PaulDotCom mailing list archives

Re: IT Security Topics for Small Business


From: Conrad Constantine <conrad () 1211 net>
Date: Mon, 03 Dec 2012 02:39:19 -0500

On 12/2/2012 10:57 AM, TheTolik wrote:
> I am working on creating a guide to IT Security to help companies
> without or with a minimal IT budget protect themselves and their
> customers,

I think the one thing that's really appropriate for smaller businesses, more so even than larger ones (because the larger enterprises have greater resources to ensure their survival after any major security incident), yet often gets glossed over in materials like this... is a good risk assessment.

Small businesses encounter the common "Security at All Costs!" attitude and just throw their hands up at the impossibility of it all. The generic one-size-fits-all "security awareness" material that gets thrown at them isn't of much use either.

Teaching small business owners to identify the risks to *their* business that security issues present can be critical - while a banking trojan in the right place at a major organization can create some major paperwork and insurance claims, that same trojan at a small business can end up in overnight bankruptcy ("what do you mean 'all the money is gone!?").

So when small businesses encounter the same wall of "Everything Must Be Secured!" our profession puts forth, they are likely to prioritize resources inappropriately and shore up iron doors in paper walls based on a fear response to threats instead of rational assessment.

As other people have mentioned, perhaps the greatest risk factor to small businesses is the use of ad-hoc, unmeasured, unmonitored processes: the lone accountant who keeps the only copy of the company's financial records on a laptop with no backups, the system administrator who uses the same machine he manages the company's systems from to browse sports scores during lunchtime.

So when I see "Security Awareness" in a list of things to cover, I can't help but assume this is limited to the usual list of "Don't Play In Traffic" tropes that get rolled out to (and ignored by) everyone.

TL;DR - Include a section on Basic Business Continuity planning: teach people to think about ways that someone with access to their computers could destroy their business, and then use that information to put everything else in the handbook to use. Death to "Security for Its Own Sake".

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

