Managing IT security can be more than a full-time job, but Bryan Simon has learned that not everyone can give it those kinds of hours.
That’s one of the reasons why Simon, senior security systems and security specialist at Integris Credit Union in Prince George, B.C., has adopted a more piecemeal approach to security which breaks major tasks into individual parts that can be handled for short periods each day. That can make it much less overwhelming for small businesses with limited resources, he says.
“It comes back to security awareness training and making sure everyone is aware they’re all part of the solution,” he says. “It’s not just a to-do list. The idea is that if you follow these processes on a regular basis, it will help improve your security posture.”
Simon was recently reminded of this small-steps approach when he attended Focus, the annual conference for users of McAfee Inc.’s security products earlier this year in Las Vegas, where executives discussed the firm’s “secure in 15” methodology. Developed specifically for mid-sized companies, McAfee is guiding customers through “secure in 15” via a Web site filled with a daily practice guide, e-mail newsletter updates and video case studies of their peers in the mid-market space.
The approach resonated clearly with Simon, who joined the credit union about two years ago and oversees security of seven branches in Northern B.C. run by a staff of less than 200 people. “What I realized is that all along I developed my own concepts that were very close,” he says. “It’s pretty easy when you’re short-staffed to get lost (in terms of security). You need to make sure you’re looking at it.”
For Integris, being “secure in 15” might mean using that time Monday to check and see if there were any major outbreaks in the organization. On another day, it might dedicate those 15 minutes to making sure all the company’s security products are up to the latest virus signature file (DAT) revisions, he says.
“You have to talk to your administrators and explain why it’s important,” he adds. “Then you can get a coffee and move on with your day and not be so concerned that your security products aren’t configured properly.”
For Doug Cooke, director of sales engineering at McAfee, the secure in 15 concept has been a way to turn user education into increased marketing opportunities.
“It’s all part of the relationship we’re trying to build,” he says. “I’d say when we’re talking to companies who may not be customers we mention the program to them. It’s a way that we show them the value of the product set.”
That’s because attaining the right level of security is not just adhering to a set of 15-minute tips, says Cooke, but investing in the right kind of tools for monitoring and defending IT equipment. About six months ago, for example, Simon moved Integris off of an old security platform to McAfee’s ePolicy Orchestrator (ePO), which centralizes the management of software that monitors and secures network endpoints, content and systems that handle compliance with government or industry regulations.
“The reporting capabilities are outstanding,” he says. “You can customize it to any level, deployment, or policies. You can create dashboards so executives can log in. That can be really good when you’re trying to show your return on investment and say, ‘Here’s what we blocked.’”
Cooke says McAfee, which was acquired this year by Intel Corp, plans to make ePO central for as many products as it can. The company is finishing off integration of mail system data, and will be moving on to more network-level components. In some cases he says McAfee will provide “visibility, if not integration.” In other words, ePO might allow a dashboard so businesses can see clearly how Web filtering tools, for instance, are functioning and what’s going on behind the firewall.
“There is some element of, ‘Let’s not do it unless it makes sense,’” Cooke adds. “You’re probably not going to want to have all of your firewall logs accessible in ePO. Maybe while a firewall administrator is working on it, you’ll want to look at a set of inbound traffic in a log, but not everything.”
Simon’s advice for his peers in Canadian small businesses is to put a product like ePO in place and just watch it before tweaking and fiddling with it. “Take the firewall and look at it in monitoring mode – just get a feel for the kind of traffic that your endpoints are seeing,” he suggests. “You can have a better idea of what’s legitimate and what’s not.”
