Subject: Computer Science
Find a security policy for a large-scale company and compare it to that of a smaller company. How would employee education and transparency be a factor in overall security policy success?
Small businesses may no longer assume a "security by obscurity" stance. The past several years have witnessed a sharp uptick in cyberattacks against SMBs. The simple reasoning is that criminals discovered many small companies are easy targets, often lacking resources and know-how for protecting valuable business data.
This has led security-minded small companies to adopt information security postures similar to those found in the enterprise space. At a recent keynote, Department of Commerce's National Institute of Standards and Technology director Willie E. May explained, "We see companies like Intel, Chevron, Walgreens, Pepco, Apple, QVC, and the Bank of America talking about how they are using the Framework [for Improving Critical Infrastructure Cybersecurity] or planning to incorporate it. But we also see 50-person firms, like Silver Star Communications in rural Wyoming, describing how the Framework has helped them to be more thoughtful and wiser managers of their cyber risks."
More than anything else, user behavior indicates the effectiveness of information security policies for a business of any size. NeweggBusiness findings show SMBs are taking stronger security postures than their larger counterparts in regard to certain behaviors such as sharing logon information.
It is undeniable that small companies have a resource disadvantage for creating and enforcing a strong information security posture. However, a smaller-sized company tends to be more agile with its IT infrastructure. This manifests in smaller companies having a better likelihood of deploying software patches in a timely manner; by the same token, large companies check network logs more often and are more likely to run risk assessments.
Educated employees and transparency help in cybersecurity success.
The first step is implementing a cybersecurity strategy that includes all stakeholders across the organization. Including everyone from IT, security, and DevOps to all business units, from financing to marketing to HR, is necessary for creating the type of transparency needed to protect organizations going forward as attacks continue to evolve.
Then IT needs to work hand-in-hand with business unit owners to run regular workshops to educate employees on the importance of security across the organization.
Third, the board needs to be able to ask business risk related questions that get answers quickly from the security organization. They need to share a common language to have discussions of risk that affect the wellbeing of the enterprise.
Fourth, security needs to start focusing on a hybrid world that isn't just about protecting the perimeter. We need to have open discussions about identity, endpoint and application security. The perimeter can no longer be the focus, and the responsibility for that should be secured by the cloud vendors.
And the fifth point is that the thought of security needs to be removed from the realm of secrecy. Security is now a standard part of operating an organization and needs to be discussed openly, as it is a critical success factor of every operation.