There has certainly been a deluge of federal, state and private industry information security regulations, and small and midsized businesses (SMBs) are perhaps the hardest hit. Contrary to all the marketing hype and general belief, there are reasonable ways you can bring your SMB into compliance and stay without having to spend tens of thousands of dollars on technology and other overrated solutions to this problem.
It seems that for every information security assessment I perform, the general outcome is not recommendations to install the latest and greatest firewall, encrypt everything in sight, or lock down every computer to the point of minimum usability. Instead, the recommendations usually involve making changes in the "soft" areas of security -- namely business processes. Obviously, it still costs money in the form of time, effort and other personnel resources to make such changes, but it doesn't have to be that expensive. This is especially true if you have in-house staff that can help with your compliance requirements.
Without performing an information security assessment, here are 10 items that, when implemented properly, I guarantee will buy you more bang for your compliance buck than anything else:
- Spend as much time securing the inside. This includes file access controls and network passwords as you do externally accessible systems, as this is where many security breaches occur. Maintain your security testing and audint as well, as it's much less costly than a complete network revamp or recovery from a malicious attack.
- Create a regulatory compliance committee. Include human resources, legal, IT and an upper management representative if possible. Such a committee can help ensure that resources are spent only where they need to be.
- Start with security policy templates. These can be downloaded free from the Internet or are available in scores of low-cost information security books when putting your initial policies in place. You can find a good policy document format on SearchSecurity.com.
- Keep documentation and technologies as simple as possible. This allows everyone to clearly know where the business stands in terms of what can and cannot be done. It helps to minimize technical administration needs.
- Use existing security controls. Instead of buying third-party solutions, buy controls that are already built into your operating systems and applications such as password enforcement, personal firewalls, access controls and logging.
- Focus more of your efforts on securing "where the money is." Focus on the systems that store or process confidential or sensitive information and place less effort on your less critical systems (but don't completely ignore everything else).
- Invest in an in-depth security assessment. Do this up front using the right tools, employee interviews, building walkthroughs and business process reviews. If you do it right the first time and implement solid controls, your security will be less costly and much easier to manage long term.
- Consider purchasing integrated security appliances. These provide firewall, malware, content filtering and other protective measures where possible if you must purchase more technology to help enforce your policies.
- Look long and hard at all areas with which you think you have to comply. This is especially true if the regulation "suggests" you implement a security control but you can document a good business justification otherwise.
- Focus strongly on employee security awareness and staff training. Resources spent in these two areas can improve your information security as much as everything else combined.
Information security and regulatory compliance aren't easy, and nothing good is free. However, if you approach the requirements for doing business in a high-tech economy with some common sense and keep things simple and practical, your small or midsized company -- and especially its cash flow -- should be quite all right.
Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
