Finding The Hidden InfoSec Story

Desert Island Security Controls

Photo Credit: TheRealPhoto via Compfight cc
Photo Credit: TheRealPhoto via Compfight cc

It is a long-standing British principle that when you are washed up on a desert island, you can only take 8 whatevers with you. I am indebted to Barclaycard’s Neira Jones for drawing my attention to a Forbes article which cites 5 ‘must have’ security activities for SMEs. Well we’re British and if 8 in a boat-race team is a good number then 8 is good team of controls to work together to secure a business. It’s also within the Miller limit so it’s psychologically sound too.

1.  Strong passwords, regularly changed but with personal ways to remember them. And with someone who knows the top level to get to the data when an employee leaves or is sick…not by password sharing!

2.  Use an up-to-date handful of security software such as firewalls and antivirus. Yes it’s technical. Ask the kids if you’re stuck. Make sure that it gets updated automatically – you will forget. (I’m including updates for your operating system – Windows, Linux, Android, MacOS et al. – in this updating.)

3.  Educate all your staff, colleagues, partners, and co-workers in the risk associated with the ever increasing computing power you have on your desktop/laptop/tablet/’phone/Xbox/toy-of-the season. With great power comes great responsibility. A demotic approach to governance that means you don’t have to look over everyone’s shoulders all of the time. Remind them of the value of the data – include the spoken word – and Gerry’s second principle: ‘you can’t undisclose a disclosure’. That goes for all the bravado and Narcissism of social networking too!

4.  Segregate your activities onto different machines where you can afford to. The higher the risk in the activity, the more attention to possible breaches of security you need to plan for. ‘Bring your own device’ is all well and good but do you really want your book-keeper doing the banking on the tablet shared with the kids. Which brings me to…

5.  Don’t lend kit to the family. Remember Gerry’s first principle: ‘trust is not a control’. Get over the Scrooge moniker. Perhaps remind them that they’d probably like to eat tomorrow.

6.  Back up as frequently as you can stand versus the amount of rework you can stand or afford to do. And remember Gorner’s Law: ‘data does not exist until it is in three places’. Make one of them off-site and well away from the working version of the data. See rule 8 below.

7.  It should be rule number 1 but if it was you’d never get to the other rules…know what software and data you need to run your business. Create an inventory. What will you need when your desktop/laptop/tablet/’phone/Xbox/toy-of-the season is stolen, lost, or doesn’t switch on in the morning.

8.  Information technology means getting technical. Learn what encryption means and do it. And do it to the backups too. Which takes me back to rule number 1 which includes remembering passwords…


Author: Daniel Dresner

Share This Post On