Let's face it: There's no such thing as risk-free computing. Despite the inherent risks of conducting business today using email, instant messaging, and the Internet, most SMEs are still reluctant to part with large volumes of hard-earned capital on security unless they can see an obvious benefit. Because these organizations are connected to the Web predominantly via broadband or dial-up, most will have some type of antivirus software and firewall installed. The obvious advice is to update antivirus software as soon as the vendor supplies those updates and to ensure (when using Microsoft products) that you have applied all the released security patches. These two steps alone will eliminate more than 50% of the security risks to your system. Nevertheless, there are other risks inherent in our wired world. Finding the right mix means determining where your system is vulnerable and which combination of products, policies, and procedures will give you the biggest benefit for the buck.
First Things First

It is common knowledge that the Internet, email, and networked computers are fundamental to the success of today's large and small businesses. With internal and external IT security threats bombarding corporate networks more than ever before, network security has quickly become a key tactic for everyone from Fortune 500 companies to privately owned mom-and-pop retail stores that wish to remain competitive. To this end, these organizations must learn to make the best use of their available resources to maximize the security of their networks. Dave Wreski, security expert and Guardian Digital CEO, says, "In order to gain bulletproof network security and ensure business-critical applications and information are safe, the proper tools must be integrated into each level of a system. While fully securing the entire system is ideal, financial resources are not always available to provide the most technologically advanced security applications to every aspect of a network. If this situation arises, organizations should take the appropriate steps to identify specific areas to focus security resources on." Although the entire system may not end up uniformly secure as a result, it makes sense for business-critical applications to receive a higher level of security than those that are less significant to the successful operation of the organization.
Perform A Risk Assessment

The most obvious advice—advice we're all sure to see many times—is that in order to focus protection on the most important risks, we need to understand what the risks are. John A. Blackley, principal security architect for Citadel Security Software, says, "I see many organizations . . . putting significant amounts of energy into counteracting the obvious (to them) risks. This is fine if what appear to be the obvious risks are actually the most significant risks and the only significant risks. Problems arise when the 'obvious' risks are the only ones counteracted but are not the only significant ones. It follows then that the most effective approach is to adopt some form of risk assessment." According to Blackley, this is an area where the SME needs to do a little homework, as there are approaches and methodologies out there that need be none of these things. Cursory or high-level risk assessments are better than none at all, and risk assessment can be an iterative process. Blackley isn't the only one who believes risk assessment is essential to finding the right security mix. Wreski says, "Security risk assessment is a method by which IT administrators identify individual assets, evaluate the value and sensitivity of information on the system, and work to understand potential risks to the integrity of that data." In essence, once those areas are recognized, with both existing and potential risks pinpointed, administrators can take the appropriate steps to secure them. "Performing a system-wide risk assessment gives administrators an important reference point for current system security, and by periodically repeating this process, they can continually gauge the future security needs of the company," says Wreski. An accurate risk assessment can also reveal areas of a particular organization that do not require as much focus on security.
Wreski notes that any unsecured area of a network may result in potentially debilitating network exploitation. Ignoring even the smallest vulnerability can prove to be costly in downtime, recovery, lost productivity, and revenue. As a result, Wreski offers the following steps to performing a risk assessment:

• Analyze systems for potential vulnerabilities.
• Determine what effects those vulnerabilities can have on the organization as a whole.
• Evaluate the risks and determine whether existing security precautions are sufficient.
• Document findings.
• Make any necessary changes to system security based on the assessment.
• Periodically re-evaluate prior conclusions and revise the report if necessary.
Make The Time

Unfortunately, the indispensable procedure of risk assessment can be considerably time-consuming. Already strained IT departments may find it burdensome to devote manpower to risk assessment. Instead of analyzing every possible risk, it may be in the best interest of the organization to use existing industry standards and to research what partners or industry leaders are doing as a basis for its own risk assessment. Wreski contends that although the outcome of a risk assessment will always be individual to the organization, each should concentrate on a few common key areas when securing the network. An undeniably important factor in network security is system updates. System vulnerabilities and security threats consistently arise, and outdated or unpatched applications provide an invitation for system compromise, says Wreski. Viruses, for example, are released by the hundreds every day. Updated antivirus software has the capability to identify and protect networks from the latest virus patterns. Outdated virus protection, on the other hand, will not recognize newer forms of malicious code and may allow it to pass through, causing a potentially damaging infection on an internal network. Other standard IT security applications include a state-of-the-art gateway firewall, intrusion detection functions, and privacy features to defend against intrusion, data exploitation, and malicious code. "These types of security tools tend to act as the first line of defense against the onslaught of ever-changing Internet and network threats," adds Wreski.

The BS 7799 Approach

According to Steve Crutchley, chief security officer for 4FrontSecurity, "If you apply a baseline such as BS 7799 [a generic set of best practices for the security of information systems] to your business, you can start to understand what controls are needed and where they need to be directed. Organizations all too often spend money on security because 'it was a good idea at the time' and 'the technical guys told us to do so.' Just like applying controls with Sarbanes-Oxley, business must take a 'best practice' approach to security and the overall business objectives." Crutchley adds that most companies worry about their risk posture. In fact, organizations do understand where their risks normally are; they just have to document them. With the help of consultants, the rest can be found very easily. Risk assessment is therefore not such a big issue, or even a time-consuming or costly process. Self-assessment should be the action of the day. The process can be relatively easy and painless. In essence, most medium-sized organizations can achieve this with the help of a proficient consultant in approximately one week; documentation will take longer. Restating the business objectives and needs is the first step to making sure the right controls are in place. Tactical solutions to support those needs follow. "With a prioritized understanding and a better idea of what is required, overspends in security solutions can be eliminated and the right spend for critical process can be justified," says Crutchley.

by Douglas Schweitzer, MBA, Sc.D.