Why Focus on Security?
Most of the companies we have worked for opted to invest in security because of how frequent hacking has become, whether by employees, professional hackers or script kiddies (low-skill attackers who use tools written by others to break into computer systems). Most people only wake up when it is too late, which is unfortunately part of human nature. We don't want to think of ourselves and our interests as vulnerable, but in this sector of business, we are. Although there are strict regulations for many sectors, companies prefer to ignore them and take the chance of being prosecuted.
1. How the court sees IT security issues
From the legal point of view, there are a few basic rules which will determine if the company being sued is liable or not.
One of these basic rules is "the prudent man rule", under which the court tries to establish whether the company or individual acted as a responsible entity. For example, if a database was hacked and a client's personal data was stolen, the court will attempt to establish whether, and how, the company tried to protect its clients' data in a prudent and responsible way. Another way for the court to determine liability is to check whether the company exercised due diligence and due care. Returning to the previous example, the court will try to uncover whether the company exercised due diligence by researching the risks related to the database information, and what actions it took to protect it. Of course, there are cases in which no possible action could reduce the risk, but one definitely needs to do the research first to make sure the outcome is the best achievable.
After the due diligence phase, one can take the following actions (due care):
- Reduce the risk by putting a countermeasure in place.
- Accept the risk by doing nothing (usually the course of action taken when the countermeasure costs more than the loss that would result from the risk being exploited).
- Share the risk with a third party, such as an insurance company.
- Reject the risk by not exercising due diligence and ignoring the potential consequences. Unfortunately, this is the attitude of most companies in dealing with matters related to security.
2. We don't know means we don't care
Most company owners don't know about security regulations, which is negligent in itself. Ignorance of the law is not a defense: the regulations in place still have to be obeyed and acted upon, and a company can be prosecuted under them just as under any other law we live by.
3. $$$ Security is too expensive $$$
Many times we have heard that security is too expensive, and therefore the company should wait until it has more money to deal with security.
From my experience, a company can actually obtain security without spending too much money. It all depends on how the company executives view security, and how the security consultant delivers it.
For example, there are many ways to protect servers. Buying an IPS (intrusion prevention system), an IDS (intrusion detection system), application firewall appliances, an expensive firewall and more will easily cost 100K a year. If a company does not have that money, it can rely on excellent open source projects such as Linux servers, a Linux firewall, ModSecurity, Snort and others, which provide adequate security at no cost except manpower. If the company can't hire more employees to handle security, the existing staff will simply need to add a few auditing and maintenance tasks to their list of responsibilities.
The idea is to invest in security because you care for your clients and your employees; they are the main reason to obtain it!