Jan 08 2009
Tough Conversations for 2009
If this first week of 2009 is any indication for the rest of the year, we are in for a wild ride. I regularly touch base with each of our clients to ask the tough questions so I know when things are going well or badly. The economy is not doing anyone any favors right now, and fighting risk is becoming a do-or-die situation.
There is always the exception to the rule. Forrester sees spending on the rise for information security, according to a recent survey. Although the trend may be for businesses to say they are going to do what is necessary to mitigate future threats, my discussions have been a bit different, leading me to believe that there are some discrepancies between what they are asking and what clients are spilling to us.
The tough conversations are still ahead of us with the year being so fresh still. Malware trends are on the rise, breaches last year were at an all-time high, and cyber criminals are in the shadows just waiting for their chance. But fear, uncertainty, and doubt are no way to plan for technology. You see it in every marketing document: the "doom and gloom will cause you havoc if you do not buy this product" type of message. We do not pay attention to that; it simply does not solve any issues, and just makes for more tension between security and the business office.
Our focus should be on what is going to make the best return on investment and minimize the big risks, and that is without breaking the bank. Making the case for what risks you may be most vulnerable to takes time to research. Audits, pen tests, reports: these all play into things. Once those are taken into consideration, however, the choice is how to move things around so you can afford to save your job and keep your data the safest it can be.
End user training will be an important goal for every company in 2009. The more your staff knows how important the threat is, the more they will invest their time in not making mistakes. Invest in your staff like you buy products to minimize risk, focus on what is most important, and give it as much time as you can. You can afford to spend a few hours sitting down and getting the paranoia level up a little; I think everyone would appreciate being let in on just how bad it is out there. It could pay off hugely in the long run, costs very little, and it is something your staff can take home and use as a skill for the rest of their days.
Monitoring the insider threat will also pay off for everyone this year. Layoffs are going to happen, people will be upset, and rumors will fly around any office quickly. If they can take a piece of your company with them, sell it off, or just plain cause damage, then it is a risk worth considering. How are you keeping watch over the flock? Can you know immediately if something is leaving your company? Is someone somewhere they should not be in your network?
Data is 2009's gold mine, and making money off of it in a tough economy will be the main goal of any criminal. Tighten up processes, learn where the doors are being left open, and teach those who are privy to sensitive data to protect it at all costs. Working on a computer that is NOT yours is a privilege. You can do whatever you want at home, but taking the risks inside our walls is not an option. If you are going to tighten your belts, you might as well tighten up everything, right?




