cal and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data

August, 2006

Data and information security has become one of the most pertinent issues facing today’s businesses and yet it is often overlooked. Did you know that according to a Deloitte Touche Survey more than 50% of companies admitted to having a data loss between June 2005 and June 2006? Roughly 33% of them directly resulted in financial loss. A survey by Zoomerang showed that 34% of companies do not have a security policy 0that forbids downloading non-business applications on company-owned computers. In 2005 55% of all online users reported being infected by spyware according to a Bigfoot Interactive survey.

For small businesses, every dollar spent on IT must have a demonstrated business value. For security products that can be a difficult task. Unless you have experienced an attack on your web server, a SQL injection attack on your e-commerce site, or have had a virus outbreak on your network most managers and decision makers balk at the idea of spending significant money on a suite of network security products.

Just as it is difficult for a home owner that moves to Florida to see why it might be worthwhile to spend $5-10k on hurricane shutters, it is hard for managers to understand putting a significant portion of their IT budget into security products. However, when that same homeowner has lived through a couple of hurricane seasons or starts talking to their neighbors about what the 2005 season was like it doesn’t take them long before not only are they willing to spend the money, but they can’t wait to do it. The shortcoming of this analogy is that the potential loss for a business can be worse than for a homeowner and all too frequently there isn’t insurance to cover lost revenue. To make it worse you could even be held liable for not taking appropriate actions to secure your customers private information.

Some pertinent questions for a manager or business owner to get them thinking in right direction would be: What would happen if our servers were stolen? What would happen to the company if a fire burned down the office and every piece of technology was lost? What would be the consequences if our competitors were able to gain access to trade secrets? What would be the legal ramifications? What would we loose in employee productivity while this data is restored ($)? Could it be restored? How much down-time on our network can we survive? How would this affect the public image of our company?

The answers to these questions are often not easy to come to grips with. Too often managers ignore them and do not give them the attention they deserve. In effect, they are playing the odds that this will not happen to them and they do not prepare for what is a very real and impending threat. Data and information security is not something they understand or have experience with so they ignore it and treat it like it not a real danger. So regardless of the reasons why, their critical and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data

ity products that can be a difficult task. Unless you have experienced an attack on your web server, a SQL injection attack on your e-commerce site, or have had a virus outbreak on your network most managers and decision makers balk at the idea of spending significant money on a suite of network security products.

Just as it is difficult for a home owner that moves to Florida to see why it might be worthwhile to spend $5-10k on hurricane shutters, it is hard for managers to understand putting a significant portion of their IT budget into security products. However, when that same homeowner has lived through a couple of hurricane seasons or starts talking to their neighbors about what the 2005 season was like it doesn’t take them long before not only are they willing to spend the money, but they can’t wait to do it. The shortcoming of this analogy is that the potential loss for a business can be worse than for a homeowner and all too frequently there isn’t insurance to cover lost revenue. To make it worse you could even be held liable for not taking appropriate actions to secure your customers private information.

Some pertinent questions for a manager or business owner to get them thinking in right direction would be: What would happen if our servers were stolen? What would happen to the company if a fire burned down the office and every piece of technology was lost? What would be the consequences if our competitors were able to gain access to trade secrets? What would be the legal ramifications? What would we loose in employee productivity while this data is restored ($)? Could it be restored? How much down-time on our network can we survive? How would this affect the public image of our company?

The answers to these questions are often not easy to come to grips with. Too often managers ignore them and do not give them the attention they deserve. In effect, they are playing the odds that this will not happen to them and they do not prepare for what is a very real and impending threat. Data and information security is not something they understand or have experience with so they ignore it and treat it like it not a real danger. So regardless of the reasons why, their critical and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data

m long before not only are they willing to spend the money, but they can’t wait to do it. The shortcoming of this analogy is that the potential loss for a business can be worse than for a homeowner and all too frequently there isn’t insurance to cover lost revenue. To make it worse you could even be held liable for not taking appropriate actions to secure your customers private information.

Some pertinent questions for a manager or business owner to get them thinking in right direction would be: What would happen if our servers were stolen? What would happen to the company if a fire burned down the office and every piece of technology was lost? What would be the consequences if our competitors were able to gain access to trade secrets? What would be the legal ramifications? What would we loose in employee productivity while this data is restored ($)? Could it be restored? How much down-time on our network can we survive? How would this affect the public image of our company?

The answers to these questions are often not easy to come to grips with. Too often managers ignore them and do not give them the attention they deserve. In effect, they are playing the odds that this will not happen to them and they do not prepare for what is a very real and impending threat. Data and information security is not something they understand or have experience with so they ignore it and treat it like it not a real danger. So regardless of the reasons why, their critical and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data

secrets? What would be the legal ramifications? What would we loose in employee productivity while this data is restored ($)? Could it be restored? How much down-time on our network can we survive? How would this affect the public image of our company?

The answers to these questions are often not easy to come to grips with. Too often managers ignore them and do not give them the attention they deserve. In effect, they are playing the odds that this will not happen to them and they do not prepare for what is a very real and impending threat. Data and information security is not something they understand or have experience with so they ignore it and treat it like it not a real danger. So regardless of the reasons why, their critical and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data

cal and confidential business data remains insecure and they have no systems in place to audit or monitor activity on their network devices or prevent a potential attach from happening.

It is also very important to remember that a high percentage of attacks are from the inside, not the outside of your network. Disgruntled employees can pose a very high security risk. Also, your company does not necessarily have to be a “target". Many attacks are generated by random scripts that search for any open target. The question is will you be ready for it when that attempt is made or will an attacker be all too ready to take advantage of your unprotected network?

So what is the right perspective or approach? To use an analogy, data security should be viewed like business insurance. The right perspective is that the possibility of an attack or attempted access to unauthorized data as not only likely but just a matter of time. Like insurance, an evaluation should be performed regularly to make sure the right kind of “coverage" is in place. It should have a place in management meetings and be reviewed with the principals of the business and not just left to “the IT guys". The executive management needs to play a big role in deciding what information is the most private so that it can properly protected.

So what is a business owner to do? Take the time for a comprehensive approach to the security of your information. Put a business security policy in place and stick to it. This may include consulting with one or more security experts that specialize in this type of work. Perhaps it is something as simple as making sure your internal IT staff has already taken the necessary precautions, but then to start working with them from the management level. Part of your policy should be a scheduled testing and improvement to the security measures already in place. Data and network security is not a static solution that you can implement once and leave alone. It is something that needs to be monitored, tested, and improved on a regular basis.

The good news is that a secure environment for your data can be achieved. It may not come easily and there will be a price attached to it, but the cost attached to remaining unsecured is much higher.

---------------------------------------------------------------

This article may be republished freely providing proper acknowledgment is given to Nathaniel Fisher as the author. The following bio of the author must be included in all publication. www.fidelitynetworks.com