Developing SETA Programs for Small Businesses


Stephen Townsend
IS 8930 Information Security Administration
Summer 2010
June 30, 2010

ABSTRACT
Numerous studies show that small businesses are woefully insecure when it comes to their information systems and data. Reluctant management, lack of a dedicated IT staff, and unaware employees can all contribute to poor security within such an organization. The development of an effective SETA program takes the considerations of a small business into account. It covers not only what areas are the most cost-effective and prudent to pursue, but also the most efficient means of teaching the material and the motivational methods that ensure employees are compliant with the topics covered.

Categories and Subject Descriptors
K.6.6 [Management of Computing and Information Systems]: Project and People Management Training, management techniques, staffing.

General Terms
Management, Security, Awareness, Training

Keywords
Management

1. INTRODUCTION
The purpose of this paper is to examine the development/design of security education, training, and awareness (SETA) programs for small businesses with a focus on raising security awareness for general users. While size standards vary in the U.S., the Small Business Administration [2010] typically identifies a small business as having fewer than 500 employees. Such organizations play an invaluable role in the U.S. economy by representing 99.7 percent of all employer firms and employing over half of all private sector employees [SBA 2010]. Despite the fact that many of these businesses operate locally and have little global impact, the information they collect and store can be sensitive for the party to which it belongs. Unfortunately, a 2009 study from McAfee shows that a majority of the small- and medium-sized businesses they surveyed spend less than 5 hours a week on proactive security (see Figure 1).
In many cases management and employees of small businesses need to be made aware of the important role that information security plays in their daily work and how to effectively implement it. However, it's no secret that many small businesses do not have a dedicated information technology (IT) staff. A National Cyber Security Alliance study [2009] that polled about 1,500 small business owners shows that 86% of the businesses polled did not have anyone solely focused on IT security. In addition, a global study from McAfee and MSI International [2009] found that 75% of organizations polled cut or froze their IT security budgets in In an economic climate that calls for saving money at every possible juncture, support for information security can and does suffer. However, by approaching the development of a SETA program with the specific considerations of a small business in mind, solutions can be reached that ensure the best possible outcomes. The following text examines the many facets of designing such a program and is intended for use by either a security awareness training group or a business's IT staff, should it exist.

Figure 1. More than half the small- and medium-sized businesses surveyed said they spend 5 hours or less per week on proactive security. Source: McAfee's The Security Paradox, 2009

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

2. SMALL BUSINESS MANAGEMENT
A small business's management plays an integral role in the development of a SETA program and as such warrants discussion first.
For purposes of this text, management will refer to senior management, or top-level management, and not middle management, unless specifically noted. In many cases, management even serves as the company's functioning IT department (see Figure 2). A program without the support of management is certain to fail. They are the ones who give the go-ahead for such programs and as such should be made aware of their importance. The struggle to notify management of such a need has been a long-standing problem for many IT staffs. Because it is essential to convince management of the need for programs that raise security awareness, the next section is entirely devoted to how to deal with management that is reluctant. In this section, however, the status of management as a role model and supporter of security is examined.

Figure 2. Fifty-nine percent of small business owners who did not have a dedicated IT staff said in an NCSA/Symantec survey that they were responsible for their business's IT. Source: Data from NCSA/Symantec Small Business Study,

2.1 Management as Role Models
Members of management should know that they need to follow the security practices that are proposed during the program. While it seems like common sense, many managers fail to comply with the very procedures they expect their employees to follow. If management does not serve as a positive role model, they cannot expect their employees to be motivated and follow the security practices they are claiming to endorse.

Management should also follow the security practices espoused by the program because they are the ones that can put the organization at the most risk. The information they can access and data they are in control of can be much more important than the data regular employees deal with on a daily basis.

