Information security — don’t let the apparent complexity intimidate you

Dec 24, 2015 | 6 mins
Network Security, Security

I launched a new security-related service a few weeks ago. I spent many hours working on the website, including the service description, and what I thought was a good explanation about why people needed it. I then sent the Web link to my trusted inner circle. To my surprise, the nearly universal response from those I sent it to, including some very bright folks, was that they did not understand what it was. This was a humbling experience, and cause for reflection.

Those of us who spend most of our time immersed in the intricacies of information security are quite comfortable with the free use of terms like threat intelligence, defense-in-depth and forensics, much the same as two doctors would use specialized language when talking to each other (can you say heminephrectomy?).

With studies continuing to show poor adoption of basic information security practices by the small and medium business world, it occurs to me that those of us who call ourselves information security advisors may be doing these organizations a disservice, by making security sound so complex that they don’t even bother trying to achieve the basics. That is sad, given that basic practices are neither hard to understand, nor hard to implement.

For larger organizations, the effect may be just the opposite. These organizations, with more money than time, make large investments in expensive products with fancy names, assume those products have them covered, ignore the fundamentals, and suffer the almost inevitable breach.

Thus, here I’ll demystify some of the basic information security elements for the smaller organization, and remind the bigger ones of the aspects they cannot ignore, despite their large investment in tools.

The perimeter

Think of your security perimeter like you would the fence around your yard, the idea being to keep the bad guys out. Almost since the inception of modern information security, the firewall has been the fence of the security perimeter. The perimeter and the firewall have been a topic of much debate in the last couple of years, with many industry experts claiming that the perimeter no longer matters. With smartphones, VPN connections, etc., opening holes in what used to have a single point of entry, some feel it is a wasted effort.

In my opinion, and after much experience in the trenches of business information security, you need a good firewall, period. You need a strong product, and it needs to be configured properly (and not just taken out of the box and plugged in). True, a firewall is not perfect, and not as good protection as it was at one time, but it remains your first line of defense.
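What "configured properly" means in practice is easiest to see by putting a factory-default style ruleset next to a hardened one and checking both for the same weaknesses. The script below is an added example written for this page, not code from the article or from any firewall vendor: the rule model, the two rulesets, the list of administrative ports and the documentation-range addresses (203.0.113.10, 198.51.100.0/24) are all constructed for illustration.

```python
"""Added example: audit a firewall rule list for factory-default weaknesses.

Everything here is constructed for illustration: the Rule/Ruleset model
and both rulesets are made up, not taken from any vendor's product.
"""
from dataclasses import dataclass, field
from typing import List

ANY = "0.0.0.0/0"        # matches every IPv4 address
FIREWALL = "firewall"    # destination marker: traffic aimed at the device itself

# Services used to administer the firewall; these should never be open to the
# whole Internet, only to a named management network.
ADMIN_PORTS = {"22": "ssh", "23": "telnet", "443": "https-admin", "8443": "https-admin"}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    zone: str     # interface the packet arrives on: "wan" (Internet) or "lan"
    src: str      # source CIDR, or ANY
    dst: str      # destination CIDR, FIREWALL, or ANY
    port: str     # destination TCP port as a string, or "any"


@dataclass
class Ruleset:
    default_action: str                       # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)


def audit(rs: Ruleset) -> List[str]:
    """Return human-readable findings; an empty list means no weakness found."""
    findings = []
    if rs.default_action != "deny":
        findings.append(f"default policy is '{rs.default_action}': unmatched traffic is passed")
    for i, r in enumerate(rs.rules):
        if r.action != "allow" or r.zone != "wan":
            continue   # only inbound-from-Internet allows are examined here
        if r.src == ANY and r.dst == ANY and r.port == "any":
            findings.append(f"rule {i}: any-to-any allow from the Internet")
        if r.dst == FIREWALL and r.src == ANY and r.port in ADMIN_PORTS:
            findings.append(
                f"rule {i}: {ADMIN_PORTS[r.port]} on the firewall itself is reachable "
                "from any Internet address"
            )
    return findings


# Constructed "out of the box" configuration: permissive default plus the
# vendor's convenience rules left in place.
FACTORY_DEFAULT = Ruleset(
    default_action="allow",
    rules=[
        Rule("allow", "wan", ANY, ANY, "any"),
        Rule("allow", "wan", ANY, FIREWALL, "443"),
    ],
)

# Constructed hardened configuration: deny by default, expose only the public
# web server, and reach the admin interface only from the admin subnet.
HARDENED = Ruleset(
    default_action="deny",
    rules=[
        Rule("allow", "wan", ANY, "203.0.113.10/32", "443"),      # public web server
        Rule("allow", "wan", "198.51.100.0/24", FIREWALL, "22"),  # admin network only
        Rule("deny", "wan", ANY, FIREWALL, "any"),                # explicit catch-all for the device
    ],
)

if __name__ == "__main__":
    for name, rs in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        found = audit(rs)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run as a script it reports three findings for the factory-default ruleset (permissive default policy, an any-to-any allow, and the administrative interface exposed to the whole Internet) and none for the hardened one. The three checks are the ones a first review of any small-business firewall should cover; they are not a substitute for reviewing the full policy.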

Insiders and identity management

Now that you have a basic perimeter defense, it is time to turn your attention to those folks intentionally inside your firewall — your employees and contractors. They can do more damage than anyone from the outside. In fact, in a recent interview with SC Magazine, Rashmi Knowles, RSA’s chief security architect, said that “people are the new perimeter.” While I stand by my earlier comments about the perimeter and firewalls, there is no question about the importance of your own people in keeping the bad guys out, or as is more often the case, unwittingly letting the bad guys in.

You should start by making sure you don’t hire the bad guys in the first place. Background checks on employees, particularly those in IT and other critical areas, are key to this. A bad actor on the inside could quickly wreak havoc on your operation.

Since so many security breaches related to insiders result from their errors, your starting point with your team is awareness training. They need to understand what they must do to keep the organization safe, and what they must not do that would jeopardize it. In their most recent “Information Security Breach Survey” in the UK, PwC reported that when asked about their single worst breach, half of respondents indicated that they were caused by insider errors. There are many resources available on the Internet to help with this training, from video-based products, to free outlines. Train your employees, and keep training them.

Finally, in order to make sure your employees do not accidentally or intentionally cause you security issues, you need to control what they are able to see and do. Even if you trust them, make sure their privileges are only those required for them to do their jobs. Excessive privilege can lead to catastrophic errors, or support criminal acts.

Know and manage your risks

When I go to Home Depot without a list, I often end up forgetting some of the things I need, resulting in additional unplanned visits. This is somewhat analogous to your information assets — you cannot protect your assets unless you know what they are, and the value of each.

The risk assessment is quickly becoming the basic currency of regulatory compliance. Every major body of regulations requires a formal risk assessment. Even if you are not regulated, you probably are or will be providing services to a company that is, and given third-party requirements, you will need to face this sooner or later.

A risk assessment simply involves listing your assets, valuing them, and enumerating the risks to them. Focus on the most valuable, and work down the list from there, building a protection strategy. Your risk assessment process does not need to be extremely formal, but some structure is important. In my recent article, “The dreaded risk assessment,” I offered a simplified framework for conducting a risk assessment that will stand up to scrutiny.
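The three steps above (list the assets, value them, enumerate the risks, then work from the most valuable down) fit in a very small register. The script below is an added example for this page, not the framework from the author's "The dreaded risk assessment" article: the 1-to-5 ordinal scales, the value × likelihood × impact score, and the sample inventory for a small business are all constructed here for illustration. It also flags assets that were inventoried but never assessed, the "forgotten list item" problem the paragraph before describes.

```python
"""Added example: a minimal risk register that ranks what to protect first.

Constructed for illustration; the 1-5 ordinal scales and the
value x likelihood x impact score are a simple scheme chosen here, not the
framework from the author's "The dreaded risk assessment" article.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: int   # business value, 1 (negligible) .. 5 (the business cannot run without it)


@dataclass(frozen=True)
class Risk:
    asset: str       # name of the asset the risk applies to
    threat: str      # what could go wrong
    likelihood: int  # 1 (rare) .. 5 (expected this year)
    impact: int      # 1 (nuisance) .. 5 (asset lost entirely)


def _check_scale(label: str, n: int) -> None:
    if not 1 <= n <= 5:
        raise ValueError(f"{label} must be 1..5, got {n}")


def score(asset: Asset, risk: Risk) -> int:
    """Exposure score; higher means address it sooner."""
    _check_scale("value", asset.value)
    _check_scale("likelihood", risk.likelihood)
    _check_scale("impact", risk.impact)
    return asset.value * risk.likelihood * risk.impact


def prioritize(assets: List[Asset], risks: List[Risk]) -> List[Tuple[int, Risk]]:
    """Return (score, risk) pairs, highest exposure first.

    A risk naming an asset that is not on the inventory is rejected: if it was
    never listed, it was never valued, and the score would be meaningless.
    """
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    ranked = []
    for r in risks:
        if r.asset not in by_name:
            raise KeyError(f"risk '{r.threat}' refers to unknown asset '{r.asset}'")
        ranked.append((score(by_name[r.asset], r), r))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def unassessed(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Assets on the inventory with no risk enumerated yet."""
    covered = {r.asset for r in risks}
    return [a.name for a in assets if a.name not in covered]


# Constructed sample inventory and risk list for a small business.
ASSETS = [
    Asset("customer database", 5),
    Asset("laptop fleet", 4),
    Asset("public website", 3),
    Asset("office printer", 1),
]

RISKS = [
    Risk("customer database", "ransomware encrypts the database server", 3, 5),
    Risk("customer database", "insider exports records", 2, 4),
    Risk("laptop fleet", "unencrypted laptop lost or stolen", 4, 3),
    Risk("public website", "defacement via outdated CMS", 3, 2),
]

if __name__ == "__main__":
    for s, r in prioritize(ASSETS, RISKS):
        print(f"{s:3d}  {r.asset:<18} {r.threat}")
    print("not yet assessed:", ", ".join(unassessed(ASSETS, RISKS)))
```

With the sample data the ransomware risk to the customer database ranks first (75), the lost-laptop risk second (48), and the printer shows up as inventoried but not yet assessed. The point of the structure is not the arithmetic but the discipline it enforces: every risk must name a valued asset, and every asset either has its risks enumerated or is visibly outstanding.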

The bottom line — the above is not an exhaustive list of things you need to pay attention to in order to keep your network and data safe, but if you properly address all three areas, your chance of making the news tomorrow as another security breach statistic is greatly reduced. So, don’t be intimidated by the terminology and complexity. Rather, dive in fearlessly, and take responsibility for protecting your assets.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.