InfoSec Reviews – Keeping Your Data Secure

Book Title: Keeping Your Data Secure

Subtitle: 101 Tips You Must Know

Author: Stephen Gibbs

Publisher: Snappy Titles

Date of Publishing: 2011

ISBN(13): 9780956816504

Price (UK&US price – full price, not discounted price): £13.99UK / $24.99 US

URL of Publisher Site: Snappy Titles

URL of Amazon UK web page: Keeping Your Data Secure: 101 Tips You Must Know

URL of Amazon US web page:

This book bills itself as “101 Tips You Must Know” and it will come as no surprise that these are quite simply the distilled basics of good practice around maintaining secure data, systems and network. The target audience is Management, or IT Administration, in organisations with fewer than 250 employees, including businesses, schools, clubs and charities. Particularly, at the smaller end of this size spectrum, the IT Admin role is often not a formal role, and the person doing it is frequently what Gibbs describes as a “well-meaning part-timer”, i.e. the employee who happens to know most about IT and hence picks up the IT jobs, with probably no knowledge of basic IT security. It is these kinds of organisation that often have little understanding of the risks their systems and data are exposed to via the Internet, as well as other means, or of how to mitigate these risks. If you run a small business, or are the IT person in one (or maybe just have a computer with personal data and an Internet connection) this book is an excellent starting point to find out about general security principles and begin to get on the right track. It is a lovely slim volume, 150 pages in all, of which the tips themselves cover 81 pages. At £13.99 (less than 14 pence per tip) this is great value for anyone in the previously mentioned groups. Every one of these tips has the potential to save a small business a fortune and in some cases even possibly save the whole business. The 101 tips themselves are separated into three sections: ‘Operating Systems and Productivity Systems’, ‘Securing the Network’, ‘Backing Up’, and ‘Managing Your Users’. Gibbs does a good job of achieving a style that is both informal and engaging without being overly chatty or condescending.  The language is clear and about as non-technical as is possible to get on these topics. Essentially, each tip is a paragraph or two focusing on a single action that the small-organisation IT person or business director needs to know about for securing their business’s systems, data and reputation. The purpose is to encourage (indeed scare) the reader into taking positive action without it being the actual implementation manual. The reader will need to follow up, either with further reading or possibly hiring a professional security guy, but in either case this book provides very clear focus on where to start so that time and money can be well spent. Each tip is rated on a scale of 1-3 in two dimensions:  stars for risk mitigation, and dollars for cost of implementation. This helps the reader identify the greatest value / lowest cost items first. Sure, you could argue over some of the categorisation, or whether some tips should be split or others combined. However, to do so would miss the point, which is that there are lots of small businesses and organisations out there who don’t know the basics of IT security; and there are some basic actions that anyone with any sort of IT system must take, with others they probably ought to take if they can afford it. The tips are spread across the various ratings in a way that differentiates them simply and understandably. My only criticism of this is that the tips could have been ordered by cost/benefit in the first place, or this shown in a separate table; but given the readability and general pithiness of the book, this is a minor point. Part 1 provides a whistle-stop tour of the critical items to be aware of in managing OS and common software. This includes making sure that versions, licensing and patching are managed, software firewalls and “anti-everything” are in place, encryption, anti-theft technology, and destruction of hard drives and so on are all given consideration. Part 2, ‘Securing the network’ covers the importance of firewalls, as well as implementation of basic good practice to reduce threats through VPNs, DHCP, modems and wireless. Securing the hosts file, checking logs and centralising patch management are among other topics brought to light for the security amateur. Part 3, ‘Backing Up’, takes the reader through tips on the importance of backing up and the high-level choices (tape, disk, cloud). This covers tape usage, backup storage, minimizing volume, and the need for encryption and restoration procedures. Part 4, ‘Managing Users’, includes tips, such as restricting access permissions, managing hires and fires, authentication and strong credentials, as well as the importance of an acceptable use policy and employee training. Part 5, ‘Resources’, contains detail on following up the tips themselves, mostly in the form of links to further information. This includes all sorts, from how to access a machine’s BIOS, links to news stories on deliberate hacking or security breaches. Although this does involve flicking to this section if you want to drill into a tip, it does have the advantage of keeping the tips themselves uncluttered and easy to comprehend. The Glossary in Part 6 does a good job of providing pithy explanations aimed at the books’ target audience.

Whilst certainly not a book which will provide much for the seasoned IT Security Professional, or most ‘big-organisation’ security people, this book is most definitely one to give nightmares to – as well as call to action – the Director or IT Admin staff in the small to medium sized business. This really is the best kind of dumbing down. Snappy Titles is set to follow this book with another volume later this year entitled, ‘Keeping Your Data Secure II: The Human Factor’ which I trust will be every bit as good as this volume. Overall, a must-buy for anyone in a small to medium sized business that doesn’t have any IT security.

This is a terrific little book for the Director or IT person in a small business or similar organisation. A collection of easy-to-understand basic security actions, indicating their costs and benefits, it is worth every penny to help start addressing the non-IT professional’s “unknown unknowns” around IT security.

Marks: 5 out of 5