For many small and medium-sized businesses and not-for-profit organisations (SMEs), the security of information, systems and networks is not a high priority. But for their clients, employees and suppliers, it may be the very highest priority.
Larger businesses, enterprises and government departments all over the world have been actively pursuing information security, devoting significant resources to it, including advanced technology, staff training and education. SMEs can’t afford to fall behind and lose business to competitors who protect their clients’ information more carefully than they do. It is therefore essential that all SMEs look to securing the information under their control.
Why should an SME be concerned with information security and the threat of cyber crime?
Your clients and customers expect that their sensitive data will be respected and given adequate protection. The employees of an SME also expect that their personal information will be protected.
Whether you’re an SME, large business or government department, your information is legally required to be secured on-site and in transit to protect its confidentiality and integrity. Access to the data has to be balanced with security requirements, in order to allow people who need the information (but only those people) to access it.
Yes, there’s a cost to protecting your business data: hardware and software cost money, while management controls, including policy and procedures, take up employee time. But there are much greater costs associated with not protecting an SME’s critical data. Unfortunately, SMEs have a nasty tendency to think only about the balance-sheet items that are right in front of their faces. They avoid putting adequate protective systems in place for sensitive business data—the old “it won’t happen to me” mentality.
Managers, owners or C-level executives who are mired in a cost-avoidance strategy need to consider the costs that are not immediately obvious. Just look at the notification rules in the US, where an SME is required to notify all persons whose data has been exposed in a security breach (whether it’s caused by a hacker, malicious code or an employee releasing information). I suppose that we in Australia are a little luckier because we do not have as strict compliance requirements, but they are getting there. Each notification (of a customer who might have been exposed) can cost up to $130.00. Multiply this by the size of your customer database—$130 x 500 = $65,000. Even for a small company, it adds up fast. This figure does not include reduced revenue caused by a loss of trust and respect. For an SME, these are vital.
At this point, you may be feeling anxious. After all, an SME does not have the budget to implement a world-class information security program. But it is possible to build a level of protection that fits within your resources while still protecting your critical business information. In practice, this means a security framework that ensures malicious code will not take hold, and that a hacker will move on to a target that is not as hard to access.
There are a number of steps you must take to create a secure business environment. They include:
- Protect vital business information from damage or loss caused by viruses, spyware and malware, using endpoint protection, best practice and security updates.
- Protect your internet connection with a firewall and an application level firewall.
- Activate firewalls on all computers, servers, routers and business systems.
- Patch all operating systems and applications, and upgrade to the newest version as soon as it is practicable.
- Back up all critical business information, preferably to an offsite location.
- Control physical access to the premises and the servers.
- Secure wireless access points and VPN user access.
- Train and educate your staff in security practices.
- Use individual user accounts for all staff, both for access to the computers and for all application logins.
- Limit access to data to the level that the user requires.
But while you can write all the policies you want, you can’t be everywhere at once ensuring that people follow them. So the next question is, how do you do that? The answer is education: training your staff to recognise the possible dangers they may encounter.
- Have your staff keep an eye out for emails, instant messages and social media messages requesting sensitive information, or containing web links. Define what they should do about it.
- Keep your staff informed so that they watch out for pop-ups and other hacker tricks.
- Have your staff make sure that not only business computers, but also home computers, are secure. This is essential for banking and online activities that involve sensitive information.
- Make sure to check references when hiring new people.
- Make sure staff understand the dangers of careless surfing and of downloading software from dubious sites.
- Have a security expert available whom you can contact, and who can train and educate your staff.
- Get rid of old computers, servers, CDs, DVDs, USB drives and anything else that may contain electronic data—securely and, if possible, greenly.
- Beware of social engineering! (See my article “social engineering a major attack vector for cyber crime” for more on this.)
If you implement the best practices described in this article, you will not only protect your business, but also be able to use that security as a marketing asset. You’ll be able to tell customers—accurately—that the privacy and security of their information is your highest priority.