Those areas are:
Technology – the hardware and software components of doing YOUR business. What you use and how you use it depends on your business but all of these components have to be configured correctly, updated regularly and monitored.
Management – how do you control the business with policies, procedures and processes, how do you train your Staff and how do you monitor and report on all of the business and security components within your infrastructure.
Adaptability – what happens to your business when something does go wrong and can you benefit from a change in the market place. This also includes BC, DR and Business resilience.
Compliance – does your business comply with all of the internal and external compliance requirements, are you reporting to the right people at the correct time.
These four facets of business security create a tightly protected and adaptable business environment that will, in the end, protect your data, your staff, your clients and your infrastructure from both internal and external attack.
It allows you to monitor what is happening, sometimes in real time, and make business decisions based on facts.
So how do you get to this level?
The items below are the start of our business security framework and will help to evaluate where your business sits in its security goals.
Have you identified all of the digital security risks within your business?
Most small and medium businesses and not for profit organisations have never taken the time to ascertain the data risks associated within the business.
They have not documented the basics, what and where their critical data is located, how do they protect it and how to mitigate the risk of something happening to it.
This also includes the cost of downtime, legal and reputation based risks.
This risk analysis then becomes the basis for your Business Continuity Plan.
Have you done the basics?
At a very basic level there are a number of things that can be simply implemented that will automatically lift your business security profile.
Create a password policy, no more password for full access to systems.
Make sure you have good anti- virus, anti-spyware and anti-malware applications installed and they are updated regularly.
Make sure all systems are updated and patched regularly, this includes operating systems, applications and BIOS level requirements.
Have you changed all of your default access to firewalls, switches, modems and applications.
Have you created a disaster recovery, business continuity and business resilience plan?
To make your business more adaptable you need to be able to look at the internal and external risks and make sure that if something happens that your business will not suffer, but if it does suffer that there will be minimal interruption to your business procedures.
Are you doing a backup, how often and to where?
Does the backup include all,of your business data and in the event of an emergency can you restore from it.
Do you have a disaster recovery plan?
Has it been tested?
Test it regularly.
Do you have a business continuity plan?
Do you have systematic security training for all staff?
One of the hardest parts of the security world is keeping up to date with all of the changes in technology and also exposure.
Not only do you need to keep abreast of these changes but you also need to help your staff understand your expectations.
To do this you need to have some level of training.
Do you have some level of security training for your staff.
Are your keeping them informed on how to protect not only your business information but how they can help protect themselves.
Are your mobile systems safe?
Wireless is a tricky beast, it is one of those can’t live with it and can’t live without it problems.
When set up correctly it can ensure your staff are more productive, when set up incorrectly it is one of the biggest security leaks available.
There are a number of ways to create a better wireless environment, always use a pass phrase, use the wireless as a separate network so that it does not touch the corporate network.
Always use the highest encryption settings available.
The BYOD world has exploded onto the business environment and it has added more stress to business ICT infrastructure.
This explosion has created more attack vectors for people trying to access your business information inappropriately.
The additional strain comes in several directions.
Your staff will want immediate access to your information from the time they walk in the door.
They also require access when they are on the road or from home.
Decisions have to be made to ensure that information is secure in transit as well as ensuring that a lost device will not compromise your data.
Setting up RDP for all corporate data access ensures that all data is securely located inside the secure environment.
If you are using wireless or VPN connections are they secure, are they free of leaks and are you only allowing authorised connections to your business.
Are you using some level or remote desktop appliance to ensure all remote information is not stored on your external devices.
Lost and stolen hardware?
One of the biggest problems for the BYOD generation is what happens when one of the devices is stolen, lost or misplaced.
All types of smart appliances need three things in place – the capability to wipe the whole machine remotely, encryption of all corporate data at the hard drive level and no automatic saving of passwords in applications.
So do your external laptops, smart phones and tablets have the remote wipe capability, is all data encrypted on the laptops hard drives, and have you enforced policies on them all.
Separate business from family?
Another problem in the business world at present is getting the office / home balance correct.
If your organisation is supplying all of the business components to your staff then you have the capability to ensure that nothing, apart from business, is done on them.
In the BYOD world where the device is used for both office and personal use, you need to have some level of separation.
This includes using home computers accessing business data need to have a basic level of protection.
Privacy and security systems on access?
Trust is probably one of the biggest emotions in today’s business world.
You have to build trust so that your customers have an expectation of privacy, enough for them to do business with you.
To do this you have to put in place and enforce certain Digital Security practices.
These include checks on payment gateways – is it a reputable organisation.
Is your web site, mail server and internet access protected by an SSL certificate and is that from a reputable supplier?
If you are taking credit card or personal information is it securely protected, are there internal checks in place to ensure that the database or storage location cannot be compromised.
If you don’t have then expertise on site get it from outsourcing, managed services, or professional support companies.
Small and medium business and not for profit organisation are often caught short on the required Digital Security expertise to protect themselves correctly.
If you are in this position then I recommend that you talk to someone who can help.
A Digital Security expert can be expensive but the loss of revenue, reputation and trust will be so much more expensive in the long run if your business does become a security statistic.
There you have it, a brief description on how small and medium business and not for profit organisations can secure their business and protect their data, staff and customers.
Please download the attached PDF (Quick Business Security Checklist) for a quick check list to see at what level your business Digital Security is placed.
There is no obligations and it may help management and ICT staff to get a better understanding on your Digital Security requirements and what you need to do to better protect your organisation
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.