Sure, firewalls and other security appliances and technology provide value to the organization’s information security efforts.  But let’s not forget what the United States Department of Defense considers the “best bang for the buck,” security awareness training (SAT).  SAT should be designed to deliver the appropriate message for each type of employee (technology worker, manager, executive, etc…) and focus on improving staff awareness, knowledge and understanding.  ISO17799 News reported some time ago that most security breaches occur at the ground floor level, through employees making errors or inadvertently revealing information.  Therefore focusing on the high-tech threats is likely less valuable than what might be called common sense security or what some consider the “Human Firewall.”   So as important as it is to defend against the seemingly endless malware, denial of service, and other internet bound threats; remember, our knowledge workers need to understand and carry out their role in protecting the critical business assets they work with each day.  In the end, reducing risk from technology will come from a combination of administrative, technical, and physical controls.  How much of each, however, will be influenced heavily by your own industry and business.

Today’s highly fluid business environments are constantly adapting automation and technology into their environments. The ability to efficiently and securely meet the demands of the business is becoming multifaceted and more complex as newly emerging threats are being discovered each day. Answering the question “Are my business systems secured?” is a simple evaluation of risk.

How do you evaluate risk?

Each business will have a different risk tolerance level. However, the fundamental approach to understanding, evaluating, and controlling your risks follow these basic steps:

1) Identify and prioritize your systems or assets
2) Figure threats against the system
3) Discover deficiencies or vulnerabilities in the system
4) Evaluate the system’s current protection measures
5) Close or reduce the gap between vulnerabilities and protection
6) Accept or transfer any remaining risk

Your business systems are now secured to your risk tolerance.