“Online Business & Social Media – The Good, the Bad and the Ugly……..”

Social Media is becoming an increasingly popular tool in business and adding to a vast array of online services available. Whilst the benefits are evident, there are a number of things to consider in order to protect you and your business. In this short presentation learn how to avoid common security pitfalls and ensure that your organisation maintains a professional image when using social media and interacting with an online world.

As well as our presentation the Employers Forum will also have discussions on:

“Managing Marketing Priorities” presented by Jean Atkinson of Eden Marketing Ltd

Managing priorities is one of the main challenges facing SME business owners and marketing is usually up there vying for resources. Jean will be providing essential marketing advice to ensure that you start 2012 on the right footing. You’ll walk away with marketing tips on planning your marketing activity, an overview of which marketing tools to use and how to measure your return on investment.

If you would like to attend the event or would like to be kept informed of future events click here or contact:

Amin Vepari
Community & Business Partners CIC
Tel: 01254 505050
Fax: 01254 505051
Email: amin@cbpartners.org

Does compliance actually mean better security?

The simple answer is that in and of itself, no, compliance does not improve security.  Compliance and security are two different things.

In my opinion, compliance is primarily about reporting, arse covering and finger pointing.

Security on the other hand, is about truly protecting information and requires changes to your corporate attitude, systems and people.

Compliance is a box ticking exercise designed to show that an organisation has a pre-defined minimum level of security.  The key points here are “show” and “minimum”.

When we talk about compliance you don’t get extra points for having better than the minimum required level of security.  You don’t get to include other aspects of security, which may have been implemented by your organisation but which aren’t required under your compliance regime.

And where your organisation meets your compliance requirements, it doesn’t mean that the security in use has been implemented effectively.

Real security is achieved by marrying 5 key areas using a risk-based approach:

1. Corporate Culture

Adopt a “Culture of Security” within your organisation.  This really means a top-down approach, getting business owners and senior managers to not only understand why security is important, but have them adopt it as a philosophy which can then passed down through the various levels of the business.

Only where an organisation emphasises security from within its very culture will staff, employees, temps and contractors understand and accept their own part in securing corporate or personal data and take it seriously enough to care.

2. Policies and Procedures

If having a “Culture of Security” is vital to improving security within your business, then suitable guiding principles, policies, standards and guidelines (collectively known as Information Security Policies) is how that approach should be implemented.

Information security policies are often cumbersome, “legalistic” documents which are issued to staff perhaps once at the start of their employment.

However, this approach doesn’t work.  Most staff don’t read them thoroughly or merely flick through them.  And the overly legal language often used is unlikely to encourage readership, let alone understanding.

Information security policies should be written in a simple to understand manner and kept as brief as possible for the organisation in question.  Only this way will they ever actually be read, let alone understood and acted upon!

They should also be regularly reviewed and reissued to staff to ensure any amendments are understood and adopted.

3. Training and Awareness

Which brings us on to training and awareness.

Staff are usually the weakest link when it comes to security.  They are also your best defence if they understand their roles properly.

Staff implement technology.  They design and build systems, create processes and procedures and handle information on a daily basis.

With the proper training and an understanding of security they can do all of these tasks far more safely.

We educate people about Health and Safety, we train people on First Aid and Emergency Procedures, but how many organisations actually train their staff how to protect information, why it’s important, what to do following an incident and where to go for help?

This step alone can massively reduce an organisation’s information security risks and it is probably one of the cheapest and most cost effective solutions any business could implement – offering much better value for money than many technology based solutions.

4. The Right Technical Solutions

Which brings me on to technology.

Technology is amazing.  It can help us achieve so much in terms of security and there are new solutions to problems we never knew we had coming out all the time.

But knowing what to implement and doing so effectively is essential.

As we have already seen, technology is not the panacea many think it is when it comes to security.  Sure it can do an awful lot to protect things but the simple fact is that if it is the wrong solution for your business or it is implemented badly then it is not going to provide the protection you were looking for.

So getting the right advice, speaking to professionals and not being “sold to” is key to ensuring the solutions you employ are right for your business.