2.2 Controls versus Trust
While a healthy mix of trust and controls is needed to ensure employees fulfill their security duties, management should not overdo one or the other. It may seem premature to be discussing a decision such as this before the actual program. Yet it is necessary to note that this balance is one that will vary from business to business, and in designing a SETA program it will be necessary to note areas where the organization uses more controls and areas where they grant more freedom. Controls are effective tools for ensuring employees follow the security guidelines set forth by the organization, but add too many and they can become a hindrance to daily routines. Likewise, too much trust in employees to perform their security duties could lead to damage from incidents related to negligence. By incorporating both in healthy amounts, management can keep an eye on employees while still giving them the trust and respect they require to do their jobs. By considering this aspect of security beforehand, a training team and management can use this knowledge to more effectively present security topics during a presentation or meeting by defining what responsibilities an end user will have. This allows for tailored approaches to specific topics of discussion.

Forging effective lines of communication with management early on and often in the process of developing a SETA program will be essential to ensuring the rest of the program is not simply a wasted effort of time and resources. Management should also be made aware that if they are not supportive of the goals of the program and do not show their employees how much it means to the business, then their employees are not likely to take it as seriously. If management is skeptical or unwilling to consider a SETA program from the start, then they must be convinced of why it is crucial.

3. ADDRESSING THE ISSUES
There are several reasons why small businesses are averse to designing and/or reinforcing security practices, and they should be addressed before the development of a SETA program can take place. Bringing these faulty assumptions to light can help convince management that action is needed, or it can strengthen their resolve to implement security measures.

3.1 Why Does My Business Need Security?
One assumption owners and managers of small businesses that employ minimal security have is that they do not really need a SETA program because they have less to lose than big corporations and therefore will not be targets.
In the global McAfee study [2009], which looked at medium-sized businesses (51 to 1,000 employees), they estimated that "almost half of midsize organizations around the world think companies with more than 500 employees are most at risk for a security attack. Many smaller organizations believe that their data is nowhere near as valuable as their larger counterparts." However, those from businesses with fewer than 500 employees were found to have suffered from more security incidents on average than individuals from larger organizations, and smaller businesses are far less likely to have policies and resources in place to recover from attacks. While it is not true in every case, the McAfee study [2009] also provides data to claim it is more costly to remediate a successful attack than to prevent one in the first place.

How Small Businesses Become Victims
In an online news article on cyber security, Eric Shorr, president of an IT services firm, said in an interview that small businesses are a popular mark for hackers, who target unsuspecting small-business networks and individual computers so that they can anonymously reach their intended high-profile victims [Nesi 2008]. Many other attacks have no intended target at all, and simply seek out unprotected systems from which to launch attacks. While small businesses may not be the intended target of a threat, it does not mean their systems cannot be used by attackers. These attacks almost always occur over the Internet, which affects all types of organizations and can wipe a small business out, making the need for proper security as well as trained and aware staff a top priority. According to the National Cyber Security Alliance study [2009], 75% of small businesses said that they use the Internet to communicate with customers. Increasing use of such technology opens the doors for attackers, and the sooner management is made aware of the risks, the sooner a program can be developed.

It Won't Happen to Me
A real-world example of how no business is safe, no matter its size, can be seen by the MyDoom worm, which accounted for 30% of all traffic in February 2004 and affected nearly one in three small businesses [U.S. Chamber of Commerce 2004]. Small business management should be made aware that the "it won't happen to me" approach is simply not sufficient. A company's IT department can also appeal to management by highlighting the importance of protecting customer data. This is essential for small businesses in particular because of the personal relationships they have with their customers compared to larger organizations. Every single positive relationship is a boon to small businesses, so ensuring this data is safe from threats and harm can foster trust with clientele.

But What if it Does?
Richard Kissel [2009] provides a good example of how a SETA program can save a small business money in the long run. He notes that less obvious costs can often go unnoticed by a small business until it's too late. For example, if a small business suffers a security breach because of insufficient awareness and/or training on behalf of its employees, then it may have to notify all of its customers per state law. He says the average cost of such notifications is over $130 per person, which would make an incident that affected 1,000 customers cost about $130,000. This does not take into account the added losses of customers who will take their business elsewhere. For a small business, employees are the most valuable resource and also the most dangerous. When properly trained and aware of threats and risks, they can potentially save a company thousands. Likewise, if they are ignorant and inexperienced, they can cause irreparable damage.

