Best practice for data protection

Any security system that claims it will protect 100% of your data 100% of the time is lying. This is not a little white lie; it is blatant and at times just a ploy to get you to spend money on the vendor's products. The only way to achieve that level of protection is to not allow access to the data at any level, and the problem with that is that the secured data is now useless to the business. To allow the business to function you need to access the stored information, and to achieve that you have to manage the access correctly. To manage the data you need to be able to access it, and because no system is 100% secure you are now back to square one.

For any small and medium business or not-for-profit organisation, getting the protection of your business data right is a major headache. Juggling access, confidentiality and integrity is a full-time job. In some businesses there are well-defined systems, but in others anything goes. The additional stress of profit margins, revenue and just basically keeping your head above water can be an all-consuming process for management and staff. With that, data security goes out the window.

A process and procedure within the business that can be applied to all critical data is pretty important. A system that is easy to administer and manage is equally important. These two factors, management and usability, are critical for anyone trying to manage and secure data within an SME.

The use of best practice will make your business more manageable as well as improving the protection of the data. Here are five best practices that a small and medium business or not-for-profit organisation can apply to its data. They will improve the security level of that data and have little effect on the business's bottom line.

Do A Risk Assessment

All small and medium businesses and not-for-profit organisations need to conduct a risk assessment on their data, on their systems and on their business requirements. The risk assessment takes into account what the data is, where it is stored and who has access to it. Once you have defined this, you will need to decide what level of risk the data carries and what level of protection it requires to be effectively protected.

Personal information, payment systems and the information pertaining to them, and Intellectual Property (IP) are critical business components that need a higher level of protection. This protection drives the three components of security: accessibility, integrity and confidentiality. For an SME, accessibility is the key. You may ask why; in an SME people wear multiple hats, and the business roles are often filled by one person doing all of the jobs.

Larger organisations have specific people doing specific jobs. There is a separation between each role within the company, and this improves access control. Just in the accounts section there would be accounts in, accounts out, account managers, accounts management and CFOs. The separation is based on the people in each role; in an SME all of those roles could fall to one person. So a method of restriction based on business roles would not work comfortably within the business.

Manage the protection correctly

All cyber security protection comes with risk: the risk that the technology is not top of the line, the risk that the training of your staff has not included essential components, and the risk that your staff do not have the correct access and security to do their job. These are all components of making sure that the security fits the business requirements.

Once a risk analysis has been completed, the management has to ensure that the correct level of protection is incorporated into the business at all levels.

You, as a business owner or manager, have to ensure that the lowliest person in your business has full access to the information they require to do their job without compromising other areas of the business. For instance, a receptionist does not need access to the accounts or HR data within the business, but they will need access to the CRM modules of your data system. They need access to the CRM to do their job, but having access to the rest could cause an internal breach.

Educate your People

One of the largest problems in cyber security is making sure that your staff and management understand what you, the owner or the one in charge, are trying to achieve: a level of protection for their personal information as well as for your clients' and customers' information. One of the largest problems that any organisation encounters is explaining to people why they do not have access to other areas of the business, and why certain information is secured and harder to access.

Maybe it is human nature to be inquisitive, but within any organisation there will be secrets that have to be kept from others in the business, from the outside world or from other sections of the organisation. This "compartmentalised security" allows the organisation to keep the confidentiality of the business. Confidentiality of the information is also needed to ensure that some level of "need to know" is enforced.

The more staff you have, the more compartmentalised your security configuration can be. It is very hard to restrict access in a smaller business because of the number of hats that each person wears.
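The receptionist example above (CRM access but not accounts or HR) and the "need to know" compartmentalisation described in this section can be expressed as a small access-control model. The following is an added example written for this page, not code from the author or from the SME Security Framework. The compartment names, role names and the audit log format are constructed for illustration. It shows how a person wearing several hats in an SME gets the union of those roles' permissions and nothing more, how every denied access is recorded so that internal probing is visible, and how a privilege that a person holds but never exercises can be flagged for review at the next risk assessment.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A permission is (compartment, action). Compartments and roles below are
# constructed for this example; a real business would derive them from its
# own risk assessment (what the data is, where it lives, who needs it).
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "reception": frozenset({("crm", "read"), ("crm", "write")}),
    "accounts_payable": frozenset({("accounts", "read"), ("accounts", "write")}),
    "accounts_receivable": frozenset({("accounts", "read"), ("accounts", "write")}),
    "hr": frozenset({("hr", "read"), ("hr", "write")}),
    "cfo": frozenset({("accounts", "read"), ("accounts", "approve")}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]  # one person may hold several roles (several "hats")


# Denied requests are kept here so that a manager can see who keeps trying
# to reach compartments they were never granted (the "inquisitive" problem).
AUDIT_LOG: List[str] = []


def effective_permissions(user: User) -> FrozenSet[Permission]:
    """Union of the permissions of every role the user holds. An unknown role
    contributes nothing, so a typo in a role name fails closed."""
    perms: set = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: User, compartment: str, action: str) -> bool:
    """Need-to-know check: allowed only if some held role grants exactly this
    (compartment, action). Every denial is written to the audit log."""
    allowed = (compartment, action) in effective_permissions(user)
    if not allowed:
        AUDIT_LOG.append(
            f"DENY user={user.name} compartment={compartment} action={action}"
        )
    return allowed


def unused_privileges(user: User, observed: Iterable[Permission]) -> FrozenSet[Permission]:
    """Least-privilege review: permissions the user holds but has not exercised
    in the observed period. Candidates for removal at the next risk assessment."""
    return effective_permissions(user) - frozenset(observed)


if __name__ == "__main__":
    # Constructed sample users: a receptionist with one hat and an owner with many.
    receptionist = User("reception desk", frozenset({"reception"}))
    owner = User(
        "owner",
        frozenset({"reception", "accounts_payable", "accounts_receivable", "hr", "cfo"}),
    )
    print("receptionist crm/read:", is_allowed(receptionist, "crm", "read"))
    print("receptionist hr/read:", is_allowed(receptionist, "hr", "read"))
    print("owner accounts/approve:", is_allowed(owner, "accounts", "approve"))
    # Constructed access history for the receptionist over one period.
    print("receptionist unused:", unused_privileges(receptionist, [("crm", "read")]))
    print("audit log:", AUDIT_LOG)
```

The point of `unused_privileges` is that in an SME the risk assessment is never finished: when the person who was doing accounts and reception stops doing accounts, the permission should go with the hat, and a list of held-but-unused permissions is the cheapest way to notice that it did not.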

Use the right technology and systems in the right place

I have come across technology on a site being used inappropriately or incorrectly more times than I can count. Applying one level of technology that compromises another is not the correct implementation of a system. This usually comes about through purchasing a system that will only do a part of what it was bought to do, and the problem usually arises when a really good salesman is involved.

If you purchase a system that is a firewall but you also want a VPN endpoint, endpoint protection and internal web filtering, then you need to look at the systems that will fit your purchasing criteria. A cheap and nasty modem router from an electronics store will not fulfil the role.

Think Outside the box

Some of the most interesting solutions for data protection are those that have come about through a totally unrelated use of systems or management to achieve the required level of protection. These solutions have the added benefit of allowing better utilisation of the systems that they are protecting.

I can think of numerous ways to compartmentalise your data to such a level that it is well protected (the integrity of the data) but the business would lose functionality (data access), which creates bigger problems.

Finally, and not part of the five best practices, is common sense. If it's too good to be true, if the sales hype is over the top and if there is no substance to the claims, then it is probably untrue. You need to look at any claims with a level of scepticism.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.