Over 80% of small and medium-sized businesses consider themselves non-targets for cyber-attacks. However, 60% of all targeted attacks are directed at small and medium-sized organizations. The capabilities of hackers have risen dramatically in the last two years, so organizations of all sizes need a security plan. Security by obscurity is no longer a viable option. Adopt a proven strategy to protect vital corporate assets.
2. Express Info-Tech Research Group 22
ANALYST PERSPECTIVE

The days of purely high-profile hacking are over. Smaller enterprises are now at the forefront of targeted attacks. Smaller organizations still have valuable data that threat actors want and that can be more easily compromised due to fewer resources dedicated to security. Often, small enterprises are compromised for the purpose of being a hopping point to a larger target, generating complex levels of security considerations and legal liabilities.

Just because you don’t see headline news about small organizations being breached doesn’t mean it isn’t happening. The reality is that small enterprises are now faced with the same security concerns and requirements as large organizations, but with limited resources. Small enterprises need to know what matters to them even more than large organizations so that they can build a right-sized security program.

Wesley McPherson
Info-Tech’s Security, Risk, and Compliance Practice
Security programs are a MUST-HAVE, not a nice-to-have

WHY? The volume, intelligence, and complexity of threats have been increasing and will continue to increase.

New Attack Types
• Targeted malware
• Zero-day vulnerability exploits
• Advanced persistent threats (APTs)

Increasing Threat Actors
• Commodification of hacking techniques
• Conventional threats adopting hacking
• Increasing in number and complexity

Changing Environments
• Mobile
• Cloud
• Big Data
• Internet of Things

23% of CIOs polled stated increasing cybersecurity was the most significant driver behind IT investments in 2015 (CIO, 2015).

90% of data breaches impact small businesses (First Data, 2014).
MYTH: Cyber-attacks aren’t an issue for small enterprises.

82% of small to medium-sized businesses consider themselves non-targets for cyber-attacks because they have nothing worth stealing. (Source: London Chamber of Commerce and Industry, 2014.)

AND YET: 60% of all targeted attacks are towards small to medium-sized organizations. (Source: Symantec, 2015.)

THE UNFORTUNATE REALITY: Cyber-attackers prefer targeting smaller enterprises because they often have weak security systems. In a transaction- and data-heavy society, nearly all organizations have highly valuable and sensitive data (contract information, customer data, payment information, etc.).
Address foundational and baseline functions of security

[Diagram: Info-Tech’s Information Security Framework, with the Foundational Security Components highlighted]

Info-Tech SE Perspective: Focus on components and capabilities that will be the most feasible and critical for your organization. Foundational components include:
• Response and recovery capabilities
• Prevention
• Detection performance

Expand into governance to address business awareness of security and to incorporate a security mindset into the organizational culture.
Be prepared for all types of incidents

Recognize a potential security incident.
Traditional security incidents include malware detection, system availability loss, or compromised data. It is not if a security incident will happen, but when. Using risk management to prepare for multiple scenarios could be the difference between business closure and continuity.

Account for IT systems expansions.
Business decisions are a common source of IT expansion. Unfortunately, these decisions are rarely made with IT or Security consultation. Unexpected expansions cause more expenses than expected, throwing off budget, resourcing, and project plans. Addressing security concerns and requirements after the fact impacts budgeting and resourcing. As an IT leader, try to be involved whenever the discussion of IT initiatives is brought up.

EXAMPLE: Marketing moves customer data to the cloud without notifying Security and engaging them while selecting a vendor and migrating data.

The Security Implications
• Sensitive customer data was sitting in an environment outside of the scope of the organization’s security program.
• Unexpected security costs were incurred analyzing the vendor after the fact and addressing concerns related to on-premise to cloud data integrations.
[Chart: Mitigation and Control Expenditure (Allocated Resources) over Time, before and after a Security Incident, comparing a Reactive Mitigation Posture with a Proactive Mitigation Posture]

Take a proactive approach to managing security

BENEFIT: Proactive mitigation lowers overall security costs over time.

Proactive Mitigation Posture
• Enables the team to learn from security incidents and apply lessons to security practices, increasing security strength.
• Entails pre-emptive “what-if” planning and prevention actions.
• Is done to introduce more specific technology, policies, and procedures that better protect information at a lower cost.

