While investing in better security from a monetary standpoint is certainly not a bad thing, some of the most effective security is free. Educating employees on best practices, potential threats and maintenance is a great place to start. Most businesses leave security to the IT team and think that the responsibility ends there. In reality, everyone from the shareholders to the CEO to the custodial staff should care about security.
Consider the fact that custodial staff have physical access to your offices, for example. What types of security do you need to protect against a physical attack? If a janitor forgets to lock an external door, or worse yet, has personal intent to steal from your business, where are your points of failure? Perhaps individual offices, servers and switches should have separate lock and key access. Systems could be powered down during hours the office is closed, with any type of activity triggering an alarm. Rather than physical office keys, maybe digital ones are used instead, so that when an employee is let go, the business can remain confident in who has access. These are just a few measures that may or may not have a cost associated with them, but the first step is absolutely free: thought and consideration given to points of entry.
Play through another hypothetical, this time with a contracted software engineer. While laws, contracts and intent should be ample protection from the contractor themselves, consider the fact that they, for a period of time, might have full access to your tech infrastructure. What are your processes and procedures following the contract to ensure that they have wiped any intellectual property or access? Do you have a process for changing security credentials and keys on all the critical layers after they are finished with the work? Where are you storing these credentials? Once again, the questions you can ask yourself and the processes you can implement for your company on this front can have little to no cost.
Physical and credential security are only the beginning. Education and understanding may be the most important first step towards creating a more secure system and business. While compliance may feel like having your teeth pulled out, reading through and understanding industry reports, such as the white papers by Verizon and Veracode, is both informative and quite enjoyable. Passing this information along to your employees and partners will kick off many internal discussions about assessing and protecting the company from the ground up.
While it may seem like throwing more cash and software at the problem would make things better, the reality is that it can make them much worse. While security software can be incredibly valuable, the programs and tools themselves can contain vulnerabilities. When building security software, most companies are focused on how to break other software rather than how to build their own. The mindsets are very different, and while each has a place and value, they should work in tandem for the most effective results. Thus, many security consultants will tell you “less is more” when it comes to protecting systems. Physical security, hardware, and proprietary tests can be incredibly effective, especially when compared to off-the-shelf antivirus software or intrusion technology.
Even when it comes to hardware devices and internal tools, many businesses fall short in following through with the integration of these devices or tools. Furthermore, many of these are very generic intrusion detection tools and the like, which do not cater to the unique networks and operations of an individual business. Hiring software engineers as contractors or consultants is often a much more effective way of securing your business, as they will lead you towards building custom tools that fit your specific needs and vulnerabilities.