It seems as if every day a new horror story hits the news about a company losing control of its information or its computer systems. While most incidents we read about concern large companies, small businesses are equally vulnerable — perhaps even more so, since many smaller companies don’t have full-time information technology security staff. Having the right information technology security is all about ensuring the availability, integrity and confidentiality of corporate data. Below is a checklist of what you need to do to secure your most valuable asset: your company’s information.
Communicate Your Commitment to Security
Having a written corporate IT security policy that communicates management’s commitment to security is crucial but often overlooked. The policy should be brief, it should reflect management’s support of the IT security initiative, and it should describe the roles and responsibilities of management, users and IT administrators.
Document IT Security Policies and Procedures
All technology should be backed by a written IT policy that stipulates proper use and the penalties for abuse. Documenting policies and procedures also assists in knowledge transfer for new or transferred employees.
Among the topics that should be addressed in policies and procedures are: adding and removing users from the system; when and how to remove data from the system; acceptable equipment use (is it OK to load personal software on a company-issued laptop?); acceptable e-mail, instant messaging and Internet usage; and rules for the distribution of data (what is considered confidential, public or for internal use only?).
Identify Critical Data
Not all data is equally important to an organization, and it should not all be treated the same. Speak with employees about the importance of their data. Using a simple ranking system of low, medium and high can help identify how critical data is to each business unit; appropriate security measures can then be implemented at each level. For example, a system that stores customer credit card numbers should have controls in place to ensure that only authorized personnel can view them. These controls could range from proper application permissions to encrypting the stored data, or requiring stronger authentication, such as a one-time password device, before the data can be viewed.
You must decide who can access different levels of data. Access control should start with providing employees with a unique user ID and the minimum access required to fulfill their job. There’s no reason to give employees write access to files that they only need to read. Make sure to change employees’ access as they change roles within your company (access may need to be granted and/or revoked) and to remove access completely for people who have left your company.
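The review described above (unique IDs, role minimums, movers and leavers) is something that can be run on a schedule rather than remembered. The following Python script is an added example, not code from the original article; its HR roster, role-to-permission matrix and access snapshot are constructed data, and the names, resources and rights in them are made up for illustration.

```python
"""Least-privilege access review.

Added example (not from the original article). Three constructed inputs:
an HR roster (who is active and in which role), a role-to-permission
matrix (the minimum access each role needs to do its job), and the
access a system actually grants today. The review flags grants to
departed employees, grants to IDs that match no one on the roster
(shared or stale accounts), and per-user access above or below the role
minimum. All names and permissions are made up for the example.
"""
from dataclasses import dataclass

# Constructed roster: user_id -> (employment status, role)
ROSTER = {
    "jdoe":   ("active", "accounting"),
    "asmith": ("active", "sales"),        # moved from accounting to sales last month
    "bwong":  ("active", "it_admin"),
    "rjones": ("terminated", "sales"),    # left the company
}

# Constructed minimum access per role, as (resource, right) pairs
ROLE_PERMISSIONS = {
    "accounting": {("finance_share", "read"), ("finance_share", "write"), ("payroll_db", "read")},
    "sales":      {("crm", "read"), ("crm", "write"), ("finance_share", "read")},
    "it_admin":   {("finance_share", "read"), ("crm", "read"), ("domain", "admin")},
}

# Constructed snapshot of what the system grants today
GRANTED = {
    "jdoe":   {("finance_share", "read"), ("finance_share", "write"), ("payroll_db", "read")},
    "asmith": {("crm", "read"), ("crm", "write"), ("finance_share", "write")},  # kept write from old role, never got read
    "rjones": {("crm", "read"), ("crm", "write")},                              # account never disabled
    "shared_frontdesk": {("crm", "read")},                                      # not a unique, named user
    "bwong":  {("finance_share", "read"), ("crm", "read"), ("domain", "admin")},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan", "unknown_user", "excess" or "missing"
    detail: str


def review_access(roster, role_permissions, granted):
    """Compare actual grants with the role minimum and return a list of Findings."""
    findings = []
    for user, perms in sorted(granted.items()):
        if user not in roster:
            findings.append(Finding(user, "unknown_user", "no HR record; shared or stale ID"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append(Finding(user, "orphan", f"{status} employee still holds {len(perms)} grant(s)"))
            continue
        needed = role_permissions.get(role, set())
        for resource, right in sorted(perms - needed):
            findings.append(Finding(user, "excess", f"{right} on {resource} not needed by role {role}"))
        for resource, right in sorted(needed - perms):
            findings.append(Finding(user, "missing", f"{right} on {resource} needed by role {role}"))
    return findings


def revocations(findings):
    """Accounts to disable and grants to remove: the actionable half of the review."""
    disable = sorted(f.user for f in findings if f.kind in ("orphan", "unknown_user"))
    remove = sorted(f"{f.user}: {f.detail}" for f in findings if f.kind == "excess")
    return disable, remove


if __name__ == "__main__":
    for f in review_access(ROSTER, ROLE_PERMISSIONS, GRANTED):
        print(f"{f.kind:<13} {f.user:<17} {f.detail}")
```

On the sample data the review flags the mover who kept write access from the old role (and never received the read access the new role needs), the departed employee whose account was never disabled, and the shared front-desk login that cannot be tied to a person; the two correctly provisioned users produce no findings. Feeding it real exports means replacing the three constructed dictionaries with the HR system's roster and the directory or file server's ACL dump.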
Back Up Your Data
Is it possible to say this too often? Your business continuity may well depend on whether you have the proper backup policies and procedures in place. If all other controls fail, the data stored on last night’s tape (or your offsite backup) could be your last resort. It’s also important to conduct regular restore tests to ensure that the data can actually be recovered. Too many times IT departments take their backup and restore capabilities for granted, only to find that a simple misconfiguration has left the backed-up data unrecoverable.
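A restore test only counts if it compares what came back with what was supposed to be saved. The following Python script is an added example, not code from the original article. It builds a small constructed data set in a temporary directory, writes a gzip tar archive with a SHA-256 manifest, restores into a second directory and checks every file against the manifest. An exclude list on the backup job stands in for the "simple misconfiguration" the text warns about: the backup completes without error, and only the restore test shows that a directory is missing.

```python
"""Backup-and-restore test: prove that what is on the tape can be read back.

Added example (not from the original article). Builds constructed sample
data, archives it, restores it elsewhere and verifies every file by
SHA-256. An exclude list stands in for a misconfigured backup job.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data: relative path -> contents
SAMPLE_FILES = {
    "finance/ledger.csv": b"2024,Q1,1000\n",
    "finance/archive/2019.csv": b"2019,Q4,900\n",
    "hr/roster.txt": b"jdoe,asmith\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path, exclude_dirs=()) -> dict:
    """Write a gzip tar of src and return the manifest of what was meant to be saved.

    exclude_dirs names top-level directories the job skips; this is the
    stand-in for a misconfiguration that silently drops data.
    """
    def _filter(info):
        top = info.name.split("/")[1] if "/" in info.name else ""
        return None if top in exclude_dirs else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data", filter=_filter)
    return manifest(src)


def restore(archive: Path, dest: Path) -> Path:
    # Use the 'data' extraction filter where available (Python 3.12+ and
    # patched 3.8-3.11) so a crafted archive cannot write outside dest.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **kwargs)
    return dest / "data"


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Report files missing from, unexpected in, or corrupted by the restore."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def run_restore_test(exclude_dirs=()) -> dict:
    """End-to-end: create data, back it up, restore it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        for rel, body in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(body)
        expected = backup(src, tmp / "nightly.tar.gz", exclude_dirs)
        restored = restore(tmp / "nightly.tar.gz", tmp / "restore")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean job:       ", run_restore_test())
    print("misconfigured job:", run_restore_test(exclude_dirs=("hr",)))
```

A clean run reports nothing missing, unexpected or corrupt; the run with `hr` excluded reports `hr/roster.txt` missing even though the backup itself succeeded, which is exactly the gap a restore test exists to catch. Against a real job, replace the constructed files with a restore of last night's archive into scratch space and a manifest taken from the live system at backup time.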
Strengthen Your Firewall
Firewalls are the first line of defense between your network and the wild and woolly Internet. Luckily, most IT departments have implemented some type of firewall technology. Today’s firewall hardware can scan for viruses and spyware, block known phishing sites and perform deep packet inspection. So while you may already have a firewall in place, it may be time to review its capabilities and its rule set, and to add an extra layer of protection. Also, schedule regular vulnerability scans to get a better idea of your security weaknesses.
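Reviewing a firewall means reading its rules, not just its feature list. The following Python script is an added example, not code from the original article, and its rule format is a constructed, vendor-neutral one (name, action, direction, source CIDR, destination ports) rather than any product's syntax. It flags inbound rules that open administrative services to any source, any-to-any inbound allows, and rules that an earlier rule already decides, including the dangerous case of a deny placed below the allow it was meant to override.

```python
"""Firewall rule review: find the rules a vulnerability scan will find first.

Added example (not from the original article). Rule format is
constructed and vendor-neutral; all addresses and rule names are made up.
IPv4 only, as written.
"""
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from arbitrary Internet sources
ADMIN_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb", 3389: "rdp", 5900: "vnc"}
ANY_PORT = frozenset()   # empty set means "every destination port"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "in" or "out"
    src: str         # source CIDR
    ports: frozenset # destination ports; ANY_PORT for all


# Constructed rule set, evaluated top to bottom, first match wins
RULES = [
    Rule("allow-web",        "allow", "in",  "0.0.0.0/0",      frozenset({80, 443})),
    Rule("allow-rdp-any",    "allow", "in",  "0.0.0.0/0",      frozenset({3389})),
    Rule("deny-rdp-guest",   "deny",  "in",  "172.16.5.0/24",  frozenset({3389})),  # below the allow it should beat
    Rule("allow-admin-vpn",  "allow", "in",  "10.8.0.0/24",    frozenset({22, 3389})),
    Rule("deny-smb-all",     "deny",  "in",  "0.0.0.0/0",      frozenset({445})),
    Rule("allow-smb-lan",    "allow", "in",  "192.168.1.0/24", frozenset({445})),   # dead: deny above it
    Rule("allow-out-all",    "allow", "out", "192.168.1.0/24", ANY_PORT),
]


def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet rule b would match."""
    if a.direction != b.direction:
        return False
    if not ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src)):
        return False
    return a.ports == ANY_PORT or (b.ports != ANY_PORT and b.ports <= a.ports)


def audit(rules):
    """Return (rule name, finding kind, detail) tuples in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.src)
        if rule.action == "allow" and rule.direction == "in" and net.prefixlen == 0:
            exposed = [ADMIN_PORTS[p] for p in sorted(rule.ports) if p in ADMIN_PORTS]
            if rule.ports == ANY_PORT:
                findings.append((rule.name, "any_any_inbound", "every source to every port"))
            elif exposed:
                findings.append((rule.name, "admin_exposed", "Internet-wide access to " + ",".join(exposed)))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "ineffective_deny" if rule.action == "deny" and earlier.action == "allow" else "shadowed"
                findings.append((rule.name, kind, f"never matches; {earlier.name} already decides"))
                break
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(RULES):
        print(f"{kind:<17} {name:<16} {detail}")
```

On the constructed rule set the audit reports RDP open to the whole Internet, a guest-network RDP deny that can never fire because the broad allow sits above it, and an SMB allow for the LAN that is dead because a blanket deny precedes it. The first two are what an external vulnerability scan would show as open ports; the third is clutter that hides the real policy from whoever reviews the rules next.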
Update Your Antivirus Protection
Antivirus protection has been a staple of security since the early ’90s. Because of the sheer number of new viruses circulating on the Internet, a centrally managed antivirus application is an absolute necessity. Many of the newer antivirus applications now include spyware and phishing scanning, too.
Use Content Filtering (Spam/Web)
Over 40% of all e-mail is now considered spam. And beyond the cost of lost productivity, allowing employees to view inappropriate material in the office can lead to harassment litigation from other employees. Filtering e-mail (and the Web) is a necessity.
Make Sure Your Wireless Is Secure