4. THE SETA PROGRAM
The development of an effective SETA program for a small business follows the standard methodology of any other program, but it should also take into consideration several key areas of interest. While some specific training topics will be covered in detail later, first it's necessary to analyze the general structure of how the program will be designed. While many methodologies exist on which to base a SETA program, the fundamentals remain the same. As was noted in the introduction, small businesses rarely have dedicated information technology staff, let alone a dedicated information security staff. For this reason the training party should take extra care to remain on the same page as management throughout the development process. A later section examines some points of interest for small businesses that have their own IT departments.

4.1 Identifying Program Goals
The program will likely focus both on reinforcing behavior and thus emphasizing awareness, and teaching and applying skills and thus emphasizing training [NIST-SP ]. This section primarily focuses on awareness, which affects all small business employees that work with technology. Many of the tasks that will be covered such as creating strong passwords and practicing good habits do not require extensive, specialized training, but rather end user understanding and compliance. As National Institute of Standards and Technology (NIST) Special Publication states, "The fundamental value of IT security awareness programs is that they set the stage for training by bringing about a change in attitudes which change the organizational culture. The cultural change is the realization that IT security is critical because a security failure has potentially adverse consequences for everyone" [NIST-SP ]. In other words, before small business employees can start practicing better habits, they should be made aware of their importance. This focus on employees is necessary because, as K.
Rudolph [2001], primary author of the security awareness chapter in the Computer Security Handbook and participant of the group that created NIST SP states, a small business's staff is one of its most cost-effective defenses against security incidents, and their compliance with security policy can make or break a program. She says awareness is the most important part of a business's security program and that experts suggest 40 percent of a security budget should be spent on awareness measures.

Identifying Training Needs
Training and awareness solutions also should be cost-effective, because most small businesses are already suffering in the current economic climate. They also must be feasible, or solutions the employees of the business will actually do. Anything too technical that might require the addition or expansion of a security staff is unlikely to be as successful. Small businesses can often have the benefit of being able to gather input from all of their employees as to what areas they feel should be covered. This is something that larger organizations of thousands of employees cannot possibly accomplish. Rather than assuming what employees will need to know or learn, it is much more effective to get a feeling first of what security practices are working and strong, and which are dysfunctional and weak.

4.2 Target Audience
Both the Instructional Systems Design process and the NIST-SP stress the importance of identifying the target audience early in the design process [Gilbert 2003]. For small businesses, this means determining whether everyone needs to participate or whether only a specific group requires training. This group could be identified by the training party or by management. It can include a small group of individuals or the entire staff of a small business. Determining who will be participating in the program is essential because it will help in deciding how the group should be divided.
Keeping with the rest of the text, this section focuses on a small business's general end users and not its specific IT department or middle management.

Audience Considerations
As Chelsa Russell [2002] notes, there are many obstacles related to the target audience that can hamper security efforts. Many small business employees have no formal computer training or have developed bad habits through the years. Such users often view security as unnecessary, because they have managed to do their jobs without such knowledge up until this point. They should be made aware of how their previous actions may have adversely affected the business.

Many users look at security as something that is not their concern. An internal or external IT group is responsible for all related matters in their minds, and their role is simply to follow company policy. Yet often an internal IT department for a small business is only a single person, and external groups do not have the same level of integration as regular employees. These users should be made to understand that security efforts are everyone's responsibility, not simply that of the party who has it listed in their job description.

4.3 Delivery Methods
A SETA program can employ many different approaches when it comes to the delivery method of the material. Cost and intimacy of the delivery method are often crucial factors. While a one-on-one approach is the most personal and can ensure the needs of the trainee are met, it is also costly [Whitman and Mattord 2010]. This can be the deciding factor for a small business. A cost-saving approach divides employees into small groups, which still offers interaction but at the cost of difficult scheduling. Perhaps the most economical approach is web-based learning, which favors cost and convenience over personalized learning. Other approaches exist, but ultimately a small business should weigh the pros and cons of each and compare the potential outcomes with the proposed program's goals.

