How secure is your data when it leaves your control?

At some time in a businesses life there is a need for some level of external involvement.   Most small and medium businesses and not for profit organisation have access to accountants, solicitors, engineers when they need it.   Sometimes you have low level interaction with these types of business but what I am talking about today is when you have a requirement for your critical information to leave your security envelope and control.   This information may involve how you do business, your clients information or your intellectual property.

Any business may need to employ external contractors to do a job, get a job done or as part of a conglomerate, where information has to pass backwards and forwards between all parties.   Sometimes you will have to justify how you will protect the other parties information but as a business I would be more concerned in how they are going to protect yours.   If your information has to move from a highly secure environment to one where you have no control over it then this is what you need to know.

Here are 10 questions to ask before employing someone outside your organisation who needs access to your critical business information.

  1. Does management, owner and / or the executive committee enforce an internal culture of security?
  2. Do they use secure email, remote access, and servers with 2 factor security tokens or another form of dual-factor authentication to protect critical information?
  3. Do they restrict access to critical information using complex passwords on workstations and servers and do they restrict access for IT personnel with highly privileged credentials.
  4. Do they log access to its critical business files, so all access to information is monitored?
  5. Do they conduct regular security training?
  6. Are they associated with countries with state-sponsored espionage?
  7. Do they grant users access to data on the network or is access granted on a need-to-know basis?
  8. Do they have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?
  9. Do they employ highly trained security personnel who are skilled in sophisticated incident response?
  10. Do they have an security incident response plan and external incident response providers?

Before you think about employing an external company for your business make sure that they are going to manage your Intellectual Property, client list and critical business information with the same level of security that you do.

The bad guys and your enemies are not stupid.    External access to your information can be a threat to the security of your critical business information.   By asking these questions before you sign that contract can go a long way to protecting your business assets.  Just remember, A little social engineering can get a large amount of information on where you do business and who you do business with.   Combine that with lax external data security then you could lose your business edge.    It is important to protect your business information even when you do not have control over those that are using it.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.