Risk Management: Fail to plan and plan to fail

The thing about these “12 Secrets” is that they are all indispensable. Sure, leaving any one of them out will not bring on Armageddon, but it is not a good idea, and if you leave out more than one, something bad is sure to happen. Having a written Corporate Security Policy and training employees is as important as antivirus software.

 

The 12 Secrets of SMB Security

 

Secret #11: Establish and Follow a Security Financial Risk Management Plan; Maintain Adequate Insurance Coverage

 

Cost: Moderate – a risk management methodology is free

Technology skill level: Low to Moderate

Participants: Representatives of all levels of the organization and technical support.

 

In order to be effective, security must be available throughout the organization. Having tight security controls but practically nonexistent organizational security policies makes no sense and undermines the very nature of the security tools. The best way to ensure that you have good cyber security measures is to have people from various levels develop a plan, keeping the technological needs of the business in mind. While planning, the following areas must be considered:

 

1. Security awareness and training for all technology users

2. Organizational security policies and regulations

3. Collaborative security management (partners, third-parties and contractors)

4. Contingency planning and disaster recovery

5. Physical security

6. Network and data security

 

In the rush of daily activities it is easy to overlook the need for such things as employee security training, contingency planning, and disaster recovery. You may not even be aware of the level of dependency your organization has developed on technology and the potential impact that a failure of one or more components will cause. By developing a security risk management plan, these dependencies will be highlighted and steps to lessen their disastrous effects can be identified. This will help to reduce the potential impact of technology compromise or failure.

 

Assume that you do not have a security risk management plan. Without a plan, you will have to react to technology compromise or failure as and when it happens. Your options for response will be limited by what you can find when the problem occurs. Also, you will not be in a good position to negotiate the cost of technical assistance or the level of expertise provided. The problem, and the loss arising from it, may last longer than necessary as you attempt to figure out what to do before acting to correct it.

 

To save yourself from such a situation, review your disaster recovery and contingency plans. Identify the impact to your business should you experience an extended power failure, flood, or major storm.

 

Additional Steps

Apply a security risk management methodology designed for small businesses, such as OCTAVE®-S, to identify important technology assets and the threats to these assets, and to develop a security plan for your organization. As part of the methodology, you will compare your existing security practices with established best practices to identify areas where your organization is vulnerable, and seek mechanisms and solutions for addressing the gaps in your existing security practices.

Get technical assistance to perform a vulnerability assessment on your technology environment to assist you in identifying vulnerabilities that pose a major risk to your important technology assets and identify mechanisms for reducing their possible impact.

 

Here is an example of how security measures could have saved this manufacturer from ruin.

 

On-Line Retailer Misunderstands Insurance Coverage, Gets Wiped Out by Attack

Thanks to a series of computer attacks, an on-line retailer once valued at over $1 million is ruined. The worst damage was done when the attacker spammed his clients contending the firm was a front for pedophiles (his wife operated a day care center). Direct losses, denial of service, replacing data, customer attrition and PR costs crippled him. Since this was an inside job, no reasonable technical measures would have protected him, but appropriate risk management including insurance might have. Unfortunately, the president of the company had not understood that his cyber-risk exposures were not covered by his standard property and casualty policy. Standard insurance policies do not cover cyber-risks.* “My business is gone. My wife’s business is gone, now I just hope we can hang on to our house,” said the disheartened former owner.

Cyber insurance, which is now available, might have saved this company. Of course, taking out a separate cyber policy would have added to his operating expenses, but it might have allowed his company to survive the financial consequences of the cyber attack. Some organizations have arrangements in place under which substantial credits on the cyber-insurance premium can be provided to their members who comply with best practices such as those outlined in this guide.

 

Thanks so much for taking the time to read Part 13 of 15 in “The 12 Secrets of SMB Security” series. Please feel free to contact CopiaTECH with any questions about anything you read or about your small or medium-sized business and cyber security.

 

Please continue on to Part 14 in the series, “How Geeks are like Boats & Planes”.
