and risks to remain as competitive, and therefore as profitable, as possible?

What about all the other business risks that are also getting more sophisticated? Have you considered all the risks that cannot be covered by technology? What about the human side of business? No business can function without the human touch. Yet how do you know when that necessary "human touch" is about to reach out and touch you in the form of an "insider" attack? Have you thought about your employees behind the technology? How about social re-engineering forces or disgruntled employees? When did you have your last corporate risk assessment completed, or even considered, if ever?

As a person you are prepared for the unexpected: you face the unexpected several times a day without giving it a second thought. You follow the rules of the road when you drive because you know it is the right thing to do. You purchase insurance for yourself and your car, carry health insurance and life insurance because you know it is the right thing to do for your family. Unfortunately, with many of the business risks of today there is no "red light, green light" to tell us when to stop and when to go. But how can you say you are sorry enough to your customers, when you have to tell them some hacker has posted their credit card number on the hacker's web site? When it comes to your organization or business, have you put the same level of consideration into how your employees and customers will continue to rely on you should the unexpected happen?

If you're like the Senior Executive or owner of most companies, the answer may be a frightening "No, we have never had any comprehensive business risk assessment completed." Or worse yet, perhaps you have a false sense of security in a plan that was developed several years ago. With all we hear about how high the price of security can be these days you may find yourself saying, "Investing in a security and privacy solution is expensive; too expensive for our organization or business right now." But can you afford to risk spending more than 15 times the cost of preventing a security breach or a communications breakdown when the unforeseen does in fact happen?

Proactively preparing your business with a comprehensive security assessment and plan is far less expensive. According to David Bauer, first vice president, chief information security and privacy officer at Merrill Lynch, a key component of any strategy is a dynamic risk assessment. By using tools such as scanners, log analysis, risk metrics and asset inventory that produce a biweekly security report you can more quickly analyze and prioritize current or potential threats. This approach allows organizations to move from a circle-the-wagons approach to intelligent risk management.

With an intelligent risk management solution the percentage of the IT budget that needs to be spent on effective risk protection is actually far less than what your competitors will be forced to spend. The answer is not about how much you spend but how well you spend it. This way about half the spending is advisory, helping build secure systems, while the rest goes toward risk management, prevention and response. For instance, it is easy to get somebody's password, so the damage that can be done by an individual has to be as small as possible. William Farrow, CIO at the Chicago Board of Trade, told how a woman cleaning a conference room became suspicious of a laptop left running overnight. She reported it to security, and it was later discovered that someone had left the laptop running port scanning software aimed at penetrating the corporate computer network. In this case even an employee at the lowest level of the corporate structure was made aware of the potential damage that can be done to the organization with a security breach. In corporate or IT security, emotional reactions, panic and legislation are counterproductive. But intelligent approaches can safeguard your organization or business from an uncertain future and substantial financial losses.

If you ask CEOs of large corporations who have gotten even low-level employees to be savvy about security, you get advice on employee education: "Make it a part of daily conversation in every project meeting. Make it clear that every project has responsibility for security. You have to make it part of day-to-day operations." Adherence to clearly defined security principles should be a part of each employee's contract. It is also important to publicize employee-caused security incidents internally, not necessarily naming the employee who made a mistake, but doing it in a way that others learn from the error. Those organizations or businesses that have evolved a system of process improvement as a natural consequence of their business demands are those organizations or businesses that will excel and win the security wars.

The key difference between companies that have implemented a dynamic security plan and those that have not is preparation. Preparation requires a focus on risk management, intelligence-driven identification, prevention and response. A good organizational or business security strategy is built around these principles: threat management, including intelligence, planning and instant response; comprehensive security services; attention to public policy, including active attempts to educate legislators; and an agile response to the changing risk environment. After all, as we have learned, an intelligent security response needs to be everyone's responsibility, and it is not always technology and IT security that matters the most.