5 key things business people should know about Internet Security

Last week I was asked to present at a chapter meeting of AFCOM in Chicago.  The Chicago AFCOM Chapter, along with CoreLink Data Centers, were wonderful hosts.

With a topic as broad as Internet Security, it is sometimes difficult to narrow down what people should know.  After some thought and some discussions, we decided that it would be interesting to talk about what the business should know about security.  Instead of talking about firewall rules and false positive IPS events, I decided that business people need to understand the risks and the issues that they face.  That presentation can be downloaded to the left, but here is what I said to these folks.

  1. The bad guys are smart…. really smart. The days when “hackers” were bored teenagers with some skills and a script they downloaded off some bulletin board are gone.  Breaching systems is a full time, for profit, organized endeavor.  Mostly it is run by organized crime or rogue elements in foreign governments, but good old fashioned gangs are getting into the business also.  They are staying one step ahead of the good guys in technology, systems, and exploits.  The statistics are very scary.
  2. Having a breach is a business killer. This isn’t an exaggeration.  I’ve heard of studies that found that 75% of businesses that had a breach in their systems and lost customer credit card data filed for bankruptcy within one year.  Coalfire (a top PCI Audit firm) estimates that a business will spend $30 PER CARD, just to notify the cardholder of a problem.  This does not count the fines and other costs.
  3. Security is not a one-time event. The idea of “Oh we have a firewall, we’re good” is a bad one.  A standard firewall decides what to allow based on ports and protocols, and it has to let web traffic through to a public web site.  SQL Injection exploits, web application exploits, and dozens of other ways to breach a system ride in over exactly that allowed web traffic, so the firewall is not even designed to protect against them.  Security has to be an ongoing posture and technological refresh.
  4. Everything is in the cloud (even if you don’t think it is). Cloud computing and SaaS applications have become so ubiquitous that a worm, virus, or exploit of some kind can come from places that you didn’t expect.  With office computers accessing things like Facebook, GMail, Yahoo, Twitter, Viddler, etc., security is getting more complex, not less.  This doesn’t even take into account using cloud computing in your own IT infrastructure.
  5. If you are going to do it yourself… Be good at it. Because of all of the items listed above, if you as a business choose to have security as an internal IT function instead of using an MSSP (such as StillSecure, or several other reputable firms)… make the investment to do it right.
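To make point 3 concrete, here is a small added example (my own illustration, not code from the presentation or from any product mentioned above). It models a port-based firewall that allows HTTPS on port 443, a vulnerable customer lookup that builds SQL by string concatenation, and the same lookup done with a parameterized query. The customer table, the card numbers and the firewall function are constructed for the example; the injection string is the textbook `' OR '1'='1`. The firewall lets both the honest lookup and the injection through, because to a firewall they are the same thing: a web request on an allowed port.

```python
import sqlite3

# Constructed sample data for the example (not real customer records).
CUSTOMERS = [
    (1, "alice", "4111111111111111"),
    (2, "bob",   "5555555555554444"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def firewall_allows(dst_port: int, _payload: str) -> bool:
    """Hypothetical stateless packet filter (an assumption of this example).

    It decides on destination port only and never looks at _payload, so a
    benign username and an injection string arriving as HTTPS on 443 are
    indistinguishable to it and both pass.
    """
    return dst_port in (80, 443)


def lookup_vulnerable(conn, username: str):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username: str):
    """Run one request through the firewall and both lookups.

    Returns (firewall_allowed, rows_from_vulnerable_lookup, rows_from_safe_lookup).
    """
    conn = make_db()
    allowed = firewall_allows(443, username)
    vuln = lookup_vulnerable(conn, username) if allowed else []
    safe = lookup_safe(conn, username) if allowed else []
    return allowed, vuln, safe


if __name__ == "__main__":
    for u in ("alice", "x' OR '1'='1"):
        allowed, vuln, safe = demo(u)
        print(f"input={u!r} firewall_allowed={allowed}")
        print(f"  vulnerable lookup returned {len(vuln)} row(s): {vuln}")
        print(f"  parameterized lookup returned {len(safe)} row(s): {safe}")
```

With the input `alice` both lookups return one row. With the injection string the firewall still says "allowed", the concatenated query returns every card in the table, and the parameterized query returns nothing, because it searched for a user literally named `x' OR '1'='1`. The fix lives in the application code, not in the firewall, which is the point of item 3.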

I could have listed 7 things or 20 things or 100 things….  Business people need to be more aware of the issues so they can make good informed decisions around IT investment and risks involved with operations.  Security is not just an IT function, and we as business people need to understand that.