Very small businesses of only a few employees who require training may want to consider investing in one-on-one training to ensure their employees get the best possible experience. Others may be in a financial position such that online training is their only option. Management of the latter should understand that the cheaper and quicker the program, the more it should be reinforced in the workplace down the line. A later section will examine developing plans to motivate employees to follow correct security procedures.
If a small business chooses to divide its employees into groups for training, it should first define what types of users will be in each group and how those groups will be defined. This can occur in a number of ways, but as Whitman [2010] states, "Training is most effective when it is designed for a specific category of user." For example, any training for an IT staff of a small business is likely to be separate from the end user awareness program because of its technical nature. Ordinary employees will be confused by the jargon used in such courses. Likewise, any users, not just IT staff, who are deemed to be computer-savvy, may require different training from those who need a broader, generalized approach.

Such tactics are used in organizations both large and small, but tailoring the program to meet the needs of each individual user is something that is particularly important in small business. In such organizations one individual or a very small group of individuals can account for an enormous amount of productivity. Ensuring these individuals receive the best possible training will serve to further safeguard a small business. One benefit small business has is that it can very effectively get the right message to the right audience. While bigger organizations struggle with making sure each subunit within the organization is exposed to the right kind of information in a program, smaller businesses have fewer people and thus can focus more on what each particular group or individual needs.

4.4 What Should the Program Include?
Designing what will be included in the program will differ from case to case. The following are some awareness topics taken from the NIST-SP and the U.S. Chamber of Commerce's cyber security guide [2004] for small businesses. These topics should be compared to the business's current policies, if they exist, and adapted accordingly.
Some of the topics deal directly with end users, while others concern the IT staff or outside IT group of a small business, should one exist. Almost all of them are cost-effective and require basic technical skills. Creating an effective motivation program is an integral part of enforcing compliance with these topics and will be discussed subsequently.

Passwords
Anyone who uses computers in a small business should have to deal with passwords on a daily basis. They grant access to computer systems, programs, communications and more. The purpose of this topic is to educate those who are ignorant of proper password practices and reinforce its importance to those who simply fail to comply. Employees should be made aware of the techniques attackers use and how good passwords can stop them.

Figure 3. A study of small- and medium-sized businesses in the U.S. shows that senior management is most worried about e-mail and Internet security. Source: GFI Security Study,

Physical Access Controls
Even with good passwords, individuals can and do access data on computers if they can simply get their hands on them. By emphasizing to end users the importance of securing their machines before leaving for the day or setting up a screen lock/auto logoff when a computer is inactive, more physical access incidents can be avoided.

Small businesses are increasingly using e-mail as the primary means of communicating within the organization. This widespread use makes educating users about potentially malicious attachments a top priority for small businesses. A GFI study [2007] of 455 small- and medium-sized businesses found that 39% of senior executives said viruses were their greatest security risk (see Figure 3). Every user needs to be made aware of the dangers of attachments. If a business has an IT staff, then management might consider in-house solutions to monitor and restrict access to potentially dangerous content. This can also help with employee compliance if they know they're being monitored.

Social Engineering
Russell [2002] notes that social engineering is one of the most important topics to address because it feeds on the human tendency to help others. Friendliness and congeniality are typical traits favored by small businesses because of the need to appear approachable and welcoming to customers. Small businesses often prefer to differentiate themselves from bigger chain stores in this fashion. However, many attackers can use this to their advantage by impersonating customers or some other related party and tricking employees into giving information. Policies should be in place that explain how the identity of a caller should be authenticated and how information should be handled in various forms of communication. Including it as a topic in security awareness sessions can help reinforce these existing policies.

Firewalls and Antivirus Software
Firewalls and antivirus software are essential components in the IT infrastructure of any small business because they help block out potentially damaging access and threats to a network. According to the GFI study [2007], 90% of small businesses surveyed said they had a firewall installed and 96% said they employed antivirus software. Yet the issue here is not the installation of such controls, but compliance with them. While the setting up and maintenance of these security components are under the care of the group responsible for a company's IT, users should also be made aware of their importance and functionality. Employees should know how to tell if and when such services are turned on and how to resolve issues if they are blocking a particular service they are trying to access.
Employees' struggles with trying to access data that is blocked should be addressed, as should management's promise that the issue will be solved in a timely manner without compromising security.

