What is Security Posture?
It is your overall security plan – the approach your business takes to security, from planning to implementation. It comprises technical and non-technical policies, procedures and controls that protect you from both internal and external threats. No business, large or small, is safe from potential security breaches. Anyone is fair game.
Why do you need to worry?
- Hackers – Hackers scan networks for vulnerable systems that can be easily breached for malicious purposes. This can result in compromised data that, in turn, can cause lost customer confidence.
- Disgruntled Employees – Employees bearing a grudge could easily walk out your door with company data on removable media. They could send internal company data to an external destination (e.g. an FTP, SSH, or email server) or simply destroy company data from within.
- Script Kiddies – Typically inexperienced hacker wannabes who use tools that are freely available on the Internet (e.g. LOIC – Low Orbit Ion Cannon or BackTrack 5). In the wrong hands, these tools can cause significant damage.
- Spammers – Spammers exploit vulnerable email systems to relay spam email through your network infrastructure, often resulting in a network outage due to the traffic generated from your compromised network.
What can you do to protect yourself?
Determine what needs to be protected. This could include credit card numbers, confidential customer data, or corporate assets.
Figure out how your data might be acquired. A risk assessment should be conducted to determine any potential weak points in both your IT and physical controls.
Install controls to protect your data. This may be as simple as implementing a security awareness program for all employees, or as complex as installing a hardened network perimeter (e.g. DLP or IDS systems). The scope of the controls will be determined by your financial situation and the likelihood of compromised data.
In the end, you need to decide how much risk you can accept. This will determine a security posture that suits the needs of your business.