Organization

It is quite common for SMBs to lack organization with respect to their information systems, particularly if they have experienced steady and/or rapid growth over some period of time. In the early days, organization seems superfluous. At some point, it becomes clear that organization is needed, but the job isn't assigned to anyone. Often, there simply isn't anyone with the time, energy or expertise to take on the job. Occasionally, a willing volunteer takes on the task, but when that person leaves, the baton is not passed. All too often, the impact of organizational problems becomes clear only in a moment of crisis. Typically, a lack of organization means there is no infosec program, no one person or group in charge of information systems, no documentation on system configurations and accounts, etc. The organization isn't following basic security practices because policies aren't clear and actions aren't repeatable. In turn, a lack of organization generally affects another basic that is often overlooked: documentation.
Documentation

I always tell my clients: "You can't secure it if you don't know it's there." This is why an inventory of hardware and an inventory of software are the first two of the Center for Internet Security's 20 Controls. Yet few SMBs take even these first two steps to securing their information systems. Without good documentation, it is difficult (if not impossible) to secure information systems. Good documentation for information security includes:
- Asset lists
- Network diagrams
- Device configuration information
- Maintenance/support agreements
- Account/access lists
- Organizational chart with roles & responsibilities identified
- Network security & acceptable use policies
- Incident response plan
- Disaster recovery plan
- Business continuity plan
Control

With inadequate organization and a lack of good documentation, you don't actually have control over your information systems. Without control, you cannot assure even a basic level of security. In addition to organization and documentation, achieving control requires two more things: policies and training.
In the absence of written policies and an employee training program on acceptable computer use, you have no control over how employees are using your company assets. Legal liability and labor law issues can become even more complex in the absence of written policies and a training program.

When employers don't have good written policies and employees don't receive effective training (why these policies are important and how to develop good security habits), the result is often violations of standard security best practices, such as:
- Out-of-date software with known vulnerabilities
- Potentially compromised software
- Personal accounts in use on company computers
- Personal assistants, location services and analytics/tracking that are active on many devices
- Shadow IT/clandestine purchases attached to the network
- Cloud document storage outside company control
Security products are, of course, an important part of your information security plan, but they should not represent the entirety of your plan.
You Can't Replace the Basics

Too many SMBs think that purchasing "This One Product" or "This One Managed Service" will provide all the security their network requires. If this were true, large corporations with huge infosec budgets would never have data breaches. Ask yourself this: "If it seems too good to be true..." Good infosec requires going back to the basics! Regardless of the size of your business, your information security program should be founded on effective organization through documentation and control, including well-written policies and effective employee training.