1) Get the advice of outside agencies if you can't afford top-notch security experts.
2) Having an independent audit agency do vulnerability testing can go a long way.
3) Invest in IDS hardware but outsource IDS monitoring to companies who have the expertise. This way you will be able to understand the significance of what the alarms mean and respond accordingly.
Warren R. Bituin, director, Technology Risk Consulting, Arthur Andersen, says:
1) Perform a security risk assessment of your existing technology environment.
2) Include the four risk management areas in this assessment. The four areas are: policies and procedures, deployment techniques, technical solutions and monitoring process.
3) Perform enterprisewide security management to ensure that all technology components -- physical, network, platform, databases, business systems -- are properly considered.
Security policies and procedures remain at the top spot among the key concerns that companies need to address.
"The company's security policy is the key to their success. It should be the standard operating instruction for the company with regard to security operations. It should spell out what can and can't be done by users and list how and what services should be available for their use," Conorich said.
It is simply a document that will be the basis for your security implementations and covers the who, what, when and where of access to your IT resources, explained Dela Cruz.
Bituin said such a policy must be developed, approved by top management and disseminated to all concerned employees. Dela Cruz added that its crafting should involve every segment of the organization, including engineering, human resources, accounting and auditing departments.
For Jeffery Sy, country manager of Trend Micro Inc., a security policy should also outline management support, user training and cost-effective security measures.
"The deployment of security solutions should also be managed. This should include change control over technical architecture, the design, implementation, and administration of the security function and user administration, education and training," said Bituin.
FIREWALLS ARE NOT ENOUGH
The experts said that security is a process, not a goal. So when it comes to implementing the security technologies or solutions, companies should not rely on one technology alone to provide any significant comfort. Firewalls are not enough.
Dela Cruz noted that most companies become complacent once firewalls, access control, authentication and encryption are implemented.
"Most people feel that these are enough. They give them a false sense of security. What they don't know is that there are other factors that can cause security breaches which are beyond the capabilities of firewalls," he said.