Creating backups
If a business is small enough, it may rely on its employees to back up their own data. If a small business has no backup plan, then now is a good time to consider one. Users should be made aware of the importance of this process and how it could mean saving their employment. If important data has not been backed up and is lost during an incident, the company may be forced to shut down. Effective backups can and have saved companies from going under, and in some cases it is the employee's responsibility to ensure they take place.

These are just a few of the topics that may be covered by the program, and many more can be found in electronic documents on the Internet at websites such as the National Institute of Standards and Technology (www.nist.gov) and SANS (www.sans.org). One thing they should all strive to accomplish, however, is an explanation of why the topics are important. Instead of simply telling users to adopt new and often more complicated daily practices, an effective program should also detail why certain current practices are insecure and thus help motivate users to be accountable [Russell 2002].

4.5 A Small Business's IT Staff
A small business with a couple hundred employees will likely have an IT group dedicated to performing many of the tasks described previously. The size and scope of this staff will determine what kind of support they can provide for the SETA program. During the development process of the program, any assistance that will be required from them should be communicated. In the previous topic examples, IT might be responsible for password management and monitoring.
In this case the end users should be made aware of how the IT staff conducts such operations (in basic terms) so they can better understand their duties and responsibilities. Training and awareness specifically for the IT group includes its own distinct challenges and falls outside the scope of this article. Often such programs include terms and jargon that are easily understood by IT professionals and proceed at a much quicker pace.

4.6 When Should It be Conducted?

Monthly versus Annually
Once a delivery method and program content are designed, a time should be chosen to conduct the sessions. This also will differ depending on the company, its hours of operation, and the amount of free time it can grant to its employees. A greater decision a business must make is whether to conduct these sessions on a regular basis, once a year, or both. Lance Spitzner, an IS professional with more than 15 years' experience, previous senior security architect for Sun Microsystems, and original faculty member of the SANS Institute, suggests both. He says that while an annual program ensures everyone learns key topics, most individuals will quickly forget what they learned. Likewise, monthly programs could leave a company insecure while it waits to cover a certain topic. For this reason Spitzner [2010] recommends having an annual program that everyone takes, and a monthly program that reinforces important topics that might be of particular relevance to a small business.

New Hires
Many small businesses experience a high turnover rate, especially in low-level positions that are filled by part-time employees. This provides a specific set of challenges to a small business seeking to ensure all of its employees are up-to-date on security protocols and policy. As part of the development of a SETA program for a small business, it might be prudent to consider the creation of an orientation security packet that highlights key areas and can be given to any new hires.
It is important that current employees buy in to the business's culture because it will serve as an example that new hires can learn from. However, a new hire can just as easily mimic bad behavior as they can good behavior, so current employees need to know their role in supervising and training new staff.

5. MOTIVATION
The development process isn't finished when the program's design and content are determined. Additional methods should be considered and devised to ensure employees follow the recommended security procedures. In a small business, the need for management to motivate employees is magnified, and by letting employees know exactly what is expected of them, management can more efficiently inspire them to follow proper security practices. This process of motivation covers what must be done after a program is implemented, but should also be planned for during the development stages of a SETA program.

5.1 Rewards and Penalties
According to Donn B. Parker [2002], CISSP, 2008 Fellow of the Association for Computing Machinery, motivation is essential to making SETA programs effective, and in many cases awareness programs can result in less security in its absence. He says that security awareness may, in fact, enlighten employees as to ways they can bypass security and become more efficient at the work for which they are paid. To combat this, rewards and penalties can be implemented to motivate employees' effective use of security because they are traditional and controllable. If users are rewarded for using good practices or know there will be consequences for poor behavior, then they will be more likely to follow what they learned in the program [Parker 2002].

In smaller businesses management can have an extremely positive impact on the motivation of staff to practice good security habits. By encouraging employees and rewarding them when they do things the right way, management can show that security is a top priority of the organization and thus assimilate good practices into the company's culture.