Then you need to make sure that the technical you’re using to protect your data is implemented properly.  It’s no use having loads of amazing systems if they all have the default usernames and passwords or have been installed on platforms which haven’t been properly security hardened.

All you’re doing then is moving the problem around.

5. Test Your Security

Let’s face it, you might have the best security in the world or you might have the worst – but unless you actually test it you will NEVER know.

Penetration testing is one way.  This is where professional “hackers” are paid to attempt to break in to your systems.  It is a great way of testing your infrastructure and defences.  However, it is only ever a point-in-time test and new vulnerabilities or changes to your systems and architecture can negate the results instantly.

Vulnerability assessments provide an on-going check of your infrastructure and can instantly highlight any issues or areas of concern.  They can also often be used to model changes to your network before you apply them, to see how it affects your overall security.

In addition to technical security testing, other approaches can be used to target the people and operational aspects of a business including social engineering, physical access and business continuity testing.  These tests are designed to test your training, staff awareness, access controls and your business’s ability to survive and recover from the unexpected.

Where possible some or all of these should be performed on a regular basis, and often as a surprise rather than as a scheduled activity, to give the test a genuine feel and provide more realistic results.

Conclusion

So do you want security or compliance?

Compliance is probably cheaper and easier to obtain, although this may depend a large part on the regime you’re complying with.

Real security on the other hand is probably more expensive and involves more work.  But ultimately it is also giving you and your clients something more.  It’s providing a genuine level of protection for sensitive information and truly helping to safeguard data.

But the truth of the matter is that corporate and international espionage is rife, with foreign nations, corporations and organised crime syndicates looking to infiltrate the corporate networks and access data, systems and information of the UK’s leading companies.

The reason for that is quite simple; they want access to corporate secrets, designs and business plans.  They want to compromise the security of our companies for their own profit, to gain competitive or financial advantage.

The problem encountered by these attackers is that most large organisations implement measures to prevent such attacks.  They spend lots of money on technical infrastructure designed to counter attempts to access internal systems, they implement information security policies and processes which reduce the risks associated with a security breach, and sometimes they even implement programmes to educate their staff on how to protect sensitive information.

They have the financial ability, the know-how and the skills to do this.

But that isn’t true for many of their supply chain companies.

Supply chain businesses – those that provide design, manufacturing and other services to larger corporations – are coming under increasing attack.  That’s because they don’t have the resources and understanding that their larger clients have, and the attackers know this.

The fact is that many supply chain businesses still deal with the same sensitive information on behalf of their larger clients.  This in itself makes them an inviting target but also, because of their reduced levels of security, awareness and capability, it also means they are an easier target to penetrate.

So what should such businesses do to improve security?

There are a number of steps any sensible business can take to improve security:

1. Engender a “Culture of Security” – take a top-down view with full management buy-in, showing your commitment to security and encouraging it at every level of the business;

2. Implement Policies – security policies formalise your approach to security, making your requirements clear to all staff;

3. Employ appropriate technologies – make sure you make use of the appropriate technologies for your organisation.  This doesn’t have to be expensive but it can drastically reduce your risks;

4. Educate your staff – employees are your first and last line of defence, as well as often the weakest link.  Educate them to protect your business interests and safeguard their own information;

5. Test your security – without testing you have no idea if your controls are working.  In the context of the current topic you should at least test your internet facing infrastructure, but it is also worth implementing a programme of spot-checks to ensure your staff are maintaining security and understand their roles and responsibilities.

Analysis undertaken on behalf of the Information Commissioner’s Office in 2010 revealed that when it comes to information security, SME’s are the “soft underbelly” of the UK economy and critical national infrastructure.

We have had some thought-provoking discussions with clients and seen both sides of the information security picture.

On the one hand we have seen both major corporate clients and smaller SME businesses who seem to pay little heed to their information security responsibilities or at best offer lip-service to the requirements.

On the other hand we have seen businesses and at least one major corporate client who take their responsibilities very seriously indeed, to the extent that their very processes are derived around a set of well-documented security requirements.

The difference is very much one of attitude.

The businesses that pay lip-service or less to their information security responsibilities see them as a burden, a cost and interference to their way of doing business.

