Integris Credit Union in Prince George, B.C., has a challenge. Its six IT staffers serve 185 full-time employees, plus part-timers, and they manage everything from PCs to databases to security.
While keeping data secure - whether from threats or carelessness - is key for financial enterprises, it's difficult for smaller outfits like Integris. "It's kind of crazy," said Bryan Simon, the credit union's senior systems and security specialist. "We're running with a pretty small team compared with what we're tasked with."
His situation is typical for small businesses. While security is every bit as important to smaller operations as it is to larger enterprises, the small guys often lack the resources to dedicate someone to the task full-time. Instead, they often rely on staff who can spare a few moments, and who may or may not be aware of every security protocol. While Mr. Simon understands his portfolio well, he can't do it all with the resources he has.
He's not alone. In a survey conducted for IT security giant McAfee Inc., three-quarters of mid-market companies worldwide said they lacked dedicated security staff, even though a serious data breach could put them out of business.
In fact, 58 per cent of respondents said they devoted less than three hours a week to security, said Cari Jaquet, marketing director for global integrated programs at McAfee. More than 80 per cent of respondents said they were concerned about both inadvertent and malicious data loss.
To help businesses mitigate the risk, McAfee has developed a vendor-neutral program called Secure in 15. The premise: in fifteen minutes a day, a small or medium business can maintain adequate security without having a full-time staffer assigned.
IT staffers can use the free, Web-based calendar, designed by McAfee with a part-time security person in mind, to help them organize and monitor tools and procedures at their company. For McAfee and its partners, it's a tool to help them open a dialogue about security with their customers, Ms. Jaquet said.
Mr. Simon is implementing the program at Integris. He likes the tool because it recommends concrete steps to follow and is not vendor-specific. "It's like a gesture of goodwill in security," he said.
The program provides a Web-based calendar and checklists that break security tasks into 15-minute daily chunks.
For example, on Monday, five minutes go to adjusting threat-protection policies, one minute to identifying non-compliant systems, one minute to updating those systems, five minutes to monitoring compliance policies and three minutes to identifying questionable events on the intrusion detection system.
Tuesday's agenda includes two minutes of checking for virus and malware infections, two minutes of identifying emerging threats, three minutes of cleaning infected systems, five minutes of monitoring compliance policies, three minutes of creating trusted users and three minutes of monitoring websites visited by employees.
Later in the week, policy violations are addressed, rogue systems identified and mail systems dealt with.
The incremental process makes sense to Mr. Simon. "It's easier to hang up clothes every day rather than letting them accumulate," he said. With defined tasks, he's comfortable assigning even junior administrators to the security detail.
But security is not just about tools; it's about user awareness as well. And, Mr. Simon said, awareness is a two-way street: IT also needs to be aware of the users' business processes. "If you implement a security control that prevents people from doing their jobs, they will find a way around it," he said. "It's important to build rapport with end users and encourage them to come and ask questions."
With that rapport, he said, he can find out about potential security risks from users and can suggest changes to mitigate them. "It makes them feel like part of the solution," he said. "I would hate to know that something happened that could have been prevented."