A Security Blanket for Your Business

A checklist for keeping your company's information safe
July 15, 2006

 

 

 

It seems as if every day a new horror story hits the news about a company losing control of its information or its computer systems. While most incidents we read about concern large companies, small businesses are equally vulnerable — perhaps even more so, since many smaller companies don’t have full-time information technology security staff.  Having the right information technology security is all about ensuring the availability, integrity and confidentiality of corporate data. Below is a checklist of what you need to do to secure your most valuable asset: your company’s information.



 



Communicate Your Commitment to Security



 



Having a written corporate IT security policy that communicates management’s commitment to security is crucial but often overlooked.  The policy should be brief, it should reflect management’s support of the IT security initiative, and it should describe the roles and responsibilities of management, users and IT administrators.



 



Document IT Security Policies and Procedures



 



All technology should be backed by a written IT policy that stipulates proper use and the penalties for abuse. Documenting policies and procedures also assists in knowledge transfer for new or transferred employees.



 



Among the topics that policies and procedures should address are adding and removing users from the system; when and how to remove data from the system; acceptable equipment use (is it OK to load personal software on your company-issued laptop?); acceptable e-mail, instant messaging and Internet usage; and distribution of data (what is considered confidential, public or for internal use only?).



 



Identify Critical Data



 



Not all data is equally important to an organization, and it should not all be treated the same. Speak with employees about the importance of their data. Using a simple ranking system of low, medium and high can help identify how critical data is to each business unit; appropriate security measures can then be implemented at different levels. For example, a system that stores customer credit card numbers should have controls in place to ensure that only authorized personnel can view them. These security controls could be anything from ensuring proper application permissions to encrypting the data or even using authentication such as a one-time password device.



 



Control Access



 



You must decide who can access different levels of data. Access control should start with providing employees with a unique user ID and the minimum access required to fulfill their job. There’s no reason to give employees write access to files that they only need to read. Make sure to change employees’ access as they change roles within your company (access may need to be granted and/or revoked) and to remove access completely for people who have left your company.



 



Back Up Your Data



 



Is it possible to say this too often? Your business continuity may well depend on whether you have the proper backup policies and procedures in place. If all other controls fail, the data stored on last night’s tape (or your offsite backup) could be your last resort. It’s also important to conduct regular restore tests to ensure that the data can actually be recovered. Too many times IT departments take their backup and restore capabilities for granted, only to find that a simple misconfiguration has left the backed-up data unrecoverable.



 



Strengthen Your Firewall



 



Firewalls are the last line of defense between your network and the wild and woolly Internet.  Luckily, most IT departments have implemented some type of firewall technology. Today’s firewall hardware can protect against phishing and spyware, scan for viruses and perform deep packet inspection. So while you may already have a firewall in place, it may be time to review its capabilities and add an extra layer of protection.

 
Author Information: Mathew R. Hegarty, director of Net@Work’s infrastructure practice, works closely with key decision makers in the SMB space on developing technology solutions to solve real-world business problems. He can be reached at mhegarty@netatwork.com.
 