This is a top down cultural issue which can only be remedied at the highest levels within the management structure of the organisation.

It isn’t something that can be fixed by employing more security specialists, by ICO adjudications or by the odd edict from above.

Security has to be built into the organisation and backed up with meaningful management buy-in and relevant decisions, policies and processes.

I have mentioned before in an article for the FT.com how engendering a “Culture of Security” is critical to real, genuine levels of information security and this is still the case – borne out by this one week of customer interaction.

We have also recently had discussions with the named individuals identified by the ICO following data security breaches.  They really haven’t enjoyed the experience of being publicly named and held to account – it doesn’t look good on their CV.  And these are people at the top of the organisational hierarchy not the individuals responsible directly for the security breach.

So apart from being essential for good information security practices, senior management have a vested interest, from both a corporate and personal perspective, for developing and encouraging security within their organisation which has real muscle and isn’t just a box-ticking exercise.

Senior management need to change their attitude to match those of their more responsible counterparts and bring in a philosophy whereby information security is seen as a plus – a real, tangible business advantage that reduces business risk, provides real benefits to their customers, and enhances their organisation’s reputation.  After all, poor security practices have exactly the opposite effect and both approaches cost money.

But education is an important aspect in all areas of life and shouldn’t stop when we leave school, college or university.

Many businesses and other organisations spend huge amount of time and money educating their employees on various aspects of their business operations – technical training for their specific roles, training on health and safety procedures, on company processes and even sometimes on company policies or legal and regulatory responsibilities.

But how many educate their employees, staff and managers on good information security practices?  On understanding what information security actually means, why it is so important to the employees and the organisation, on who the threats are and then how to mitigate the risks?

Information security starts and ends with people. They define the processes and procedures, they are involved in protecting information, they are the most effective safeguard you have and they are the responders when an incident occurs.

But they are also the weakest link in the security chain which is why it is essential to invest in their education.

Properly trained staff, who understand information security issues as well as their own roles and responsibilities are the best defence against your organisation suffering a security breach.

They are capable of assessing situations, reacting to incidents, improving processes and handling problems far more effectively than any electronic device or computer software.

And yet most organisations are willing to spend far more on technical security measures and IT systems than on training and awareness solutions even though such solutions are likely to prove a better investment and may indeed save the business far more in the long run.

Hard Work

After much in the way of blood, sweat and tears (not all literally I hasten to add) we have now launched our new Information & IT Security Solutions on our shiny new website!

Our new range of products, services and solutions are designed around our core philosophies:

1. People implement good security but are also the primary cause of security failures;
2. Simple, effective solutions are usually the best;
3. Good security doesn’t have to cost a fortune;
4. And, good security is about the coordinated use of technology, education and business processes.

The central hub or our new offerings is our Online Security Training system which provides information security awareness and technical IT security training to individuals, companies and other organisations anywhere in the world.

The online security training system also offers the ability to rebrand the service as your own, for internal training purposes, enhanced image or even additional revenue streams.

On top of this we are now offering a “pick ‘n’ mix” selection of security services designed with cost-effective simplicity in mind, but which also address key security issues within most organisations:

For Web :

Website Security Auditing Service – to test you online presence is secure;
Internet Filtering Service – to protect your network and staff from online threats.

For Email:

Email Filtering Service – to safeguard your systems and employees from phishing, spam and viruses;
Secure Email Delivery – to encrypt sensitive email content, even where no prior relationship exists.

For Data:

Secure Online Data Backup – to protect your business critical files and data should the worst happen;
Hard Disk Encryption Service – to prevent unauthorised access to data following loss or theft of equipment.

For Networks:

Automated Vulnerability Detection – to verify and test the security of your systems and infrastructure;
Token-Less 2-Factor Authentication – to allow secure access to systems and data using enhanced security, without the need for hardware tokens;
Self-Service Password Reset – to permit users to reset their own passwords securely while reducing overheads on IT and Helpdesk staff;
DMZ in a Box – to enhance your network security without breaking the bank.

