BreachExchange mailing list archives
Six core elements for a secure business
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 May 2015 20:00:51 -0600
https://smallbusiness.yahoo.com/advisor/post/119949302597/six-core-elements-for-a-secure-business

Say “security” to most business people and they’ll come back with something about anti-virus software or internet firewalls. Sure, those are critical pieces of a solid security system, but if you want to create a really effective security structure for your business you need to step back and start with a fundamental review of core concepts.

For instance, a recent report from the U.S. Small Business Administration notes that starting a new business may require as much as $80,000 of startup funding to get off the ground. That’s a considerable sum, and it represents financial investment, purchase of equipment, hiring personnel, acquiring raw materials, software, telecommunications costs, inventory, building a web site, designing a logo, and so on. Protecting this complicated collection of assets requires more than a firewall. The up-side is that building an appropriate security plan can provide critical stability for your new business during the always-challenging start-up process, no matter what kind of business you’ve got in mind. Here are six places to start:

1. Begin With The Basics

Before you can figure out how to best protect your business assets you need to decide what those assets are. What are you actually protecting? Is it a database of customer information—social security numbers, credit card information, home addresses? Is it a room full of expensive chip-making machines? Is it a fleet of traveling laptops or touchscreen tablets full of proprietary product specifications? Is it boxes of industrial diamonds or bins of finished jewel-bearing widgets?

You also need to ask yourself fundamental questions about the character of your company: Every time an employee logs into the main server from a remote location or laptop, security is potentially imperiled. How important is it to maintain a secure remote data pipeline for your staffers? How important is it for you to log in remotely to keep an eye on sales and other business activities?

Finally, how far do you want to go? There are ways to maintain near-perfect security, but they come at a price. Finding the balance between a comfortable and trusting work environment and a perfectly secure protocol is an important part of your job as owner. You don’t want your employees to feel they’re working in a police state. Or do you?

2. Write It Down

Now that you’ve thought out the details of your security policy, it’s time to write it down. If it isn’t written down it doesn’t exist. Be specific. What kinds of background checks will you require for new employees? Who’s responsible for tracking raw materials coming in and finished products shipping out? Who will train new hires in security protocols? How will you secure data on laptops and tablets that travel between work and home? Who’s in charge of updating business software and anti-virus utilities to make sure your employees are running the latest versions? Do you need security cameras? How many? Where is security video information stored, and for how long? How easy will it be for employees to gain access to the premises on weekends?

When you think you’re done, go back and compare your written policy with your original list of business assets. Does the security policy protect those assets effectively? If not, rewrite the rules, or lose them entirely.

One last point: If nobody reads the security policy it won’t do you any good. Publish the written policy. Send it out via email. Print it out and put a copy where anyone can read it. Require employees to sign a document stating that they’ve received it and read it. If you’re really serious you can even email short security quizzes to employees to make sure they actually understand the policy—or play Security Jeopardy at your next staff meeting. Does this sound obsessive? Think about that $80,000 of startup capital you’re protecting.

3. Where It’s At

Focusing on your physical workplace will help determine the most appropriate security and automation solutions. For example, if you’re starting a clothing store in a mall you’ll probably want to take precautions against shoplifters—like security cameras, or a guard at the exit. A medical office might want to protect sensitive patient information with multiple log-in safeties and a wall of high-end locks and fingerprint readers to secure medications.

Think about lighting, fences, security guards, and an alarm system. Give some thought to where to place your security cameras to make sure you can identify individuals as they move through high-security areas. A good key card system can make a record of comings and goings, and you can set it up to alert you or your security staff if unauthorized people enter the office during off-hours.

If your workplace includes digital information storage it’s likely to come under attack as hackers and malware grow more sophisticated. According to a recent report from the National Cyber Security Alliance (as noted in PC World), one in five small businesses falls victim to cybercrime each year. And some 60 percent of these firms go out of business within six months of the attack. Best-practice security protocols for protecting digital data are not hard to find, but they need to be customized for your business. Focus on using and changing passwords, maintaining up-to-date virus protection, encrypting data, fully erasing old hard drives, and physically securing laptops and tablets as needed.

4. Be Afraid. Be Very Afraid

Paranoia isn’t necessarily a bad thing. Most data losses in small businesses happen when employees (bosses too!) leave their laptops in the taxi. Or click on the “cool link” in an email that seems to come from their best friend. Scammers, hackers, phishers and other bad internet characters have gotten really good at tricking you into clicking on the wrong thing—thereby releasing all manner of worms, viruses and malware into your business network. Or stealing your data. Or both.

Any serious security system includes training your employees to be very, very suspicious of every single email they get. Unless you are really certain you know the source of an email, and why it’s been sent to you, you should never, never click on an attached executable or internet link. The same goes for browsing the web on a company computer. One careless click can do tremendous damage.

As for losing laptops (and it happens more often than you think), it’s not a bad idea to encrypt sensitive information. And back it up! In general, every time you carry data (or hardware) outside the office firewall you should be prepared for a worst-case scenario. Paranoia isn’t necessarily a bad thing.

5. Hire the Right People

Your employees can be your best security enforcers—or your worst enemies. Hire carefully, check references, and make sure they know the security policy before they start work. Explain to new hires how theft and/or data loss can affect their personal financial expectations. (Lost profits due to security issues mean fewer raises.) Employees should be trained to spot suspicious behavior. They need to know what the protocol is for reporting it, and how the information will be used.

6. Make Sure It’s Working

Congratulations! You have devised the world’s best security protocol—but is it working? You (or your designated Security Czar) need to remain constantly, permanently focused on that protocol’s performance. Scan security videos, analyze threats, evaluate employee observance of security rules, track customer complaints, update the policy as needed. It’s just as true now as it ever was: Eternal vigilance is the price of liberty. And business security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!