BreachExchange mailing list archives

Six core elements for a secure business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 May 2015 20:00:51 -0600

https://smallbusiness.yahoo.com/advisor/post/119949302597/six-core-elements-for-a-secure-business

Say “security” to most business people and they’ll come back with something
about anti-virus software or internet firewalls. Sure, those are critical
pieces of a solid security system, but if you want to create a really
effective security structure for your business you need to step back and
start with a fundamental review of core concepts.

For instance, a recent report from the U.S. Small Business Administration
notes that starting a new business may require as much as $80,000 of
startup funding to get off the ground. That’s a considerable sum, and it
represents financial investment, purchase of equipment, hiring personnel,
acquiring raw materials, software, telecommunications costs, inventory,
building a web site, designing a logo, and so on. Protecting this
complicated collection of assets requires more than a firewall.

The up-side is that building an appropriate security plan can provide
critical stability for your new business during the always-challenging
start-up process no matter what kind of business you’ve got in mind.

Here are six places to start:

1. Begin With The Basics

Before you can figure out how to best protect your business assets you need
to decide what those assets are. What are you actually protecting? Is it a
database of customer information—social security numbers, credit card
information, home addresses? Is it a room full of expensive chip-making
machines? Is it a fleet of traveling laptops or touchscreen tablets full of
proprietary product specifications? Is it boxes of industrial diamonds or
bins of finished jewel-bearing widgets?

You also need to ask yourself fundamental questions about the character of
your company: Every time an employee logs into the main server from a
remote location or laptop, security is potentially imperiled. How important
is it to maintain a secure remote data pipeline for your staffers? How
important is it for you to log in remotely to keep an eye on sales and
other business activities?

Finally, how far do you want to go? There are ways to maintain near-perfect
security, but they come at a price. Finding the balance between a
comfortable and trusting work environment and a perfectly secure protocol
is an important part of your job as owner. You don’t want your employees to
feel they’re working in a police state. Or do you?

2. Write It Down

Now that you’ve thought out the details of your security policy, it’s time
to write it down. If it isn’t written down it doesn’t exist.

Be specific. What kinds of background checks will you require for new
employees? Who’s responsible for tracking raw materials coming in and
finished products shipping out? Who will train new hires in security
protocols? How will you secure data on laptops and tablets that travel
between work and home? Who’s in charge of updating business software and
anti-virus utilities to make sure your employees are running the latest
versions? Do you need security cameras? How many? Where is security video
information stored, and for how long? How easy will it be for employees to
gain access to the premises on weekends?

When you think you’re done, go back and compare your written policy with
your original list of business assets. Does the security policy protect
those assets effectively? If not, rewrite the rules, or lose them entirely.

One last point: If nobody reads the security policy it won’t do you any
good. Publish the written policy. Send it out via email. Print it out and
put a copy where anyone can read it. Require employees to sign a document
stating that they’ve received it and read it. If you’re really serious you
can even email short security quizzes to employees to make sure they
actually understand the policy—or play Security Jeopardy at your next staff
meeting.

Does this sound obsessive? Think about that $80,000 of startup capital
you’re protecting.

3. Where It’s At

Focusing on your physical workplace will help determine the most
appropriate security and automation solutions.

For example, if you’re starting a clothing store in a mall you’ll probably
want to take precautions against shoplifters—like security cameras, or a
guard at the exit. A medical office might want to protect sensitive patient
information with multiple log-in safeties and a wall of high-end locks and
fingerprint readers to secure medications.

Think about lighting, fences, security guards, and an alarm system. Give
some thought to where to place your security cameras to make sure you can
identify individuals as they move through high-security areas. A good key
card system can make a record of comings and goings, and you can set it up
to alert you or your security staff if unauthorized people enter the office
during off-hours.

If your workplace includes digital information storage it’s likely to come
under attack as hackers and malware grow more sophisticated. According to a
recent report from the National Cyber Security Alliance (as noted in PC
World) one in five small businesses falls victim to cybercrime each year.
And some 60 percent of these firms go out of business within six months of
the attack.

Best-practice security protocols for protecting digital data are not hard
to find, but they need to be customized for your business. Focus on using
and changing passwords, maintaining up-to-date virus protection, encrypting
data, fully erasing old hard drives, and physically securing laptops and
tablets as needed.

4. Be Afraid. Be Very Afraid

Paranoia isn’t necessarily a bad thing. Most data losses in small
businesses happen when employees (bosses too!) leave their laptops in the
taxi. Or click on the “cool link” in an email that seems to come from their
best friend. Scammers, hackers, phishers and other bad internet characters
have gotten really good at tricking you into clicking on the wrong
thing—thereby releasing all manner of worms, viruses and malware into your
business network. Or stealing your data. Or both.

Any serious security system includes training your employees to be very,
very suspicious of every single email they get. Unless you are really
certain you know the source of an email, and why it’s been sent to you, you
should never, never click on an attached executable or internet link. The
same goes for browsing the web on a company computer. One careless click
can do tremendous damage.

As for losing laptops (and it happens more often than you think) it’s not a
bad idea to encrypt sensitive information. And back it up! In general,
every time you carry data (or hardware) outside the office firewall you
should be prepared for a worst-case scenario. Paranoia isn’t necessarily a
bad thing.

5. Hire the Right People

Your employees can be your best security enforcers—or your worst enemies.
Hire carefully, check references, and make sure they know the security
policy before they start work. Explain to new hires how theft and/or data
loss can affect their personal financial expectations. (Lost profits due to
security issues mean fewer raises.)

Employees should be trained to spot suspicious behavior. They need to know
what the protocol is for reporting it, and how the information will be used.

6. Make Sure It’s Working

Congratulations! You have devised the world’s best security protocol—but is
it working? You (or your designated Security Czar) need to remain
constantly, permanently focused on that protocol’s performance. Scan
security videos, analyze threats, evaluate employee observance of security
rules, track customer complaints, and update the policy as needed.

It’s just as true now as it ever was: Eternal vigilance is the price of
liberty. And business security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com