For Staff:

Online Security Training – to educate your workforce in how, why and what to protect;
Security Awareness Posters – to remind your staff of their information security responsibilities;
Security Awareness Leaflets – to reinforce your message and ensure even 3rd party staff understand your commitment to security.

For Business:

Information Security Policy Pack – to formalise your approach to information security;
Business Continuity Planning – to make sure you plan for the worst whilst hoping for the best;
Business & IT Risk Assessment – to help you understand the risks to your business and infrastructure;
Information Security Assessment – to make sure you focus your efforts to maximum effect.

Pricing

We believe that our range of services is amongst the most comprehensive on the market while also being flexible and competitively priced so as to be suitable for any size of organisation.

For more information on any of our services visit our main website or call 0845 071 4690.

Thanks

Finally I would like to thank our vendors and partners who have helped us over the last few months, and without whom we wouldn’t be where we are now:

• Ian and Paul from BlueHoop who helped design and build the website;
• Shaun and Ian from CiRRUS who provided much needed advice and support on the CronLab and iWebgate technologies;
• Andrew, Tim and Charlie at iWebgate for being great sports and making sure we got the system up and running despite our best efforts;
• Chris, John and Tracy at 24/7 Uptime for turning around our hosting request for the online training platform in record time;
• Daniel at CronLab for patience and not giving up on me despite my poor record at returning his calls;
• Zvi and Avi at Beyond Security for helping us get the WSSA/AVDS up and running;
• Lee, Jonathan and Bruce at Risc-Group for their support, assistance and ability to answer what must have seemed like pointless questions;
• Lee and the team at SecurEnvoy for being great sports and ensuring our clients get the most amazing 2-FA solution on the market;

And don’t forget the team here at Secure Thinking, particularly Mark and Ken – without their support we would be nowhere!

Our solutions have been carefully selected from industry leading vendors and include a wide range of complementary products and services which can be implemented and used individually or in parallel to vastly improve your organisation’s information security.

At the core of our offerings is our new Online Security Training system which provides information security awareness and technical IT security training to individuals, companies and other organisations anywhere in the world.

The online security training system also offers the ability to rebrand the service as your own, for internal training purposes, enhanced image or even additional revenue streams.

On top of this we are now also offering security solutions for web, email, data, networks, staff and business as a whole.

For more information visit www.SecureThinking.co.uk or call 0845 071 4690 to speak to a member of the Secure Thinking team!

So there you have it – the criteria we use and therefore recommend you use for choosing an online backup or cloud data storage/sync solution for your business.

I understand their dilemma – if they have their solutions security tested it will add to their costs and increase the price of their product. Or it may affect client beliefs that the products they deliver are already secure.

Then there is the hosting company who provide the hardware and infrastructure which allows websites to be accessed – some of the security issues may lie there, so why would the site developer worry about security?

Indeed, I had a conversation recently with a website development company who didn’t want their product security tested because to do so may imply that they aren’t building things properly in the first place. They went on to point out that if the client discovers a security issue in the application later, they can charge them again for fixing it!

The other problem is one of accountability. In the recent attacks against Sony, Sega and others it is the company or organisation attacked that gets the bad press and the flak, not the company they got in to develop the website or application.

This means the website developers get off scot-free with the probably loss of just that piece of work or client.
So how do we change this? What should companies and organisations do to ensure the work done for them is of a high enough standard?

Well here are a number of suggestions:

1. Ask them about the security measures they build in to your solution. If they’re vague or evasive find another supplier. Have whatever response you get evaluated by an expert.

2. Ask them up-front if they have the site independently security tested or whether they are happy for you to do so once the solution is complete but before you pay for it.

3. Ask them to guarantee the site’s security, or at least provide fixes for free should security vulnerabilities be identified later. Make sure this is in the contract.

4. If they do security test the solution find out if it is truly independent and whether the site will receive any accreditation in the form a security seal or other certificate.

At the end of the day, if you employ a website developer to create your website it’s still your data, reputation and profit that’s at risk if your security isn’t up to scratch. Is that a risk you’re willing to take?

For more information on website security in general and website security auditing contact Secure Thinking on 0845 071 4690 or visit www.securethinking.co.uk