5.2 Making It Personal
William Hubbard [2002] explains that personalizing reminders and messages relating to the importance of security can make employees think about how a particular issue will affect them directly. Small business can achieve this by e-mails or bulletins that everyone in the organization sees on a daily basis. Because of the close-knit atmosphere of small businesses it can be much easier for them to instill vested interests in their employees compared to larger organizations that have thousands of workers.
The ultimate goal is to have every individual in a small business be aware of how their actions affect not only themselves, but also the company and everyone related to it.

5.3 Promoting Security
Promoting security can often be a challenge and should also be included in the design stages of the SETA program. This step addresses the issue of how to keep security on everyone's mind days, weeks, and even months after the program is over. According to the NCSA study [2009] 90% of businesses polled did not have workplace signage that helps keep IT security and Internet safety awareness at the top of the mind for employees. Yet without this reinforcement, employees are not likely to be compliant.

Parker [2002] suggests avoiding cliché, trite instructional videos that may have a negative effect on security efforts. Such material can offend the intelligence of employees by portraying extremely obvious security breaches and their solutions. Posters are a great way to draw attention to security, but they should not be displayed for long periods of time or they risk becoming ignored. One way to solve this is to have poster design contests that are displayed periodically. If a small business chooses to go with a monthly approach to security topics, then the current topic could be the theme for posters around the office. In addition, many websites offer free promotional materials that small businesses can use to save money. Examples are:

Offers free materials such as awareness posters and more.
Offers personalized training messages for end users.
Offers free materials for small businesses in a large, downloadable package.

6. CONCLUSION
Designing a SETA program for a small business is in many ways unlike developing a similar program for a much larger organization. While many of the fundamental concepts such as group size and topic discussion must be taken into account, smaller businesses have a host of unique considerations that warrant a more specialized approach.
In some cases a small business's management may feel like they are not a target of attacks and therefore do not see a need for spending resources on increased awareness. Yet many high-profile attacks can and have occurred, and they have shut down many small businesses that were not prepared for them. More and more small businesses are trying to do more with less as the economy struggles to fully rebound. Yet failure to secure assets or information in even one instance can spell disaster for a small business. Employees are the best defense against such incidents, and the development of an effective SETA program for a small business can ensure they are trained and aware.

The actual approach of a SETA program for a small business will differ on a case-by-case basis. Yet many characteristics of small businesses, such as their smaller number of employees and more personal relationships with customers, remain the same across the board. A business with fewer employees can opt to provide much more personalized training sessions to ensure they fully understand the topic material. For those with a tight budget, cost-effective web-based solutions exist, as do free promotional materials. The absence of a group whose sole duty is related to IT also means that each and every employee should be aware of their actions and how they can affect the organization. Rewards and penalties are more likely to be effective in motivating employees to adopt such an attitude because in smaller businesses it is feasible that everyone in the organization will know of a person's accomplishments or shortcomings. This can either motivate people to perform well or deter them from not being compliant.

Ultimately, a small business's management should integrate security awareness into the organization's culture if it is to be accepted by employees. A SETA program can aid in this task, and it does not need to be costly.
Leading by example and showing employees that security is a priority will motivate them to do their part not only for their own benefit, but also for the business as a whole.

