The struggle to build a business often requires companies to make sacrifices. Do you stick with Windows NT 4 or should you upgrade to Windows XP? Do you have an in-house desktop support team or do you outsource?

With small to medium enterprises (SMEs), one of those sacrifices tends to be proper security and disaster preparation, a potentially disastrous omission, said Todd Tucker, Director of Security Architecture and Strategy at PentaSafe Security Technologies.

For consultants, SMEs in need of disaster and recovery plans and security policies can be a gold mine.

According to Tucker, small organizations are generally endangering themselves because of:

  1. A relaxed culture and a lack of formal security policies.
  2. A small IT staff with no security training.
  3. Scarce investments in security technologies.
  4. A lack of either business continuity or disaster plans.

Tucker suggested four ways consultants could help SMEs reduce the risk of lost time, money, or trade secrets due to lapses in security and planning:

  1. Assign security tasks.
  2. Invest in more than bare-bones security technologies.
  3. Prepare for disaster.
  4. Implement a formal security policy and test it.

This article addresses Tucker’s advice on how consultants can help SMEs prepare for disaster and implement a formal security policy.

Second of two parts

This two-part series discusses the special security challenges of small to medium-size enterprises (SMEs). To get the rest of Tucker’s advice, read last week’s installment, “Consultants can offer remedies to lax SME security.”

Prepare for disaster
Whether you can offer full-scale disaster and business continuity planning or technical documentation, many opportunities exist for consultants to prepare SMEs for unexpected events.

“Disasters have caused many businesses to fail,” Tucker said. “SMEs are often more susceptible to failure because they are less able to spread the risk—or impact—from a disaster.”

He suggests that SMEs begin by performing a business impact assessment, or an analysis of the business cost of a disaster. It should be done on a technology-by-technology basis and include not only computers and telecommunications equipment, but also nontechnology aspects, such as critical documents and workspaces, Tucker said.

“Management should determine what would be the impact in terms of lost revenues, increased expenses, damage to reputation, violation of contracts or laws, [or anything] that would result from a disaster,” he said.

Tucker cites a large company that lost a data center in the World Trade Center attacks on Sept. 11 but was up and running the next day.

“The reason they could do that is they had many data centers,” he said. “They were able to recover quickly, whereas a small company could lose just a computer room to a flood, electrical outage, or many things.”

Once the business has assessed the damage that a catastrophic event could cause, it should plan accordingly.

“Generally, the greater the cost of downtime, the greater the need for immediate recovery mechanisms,” he said.

For immediate disaster recovery, SMEs might consider a hot site, or a mirrored configuration of the critical applications necessary for business continuity. With technology for which the cost of downtime would be minimal, the business could choose an alternate site that might take more time to get up and running. Other options might be site relocation, reconstruction of facilities, or business interruption insurance, he said.

“The key is not to spend too much: Match your recovery procedures (and their cost) with the potential cost of downtime,” Tucker advised.

To help determine the proper dollar figure, Tucker said he plots the cost of recovery against the cost of downtime—the quicker the recovery, the higher the cost of recovery; the shorter the downtime, the lower the cost of downtime.

“In this manner, it’s easy to see how much you should spend,” he said.

As with security policies, it’s important that disaster recovery and business continuity plans be kept up to date, and all personnel need to be familiar with them, so Tucker recommends implementing a process or mechanism for updating plans and maintaining awareness. To stay current, Tucker suggests the Disaster Recovery Journal, a publication dedicated to the field of disaster recovery and business continuity.

SMEs also have to be prepared for a tragedy like the loss of an employee. With a small infrastructure, smaller companies are less “risk diversified.”

“Many small businesses have all their eggs in a small basket,” he said. “Maybe that ‘basket’ is a single employee that happens to know everything there is to know about some facet of their operation.”

As a result, many companies have large amounts of information that’s neither documented nor cross-trained.

“That information is stuck in somebody’s head. If they lose that person to another company or an accident they lose all that knowledge that they were dependent on,” he said.

Implement and test a formal security policy
Some attacks on information begin with the people inside an organization. Tucker said the crimes of the infamous hacker Kevin Mitnick serve as a good example of these “social engineering” assaults. While Mitnick was renowned for his ability to hack into systems, he would readily admit that he rarely had to rely on a technical attack at first because he was always able to get information out of people.

“One of the stories is that he actually got into the FBI network by calling and posing as somebody internal to the FBI and getting an unlisted modem number,” Tucker said. “Using that number, he dialed back in.”

Tucker called the incident a “classic example” violating standard operation security principles. Everyone within an organization, from the CEO to the operator, should know what information is potentially sensitive and authenticate that the person they’re speaking with has the right to that information.

To protect companies from this sort of assault, consultants should help companies build a human firewall by developing and implementing a formal security policy.

While many sources for security policies and templates are available, Tucker recommends the combination book and CD-ROM, Information Security Policies Made Easy by Charles Cresson Wood. This policy construction kit provides a comprehensive collection of policies and advice on how to get management support, write policies, and mock up initial policy statements. The sample policies cover the Internet, firewalls, electronic commerce, passwords, access control, viruses, user privileges, and intellectual property rights. Tucker cautions that while the kit offers a great starting point, the real work lies in getting approval and support from your clients.

“The challenge is in taking those policies and getting them through certain levels of approval, making sure that everybody is comfortable with them and that they are truly implementable,” he said.

Develop security policies based on employee roles
The policy should be filtered to employees based on their duties or roles within the organization, “so an accounting clerk is not reading technical security policies for Windows platforms; they’re only reading what they need to know.” Tucker said.

He recommends the policy be rolled out in an electronic format to save money and time, and so that you can deliver timely information to all employees regardless of their location. Additionally, you can then use the same electronic delivery method to quiz employees.

“Focus first on the basic security principles, like what is a good password vs. a weak password, or to whom should you disclose your password,” Tucker said. “If you focus on the basics and test those, you’ll quickly identify where you need to focus your efforts.”

PentaSafe offers a free Information Security Awareness Index survey that provides security officers with a benchmark on how well their companies are using industry “best practices,” and allows them to test their employees’ actual security knowledge and awareness level by e-mailing an individual survey to any number of employees. The responses are compiled to produce a Security Awareness Index score that can be compared to others in the same industry.

Testing your security policy

How do you test a security policy you’ve helped a client implement? Do you do dry runs with mock disasters? Hire a hacker to try and compromise the network? Call employees trying to obtain sensitive information? Send us e-mail about your process or start a discussion below.