Thursday, January 8, 2009

Small and medium-sized businesses will spend more on security in '09

In light of my post yesterday regarding the focus a business places on the different components of an identity theft and privacy plan, I was heartened to read this today.

A Forrester Research report finds that small and medium-sized businesses will spend more on security in 2009, and will zero in on data protection, reports SearchCIO. Forrester surveyed the business and IT leaders of 1,206 SMBs--businesses with fewer than 1,000 employees--and 942 enterprise companies, finding that the number one priority for both groups in the year ahead will be the protection of data assets.

The report goes on to say...

Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.

For me, though, this was the most puzzling part of this piece...

One area that isn't on the security radar for many SMBs -- but probably should be -- is access rights and the larger issue of identity management. Data assets must be protected against insiders, too, said Jonathan Penn, author of Forrester Research's security report.
"There are people who are authorized users who may inappropriately use information to the detriment of the company, or there are unauthorized users who in previous roles may have needed access to information but no longer do. Those kinds of processes in SMBs tend to be pretty poorly implemented," Penn said.
Part of the reason for this security shortcoming is that the technology for automating these processes can be expensive. But the bigger issue for SMBs is the process-intensive nature of keeping up with the rights employees should and shouldn't have.
"If it was a matter of just getting a tool to streamline onboarding, they could do that if they saw the cost benefit of that. But SMBs have tended to shy away from how they manage people's rights throughout the lifecycle of employment," Penn said. Coordinating among IT, business departments and human resources to sort out the employee rights and keeping the policies up to date is tough, and not easily outsourced.

A high-caliber identity theft risk trainer can partner with HR management to get all of the employees through comprehensive awareness training in an hour or less in group settings. Once that is done, a schedule of update sessions keeps the company current with changing legislation on an as-needed basis. The FACTA Red Flags Rule calls for staff training on the company's identity theft program as a compliance piece. This comes under the heading of company policy and needs to be part not only of onboarding new hires but also of ongoing training for existing staff.
That really is the essence of good ongoing education for employees. Not only does the company get the advantage of expert trainers who keep everyone current on protecting its data assets, it also gets a better-prepared staff who act more proactively both on the job and with their personal identities. A significant concern when an employee is going through an identity theft episode is the distraction on the job, the time off, and the extra stress at work.
In any case, it seems business is moving (somewhat) in the right direction.


Melanie said...

Training is such a good idea...and as long as there's a budget for this general issue anyway, spending some of it on company training could be invaluable.

Thanks for posting this...good info.

George said...

Great post, since there are far more SMBs than larger (e.g., Fortune 500) companies.

I really hope that SMBs do spend more on data security in 2009... those that haven't gone out of business due to this recession. And, for those that go out of business, I hope that they destroy sensitive data properly.