7. REFERENCES

[1] GFI. (2007). Security survey in the United States. Study. Retrieved from:
[2] Gilbert, C. (2003). Developing an Integrated Security Training, Awareness, and Education Program. SANS Institute Reading Room. Retrieved from:
[3] Hubbard, W. (2002). Methods and Techniques of Implementing a Security Awareness Program. SANS Institute Reading Room. Retrieved from: ethods-techniques-implementing-security-awarenessprogram_417.
[4] Kissel, R. (2009). Small Business Information Security: The Fundamentals (Draft). Retrieved from: pdf.
[5] McAfee, Inc. (2009). The Security Paradox. Study. Retrieved from: html.
[6] National Cyber Security Alliance, Symantec. (2009). NCSA / Symantec Small Business Study. Study. Retrieved from: BStudy2009%20FINAL.pdf.
[7] National Institute of Standards and Technology. Information Technology Security Training Requirements. NIST-SP Retrieved from:
[8] National Institute of Standards and Technology. Building an Information Technology Security Awareness and Training Program. NIST-SP Retrieved from: SP pdf.
[9] Nesi, T. (Nov. 5, 2008). Study: Americans' cyber security awareness uneven. Providence Business News, 2010, from https://www.pbn.com/detail/36030.html?sub_id=36030&print=1.
[10] Parker, D. B. (2002). Motivating the Workforce to Support Security Objectives: A Long-Term View. Retrieved from:
[11] Rudolph, K. (2001). Computer Security Handbook 4th edition. Retrieved from:
[12] Russell, C. (2002). Security Awareness Implementing an Effective Strategy. SANS Institute Reading Room. Retrieved from: curity-awareness-implementing-effective-strategy_418.
[13] Small Business Administration. (2010). Small Business Size Standards. Retrieved from: dex.html.
[14] Small Business Administration Office of Advocacy. (2010). Frequently Asked Questions. Retrieved from:
[15] Spitzner, L. (2010). Security Awareness Programs Monthly or Annual? Securing The Human. Retrieved from:
[16] U.S. Chamber of Commerce. (2004). Commonsense Guide to Cyber Security for Small Businesses. Study. Retrieved from: bersecurity.htm.
[17] Whitman, M. E. & Mattord, H. J. (2010). Management of Information Security. (pp. 196). Boston, MA: Course Technology, Cengage Learning.


More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

Data Security. So many businesses leave their data exposed, That doesn t mean you have to. 2014 Computerbilities, Inc.

Data Security. So many businesses leave their data exposed, That doesn t mean you have to. 2014 Computerbilities, Inc. Data Security So many businesses leave their data exposed, That doesn t mean you have to. 2014 Computerbilities, Inc. Table of Contents: 1. Introduction 3 2. Cybersecurity: The loopholes in the system

More information

NIAP Certification: Proposals by CSIA for Strengthening Security Certification. July 23, 2004. Cyber Security Industry Alliance NIAP Briefing Page 0

NIAP Certification: Proposals by CSIA for Strengthening Security Certification. July 23, 2004. Cyber Security Industry Alliance NIAP Briefing Page 0 NIAP Certification: Proposals by CSIA for Strengthening Security Certification July 23, 2004 Cyber Security Industry Alliance NIAP Briefing Page 0 SUMMARY CONTENTS Summary......1 NIAP s Charter......2

More information

What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape

What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape Contents Introduction 2 Many SMBs Are Unaware Of Threats 3 Many SMBs Are Exposed To Threats 5 Recommendations

More information

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance Valerie J.M. Watzlaf, PhD, RHIA, FAHIMA, Sohrab Moeini, MS, and Patti Firouzan, MS, RHIA Department of Health Information

More information

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions Website Security: How to Avoid a Website Breach Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions www.caretech.com > 877.700.8324 An enterprise s website is now

More information

SMALL BUSINESS PRESENTATION

SMALL BUSINESS PRESENTATION STOP.THINK.CONNECT NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION ABOUT STOP.THINK.CONNECT. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department

More information

Security Basics: A Whitepaper

Security Basics: A Whitepaper Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

BUSINESS COMPUTER SECURITY. aaa BUSINESS SECURITY SECURITY FOR LIFE

BUSINESS COMPUTER SECURITY. aaa BUSINESS SECURITY SECURITY FOR LIFE aaa BUSINESS SECURITY SECURITY FOR LIFE CHAPTER 1: WHY COMPUTER SECURITY IS IMPORTANT FOR YOUR BUSINESS No matter how big or small your business is, it s highly likely that you have some information stored

More information

2011 NATIONAL SMALL BUSINESS STUDY

2011 NATIONAL SMALL BUSINESS STUDY 2011 NATIONAL SMALL BUSINESS STUDY The National Cyber Security Alliance has conducted a new study with Symantec to analyze cyber security practices, behaviors and perceptions of small businesses throughout

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information