Basic security principles.
In security in general, and information security in particular, it is always wise to keep in mind the following three basic security principles:
- Find a balance between the use of your assets and their protection.
  A computer which is not connected to the Internet cannot be attacked by hackers. However, it might not be very useful, and it might still be stolen, compromising the confidentiality of the information on it. Putting it in a safe, with a security guard in front, makes it much more secure but even less useful.
  Applying this to a more practical situation, a computer that is only used for Internet banking, and only connected to the Internet when used for Internet banking, is much more secure than a computer also used for email and general Internet browsing. So, if you have a spare computer ....
- Take a balanced approach to security.
  It is not very clever to have five locks on your front door and no locks on your windows. Still, lots of small business owners are worried about Internet threats and implement lots of security measures to keep external hackers out of their systems, but have little physical security to keep someone from stealing their computers and robbing them of their major business assets: the information on those systems.
  To know what to protect in your particular situation you will need to do a thorough risk analysis. Without knowing what your major business assets are, and what the risks to these assets are, your systems will never be adequately protected.
- Security is about limiting the damage resulting from any security problems.
  Prevention is one of the best ways to limit the damage, but prevention is never 100%. Hence, good security involves planning for the failure of your security measures.
  Having a good backup strategy and other plans for business continuity is one aspect of this. Just as important, however, is to ensure that your systems are continually monitored, so that you can detect when your prevention fails and take action before major damage is done.
Good information security involves applying every one of these basic security principles. Unfortunately, the balance between the use of your assets and their protection has almost disappeared in most business situations. If that is the case in your business as well, prevention will be very costly and almost impossible anyway. Planning to limit the damage of the inevitable security incidents should then almost always have the highest priority.