By Gregg Larson
This last year we’ve seen brokers make multi-million dollar payouts on information security breaches. No doubt these brokers wish they had taken more of an active interest in security before the incidents occurred. Information security is an effort that needs to start from the business owner, and it includes not only computer-related security but physical security and personnel practices as well. But since part of the effort is technical, how can the business owner achieve a proper level of oversight?
The first step is having an Information Security Assessment performed by a qualified third party. The assessment should ensure that its customers have enough information to make good business decisions balancing cost, effort and risk to mitigate security issues. Once security issues are both visible and prioritized, business owners can schedule risk mitigations and provide project oversight. The company performing the assessment should work with staff to ensure that they have all the tools in place to continually assess information security practices; business owners should be regularly reviewing executive-level reports from staff summarizing the current level of business risk.
Another part of information security is including information security standards in contracts: specifying methods for protecting data, means for monitoring security practices, and remedies when vendors don’t meet those requirements. Most industry contracts that Clareity reviews don’t address security at all, or do so only in the most cursory manner.
One of the tools that Clareity Security has recently made available to the industry, so that business owners can exercise information security oversight over their own staff, software providers and web hosts, is called HACKER SAFE®. This tool tests exposed web sites and servers daily against a comprehensive, continually updated vulnerability knowledge base and sends email or pager alerts when new vulnerabilities emerge. This is the same scanning service used by Visa and PayPal, and the Hacker Safe certification is seen on sites such as the American Red Cross, GMC, Toshiba, Yahoo! and SONY.
Why aren’t business owners doing their part to assess, monitor, and address security issues? Sometimes they think their IT staff is taking care of it already. Sometimes that IT staff doesn’t know what they don’t know; they’re not specialists in security but believe it’s under control. Sometimes they know there are problems (or at least some of them) but always assume that time to fix them will soon come, and it never does. Finally, there are those who would love to convince their bosses to allocate resources to information security, but who know that will probably not happen until it’s too late and there has been an incident.
I urge you not to wait: have an assessment performed, have a project in place for risk mitigation, a process put in place for regular re-assessment, and use tools like Hacker Safe to provide ongoing monitoring of your exposed servers and software. Taking reasonable steps to avoid the monetary and reputation costs of a security breach just makes good business sense.
For more on information security or HACKER SAFE please visit: www.ClareitySecurity.com.