Reactive Mitigation Posture
• Allows for security investments to occur, but does not extensively consider past incidents and incident analysis, keeping security strength stagnant.
• Lacks the ability to recognize security incidents before their occurrence.
• Involves little analysis of incidents.

Security incidents inevitably affect budget planning, regardless of posture. A proactive posture allows for lessons learned that actually improve information security capabilities and cost measures over time.
Research Navigation

Info-Tech Research Group has two research reports related to building an information security strategy. Use the questions below to help steer you to the research project that best suits your organization.

Is this research right for you?
1. Does your IT department consist of fewer than 15 full-time employees?
2. Does your organization have limited resources for its security program?
3. Is your organization looking to build a lean information security strategy?
4. Is your organization in a loosely/un-regulated industry?

If you answered YES to most of these questions, keep reading this blueprint.

If you answered NO to question 4 or have significant concerns with your current security capabilities, go to the Build an Information Security Strategy research.
Improve your ability to prevent security incidents and improve protective practices by leveraging Info-Tech’s four-step approach:
1. Assess Security Requirements
2. Determine Current and Target States
3. Develop Improvement Plans
4. Create and Communicate Your Roadmap

Info-Tech Recommends: You will need to have a deep understanding of the business, even and especially if your organization does not have an awareness or understanding of information security. Use the information and insight that you gather at the outset to drive your project’s activities and enable you to build and implement a roadmap that best maps to your business’s priorities and vulnerabilities.
Don’t just read it – do it!

Use this research to create the following key deliverables:
• Program Roadmap
• Scoped Initiatives
• Security Strategy

WALK AWAY FROM THIS PROJECT WITH:
• Plans for improving the performance of foundational security functions.
• A vision for how to mature the organization’s security program (estimated one- to three-year trajectory).

Tactical guidance, immediate support.
Use this research to build a security strategy

Intended Audience
• IT departments with 15 or fewer full-time employees.
• Organizations that want to quickly assess and build a security strategy focused on foundational capabilities.

Expected Benefits
• Completed security strategy documentation using best-practice templates.
• Strong understanding of security issues and requirements.
• Improved business awareness and understanding of the importance of information security.
• Improved performance of critical security functions.

This Research Includes
• Guidance for analyzing and building security capabilities.
• Directions that help to accelerate brainstorming, analysis, and execution of security plans.
Use the following tools and templates:
• Information Security Strategy and Workbook Template
• Security Pressure Posture and Analysis Tool
• Security Component Maturity Level Descriptions
• Information Security Program Gap Analysis and Roadmap Tool
• Project Charter and Status Update Template
• Information Security Strategy and Roadmap Communication Deck
Want to learn more about this research? Improve Information Security Practices in the Small Enterprise

Info-Tech Research Group’s advisory services include a team dedicated to Security, Risk, and Compliance Management.

Experience of Info-Tech’s security team
• Former CIOs and CISOs
• Security architects

Topics Covered
• Security strategy planning
• Data Classification
• Vulnerability Management
• Identity Management
• Endpoint Security
• Penetration Testing
• And many more…
Info-Tech offers various levels of support to best suit an organization’s IT needs

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
Info-Tech Research Group is an information technology research and advisory firm that has been working with clients to help them make strategic, practical, and well-informed decisions and plans since 1997.

Info-Tech leverages the experience of its analysts and of its over 3,000 IT professional members to help build practically oriented research that guides organizations to learn from the experiences of their peers, best position their departments, and empower their organizations.

Info-Tech’s Mission
Help IT leaders and their teams:
• Systematically improve their core processes and governance
• Successfully implement critical technology projects
Contact Us

Corporate headquarters (London, Ontario, Canada)
602 Queens Avenue, London, Ontario, N6B 1Y8

Toronto, Ontario, Canada
888 Yonge Street, Toronto, Ontario, M4W

Las Vegas, Nevada, USA
3960 Howard Hughes Parkway, Suite 500, Las Vegas, Nevada 89169

Website: Infotech.com
Phone: North America: 1-888-670-8889; International: +1-519-432-3550