Chapter 2
IN THIS CHAPTER
Forging a realistic plan
Making an investment in security
Tapping into the experts
Each year, businesses suffer millions of dollars in loss due to unexpected events ranging from security breaches to natural disasters. The first step in protecting your business from a costly computer invasion or minimizing the impact from a catastrophe is developing a plan. Your plan doesn’t have to be complicated or expensive. However, you do need to give your business continuity plan (how you respond after disaster strikes) and security strategy (how you prevent issues from occurring) more than a passing thought. In fact, put your plan on paper so that you and your employees have a written plan of action.
As an online business, it makes sense to invest time into protecting you and your customers from hackers and cybercrooks with topnotch online security. Equally important, even if you don’t have a bricks-and-mortar location, is preparing for events that can compromise your network infrastructure, disrupt product deliveries, destroy inventory, and more. Trust us, there is a lot that can go wrong (think blizzards, earthquakes, and fire). The fun of doomsday daydreaming doesn’t stop here, though. After all, what good is a plan if you don’t implement it? You also have to invest in a decent online security system (or two) and maybe even bring in a few professionals to ensure that you’re properly prepared. If these upfront considerations are ones you’ve thought about — but haven’t gotten around to accomplishing — this chapter has your name on it.
Coming up with a plan is easier than you might think. It really comes down to making a few lists and checking them twice. Where do you start? Whether you rework an old plan or build one from scratch, the six major components to an effective business continuity and security plan are
In the following sections, we guide you through the details to include in each of these components for your plan.
If you’re part of a larger online business, you might already have a book of policies and procedures carefully spelled out, tightly bound, and neatly filed away in every employee’s desk. The reality for a smaller online company, though, is that you probably haven’t had time to think about formal procedures. If you’re working solo, you might still be skeptical about needing to write these types of policies.
Honestly, the amount of information that has been published about how to write a security policy could fill a small room. No wonder the task of writing one has become cumbersome. However, in a smaller company, you can concentrate on the basics.
Here’s a baseline rule for establishing your security policies: The magnitude of how much policy you need should fit the breadth of your organization and the depth of the risk factor you want to protect.
In other words, IBM might require several hundred policies whereas you might need only five policies. At the end of the day, if either you or IBM suffers a substantial security breach because a policy wasn’t effectively in place, you’re both in the same boat. And we don’t mean in a good way.
With that in mind, follow these steps to create your own policies (however many you might need):
1. Write your overall goals or objectives for your security policy.
Break down the big-picture goal of protecting your online business into a few smaller chunks of information or goals. Maybe you’re more concerned with outside threats or establishing guidelines for employees. Or you might be most interested in protecting yourself legally and need written policies in place to set precedents.
2. Create a list of areas in your organization that require protection.
After each item, make a notation of which ones are better served by the implementation of a formal policy. Use the checklist in Table 2-1 as a guide to the areas that are open to possible security risks.
3. Determine the scope (number of policies) that is legitimately warranted for the size and need of your organization.
In reviewing your list of goals in Step 2, you might find that it makes sense to combine several components into a single policy. Conversely, other areas might produce larger or more frequent risks and require a stand-alone policy.
4. Starting with your first policy, write its purpose and provide an overview of its importance to the organization.
For instance, you might create a policy about who can access your primary e-mail account. Your goal might be to restrict usage to only designated personnel — and doing so is important so that confidential communications aren’t compromised.
5. Detail the scope of your policy.
Specify which employees or level of employees the policy applies to. Also indicate which locations, systems, and data are affected by the policy. Refer to your list in Step 2 to make sure that you include all areas that might be affected.
6. Write the operational guidelines of the policy.
The guidelines are the cold, hard facts. Be specific about which actions and behaviors can and cannot happen under the policy.
7. After the guidelines are in place, write a paragraph about how the policy should be implemented.
In this part of the policy, provide information such as how employees are to be notified of the policy as well as specific penalties for not enforcing the rules.
8. Document the date when the policy was created.
Every time you update the policy, add the next revision date. Leave the earlier version dates so that you have a running history of the document.
9. (Optional) Add details to the policy.
You might include a glossary of terms or cross-reference additional procedures and policies that might also intertwine with this one.
TABLE 2-1 Security Coverage Checklist
Security Risk | Currently Secured | Requires Formal Policy
Desktop computers | Yes / No | Yes / No
Laptop computers | Yes / No | Yes / No
Employee devices | Yes / No | Yes / No
Mobile devices | Yes / No | Yes / No
| Yes / No | Yes / No
Bank or financial information | Yes / No | Yes / No
Server | Yes / No | Yes / No
Wireless network | Yes / No | Yes / No
Firewall | Yes / No | Yes / No
Cable modem/Internet connection | Yes / No | Yes / No
Software | Yes / No | Yes / No
Customer data and credit card numbers | Yes / No | Yes / No
Social media accounts | Yes / No | Yes / No
Passwords | Yes / No | Yes / No
Database | Yes / No | Yes / No
Cloud-based applications and services | Yes / No | Yes / No
Inventory | Yes / No | Yes / No
Products | Yes / No | Yes / No
Back-end system | Yes / No | Yes / No
Offices or other facilities | Yes / No | Yes / No
Other physical properties or facilities | Yes / No | Yes / No
Files or other miscellaneous | Yes / No | Yes / No
Intellectual property | Yes / No | Yes / No
After you finish writing all your security policies, you’re ready to place them in the front section of your written business continuity and security plan.
One helpful component for your overall plan is to create a catalog, or inventory, of your equipment and the information that you’re protecting. Table 2-2 serves as an inventory assessment guide, and we tell you in this section how to fill it in.
TABLE 2-2 Equipment Inventory Assessment Guide
| Description or MAC Address of Computer | Registration | Username | Travels Off-Site? Y or N | Security Risk: High or Low | Other Information
Hardware | | | | | |
Software | | | | | |
Peripheral components | | | | | |
Servers | | | | | |
Cloud-based applications | | | | | |
Documents | | | | | |
When you’re filling in the guide, your final inventory list should capture the following information:
Peripheral components: This list might include data drives; printers; scanners; tablets, iPhone, Android, and other smartphones and mobile devices; handheld devices; portable memory storage devices; extra monitors or keyboards; networking equipment; and even plain old cellphones.
Employees frequently want to use their own smartphones and mobile devices for both personal and business use, which is referred to as the bring your own device (BYOD) trend. You should include BYOD policies and procedures as part of your overall risk analysis and planning.
Break out your inventory by each individual piece of equipment or software program. That way, you can compile serial numbers and registration numbers or other unique identifying factors for each piece. This is an important part of business continuity planning and may be required by insurance companies when filing claims for damage or loss.
Cloud-based applications: Make an inventory of any cloud- or web-enabled programs and services that your business uses, whether for delivering customer surveys, printing online postage, managing customer relationships, or providing business phone service. Detail which computers maintain licenses for each application or have access to web-based solutions.
When creating an inventory of applications delivered over the Internet, don’t overlook instant-messaging programs and music or video-related applications. You might not use them, but your employees probably have them installed. Increasingly, these programs are becoming an easy delivery method for viruses, worms, and other malicious activity. You want these programs accounted for in your inventory so that proper security measures can be applied.
After you complete this equipment assessment, turn your attention to a skills inventory. (You can add it to the bottom of your inventory assessment.) Compose a paragraph or a complete list of the security expertise that you and your employees have. You can include certifications or other applicable training, too. By conducting a skills assessment, you can see when you need to call in outside security consultants — or how much of that expertise you might need.
One of the most important pieces of your plan is the risk analysis portion, in which you identify possible threats, determine your greatest vulnerabilities, and calculate the potential impact should your business not be able to function for a period of time. This important exercise forces you to evaluate the factors that hold the most potential for harming your online business. Your first action is to make a list of all potential threats that can compromise your security and your ability to operate. Classify these security occurrences, or disruptive events, under the following categories:
Disasters: Address floods, tornadoes, hurricanes, and fire as possible external risks. As part of business continuity planning, you should also consider the risks if one of these events happens not only to your business location, but to that of a key vendor. If your primary vendor is hit with disaster, is it still able to provide you with products or services? If not, do you have a backup vendor?
A critical part of business continuity planning is to consider any and all potential threats to your business, both onsite and offsite. Vendors, delivery services, and online service providers are all critical parts of your chain of operations that could disrupt your online business should their businesses experience a disaster. You cannot prevent these events from occurring, but you can control how you respond to them by having a plan B in place and ready to go in order to minimize the damage.
After you put on your doomsday hat and identify all possible threats that can take you down, go one step further and prioritize each one according to its level of risk. You can do this by using a hierarchical ranking system. Or you might prefer to assign a low, medium, or high risk value for each of your items.
If you find that a risk analysis shows your business to be at a medium- to high-level risk for attacks, accidents, or failures, consider inviting a paid technology or business consultant to evaluate your business and offer solutions. The costs of improving your security and beefing up your disaster-recovery plans will be paid back in the long run by reducing the odds of your losing data, damaging your reputation, putting customer information at risk, and shutting down your ability to operate.
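To make the prioritizing step concrete, here is an added example (written for this edition, not from the book) of a small risk register: each threat from the doomsday list gets a likelihood and an impact on a 1-to-5 scale, the two are multiplied into a score, the score is mapped onto the low/medium/high labels mentioned above, and threats that hit a vendor rather than your own site are flagged as needing a plan B. The threat list, the scores, and the low/medium/high thresholds are all constructed assumptions for the example; adjust them to your own business.

```python
"""Risk register for a business continuity and security plan (added example).

Hypothetical code, not from the book. The threats, their scores and the
label thresholds below are constructed sample data, not measured values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    category: str      # e.g. "Disaster", "Cybercrime", "Vendor"
    likelihood: int    # 1 (rare) .. 5 (expected)
    impact: int        # 1 (nuisance) .. 5 (business cannot operate)
    offsite: bool      # True when the event hits a vendor or provider, not you


def risk_score(t: Threat) -> int:
    """Classic qualitative score: likelihood x impact, range 1..25."""
    for value in (t.likelihood, t.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on a 1..5 scale")
    return t.likelihood * t.impact


def risk_level(score: int) -> str:
    """Map a score onto low/medium/high. Thresholds are this example's assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_threats(threats):
    """Return (name, score, level) tuples, highest risk first; ties by name."""
    ranked = sorted(threats, key=lambda t: (-risk_score(t), t.name))
    return [(t.name, risk_score(t), risk_level(risk_score(t))) for t in ranked]


def overall_posture(threats) -> str:
    """The worst level present. The book suggests a consultant at medium or high."""
    levels = {risk_level(risk_score(t)) for t in threats}
    for level in ("high", "medium", "low"):
        if level in levels:
            return level
    return "low"


def needs_plan_b(threats):
    """Offsite (vendor/provider) threats at medium or high risk need a backup vendor."""
    return sorted(
        t.name for t in threats
        if t.offsite and risk_level(risk_score(t)) != "low"
    )


# Constructed sample threats for a small online store.
SAMPLE_THREATS = [
    Threat("Ransomware on order-processing server", "Cybercrime", 3, 5, False),
    Threat("Flood at primary warehouse", "Disaster", 1, 5, False),
    Threat("Primary vendor hit by hurricane", "Vendor", 2, 4, True),
    Threat("Laptop lost while travelling", "Cybercrime", 3, 3, False),
    Threat("Brief ISP outage", "Infrastructure", 4, 1, False),
]


if __name__ == "__main__":
    for name, score, level in rank_threats(SAMPLE_THREATS):
        print(f"{level:6} {score:2}  {name}")
    print("overall posture:", overall_posture(SAMPLE_THREATS))
    print("needs a backup vendor:", needs_plan_b(SAMPLE_THREATS))
```

The point of the register is the ordering, not the exact numbers: with the sample data the ransomware threat (3 x 5) ranks first, the lost laptop and the vendor hurricane land in the medium band, and the frequent-but-harmless ISP outage drops to the bottom even though it is the most likely event. Scoring the same list with a hierarchical rank instead of the 1-to-5 scale works the same way; only `risk_score` changes.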
Unless you’re in the planning phases for a new business, you have probably already implemented some level of security. Here’s the appropriate place in the plan to specify which actions to take.
You want to describe firewalls, antivirus software, and other basic security measures that provide some level of protection. However, you can add any routine security-related systems or functions you conduct. For example, you should plan to
To some degree, you can consider the action plan the meat of your document. After all the assessments, inventories, and analysis, you’re ready for a true plan of action.
The first part of an action plan is creating a communications tree. No, we’re not talking about a tree with leaves, but rather a phone tree! It’s a diagram that has branches (or lists) of critical people to call or communicate with in case of disaster or other critical business disruption. A communications tree should start with you, as the business owner, and may include a list of the most important employees, public relations contact (if it requires external or public notice), vendor contacts, legal contacts, insurance agent … the list can be as extensive or brief as required. The important part of communications is just that — you need to be able to quickly communicate important information to the people in your organization and make sure the appropriate information is also communicated to customers. Be sure you have back-up phone numbers, e-mail, and emergency contact information for your employees.
Once your communications tree is in place, you can turn your attention to the rest of your action plan. Based on the information you collected (see the earlier sections of this chapter), you can readily spot your strengths and weaknesses in the realm of security and business continuity. And now you can focus on what we like to refer to as your points for improvement (PfI), or the specific areas where you find weaknesses that should be corrected.
By concentrating on your PfI, you can create a step-by-step plan of action to beef up your security and business operations. In each step, be specific. Here are examples of some of the steps that you might include in your own plan of action:
Your plan of action might include a couple dozen steps or only a few. You have a thorough action plan when all your PfI are accounted for and the security holes are plugged.
The final component of your security and business continuity plan addresses the resources (and budget) that are required to put your plan into action. Make a list that identifies all the purchases you need to make to fulfill your plan, especially the security component of your plan. Include a price estimate for each item. If your total is hefty, prioritize which ones fall under the must-have category as well as which ones can wait.
In addition to the resources that require cash, you should include all other resources used in your plan. For instance, budget the time for yourself or employees to attend an Internet security class. Even if a vendor offers this type of training session for free, attendance still requires a small investment in human resources capital.
The last piece of this section should include a timeline for change. Assign both a reasonable date for completion and a person who’s responsible for each action item. Schedule a recurring date for reviewing the progress of your plan’s implementation, too.
Developing a written security document is an investment in itself. If nothing else, it bears the cost of your time. But as the resources and follow-up section of your security and business continuity plan indicates, that step is only the beginning when it comes to paying the price for peace of mind and preparedness. You probably already put down a fair chunk of change but haven’t tallied your investment. The typical places in which you probably already spent money include business insurance for your computer, office equipment and other material structures, antivirus software, a good firewall for your network, and other backup and redundancy services.
Determining how much more you need to spend depends on your circumstances. As an online business, the bulk of your budget is likely to go toward security. The ongoing threat of cyber-related crime, in addition to the number and magnitude of actual incidents, has kept businesses spending an expanding portion of their IT budgets on security. Research from Canalys (www.canalys.com) indicates that security spending continues to grow by nearly 10 percent, year over year. With security spending exceeding $75 billion (globally) in 2015, it is expected to hit an all-time high of $101.3 billion (globally) by 2018, according to Gartner (www.gartner.com).
To come up with a reasonable and effective budget for your business, take another look at your resources list from your security plan and determine the total value of the resources you’re protecting.
Figure out how much a security breach can cost if you don’t make that investment. Roughly calculate the value of your equipment: all your hardware, software — everything. Then assign a value to the intellectual property you need to protect. It’s probably a whopping number. For e-commerce sites, another financial factor is identity theft. You have to consider the potential dollar value of your loss if a hacker gains access to your customer information. Lawsuits and insurance aside, consider it from another perspective: If your site has a major compromise of customer data, those customers must be notified. That situation can be a public relations nightmare — and can result in the loss of future orders.
No one can tell you how much you need to spend, or should be willing to spend, on security. When deciding how much to invest for security, ask yourself these two questions:
After you commit to your security budget, you can find plenty of outside resources that are happy to assist you in spending it. And you have lots of do-it-yourself opportunities, too. You have to decide when — and whether — an outside source is warranted for both security resources and business continuity consultants. Then you should determine which resource is the best one for you to use.
When searching for help with security issues and business continuity planning, you have many choices. More than likely, they fall into one of these categories:
Experts: Experts can be individuals who work in a technical-support environment or who have full-time jobs in a related subject area (and advise informally or on a part-time basis). You can find experts in your vendor relationships or in community service programs for businesses (such as Service Corps of Retired Executives, or SCORE). The cost of an expert’s time varies widely but usually is on the lower end of a consultant’s fee. You might even find volunteers.
When paying for an expert or hiring a consultant, check out the person’s certifications and ask for references. You should ask even if you’re getting help for free (although it’s more difficult to be selective if you aren’t paying someone).
Training programs: Call them seminars, training programs, or webinars, these resources provide information from a classroom perspective. Rather than provide individual support, these types of programs are targeted for a large group of people. Cost for this type of instruction varies. A one-day seminar might cost $300 or $400; a webcast or an online class might be free.
When attending a vendor-sponsored training program or seminar, the solutions that are offered tend to focus on that particular vendor’s products. If you want unbiased guidance, make sure that someone other than a vendor or distributor teaches the session.
You have to decide which solution is right for you, and knowing when to go somewhere else is usually pretty clear. It’s determined by these four key factors: