Why Data Security is Everyone's Responsibility
Originally published: 08.01.13 by Dan Adams
6 Steps for Improving Your Business Technology Security
Small to mid-size business owners need to understand that their businesses are directly in the crosshairs of cybercriminals. Attacks on small to mid-size businesses have doubled in the past two years, with no end in sight. Information raiders are no longer focused on scoring the “mother lode.” They know it is much easier to skim from the vast majority: those who are blissfully unaware they are even at risk. And thinking that your IT guy/gal has this under control is a mistake. Your IT professional is just one of many people in your organization. They cannot handle security threats alone.
So, whose responsibility is it to secure a company’s information? It’s everyone’s. Think of it this way: if a flu epidemic was affecting a school population, would the school nurse be the only one tasked to eradicate the problem? No, school administrators would educate the masses and get everyone involved. The same approach applies to your company’s security risks.
Business security risk is definitely on the minds of IT leaders everywhere these days. In a recent Gartner survey, CIOs and other IT executives indicated they are carving out resources in an effort to increase their technology security spending in 2013. Of particular concern to small to mid-size business owners, Gartner Research Director Lawrence Pingree said, “Attackers are moving down the business stack to smaller companies and midmarket where there is often better opportunity for their success.” Pingree continued, “This has driven smaller entities that don’t have a large budget to outsource their security needs.”
While I agree with Mr. Pingree’s comment about attackers infiltrating smaller targets, I must challenge his implication that a large budget is necessary to handle IT security internally. It is too easy to argue that security problems would be solved if you had a big enough budget or someone else to do it. In truth, IT security is not a big cost, it is a companywide problem, and it takes leadership stepping up and setting clear expectations to eradicate many of the shortfalls.
In that spirit, here are six steps you can take right now to improve your business’s technology security:
1. Create, distribute and teach everyone about basic security requirements
You need to establish computer usage and technology security policies. These documents list out what is, and is not, appropriate. Share the understanding that company resources are company resources and, as such, need to be safeguarded. They are for company use, and employees need to respect what these resources were purchased to do.
Yes, some will complain that it is very big brother like or that you don’t trust them. I suggest sharing this small bit of information with them to help them see the larger picture. Explain that your company allows you to help individuals and families live their lifestyle and that you take that very seriously. You would hate to suffer a business setback that would jeopardize the company and, thus, your employees’ jobs. Ask your employees to help you do all they can to protect the future of your organization because it is their future. (Email me for a template of this discussion)
2. Do not allow simple passwords!
It is staggering how often I walk into an office and see a yellow sticky note with the network passwords either under the keyboard, in the top desk drawer or, in some of the most egregious cases, affixed to the computer monitor for everyone to see. I am also amazed at the simplicity of so many of the passwords used. Sorry, but passwords are not going away anytime soon. As a human in today’s modern society, you need to accept that passwords are part of life. Require that staff use strong passwords and adhere to company password change policy. Change your passwords to a secure length and complexity, and do not leave them in any obvious or visible locations.
3. Keep personal data private
The 2011 Data Privacy and Security Act changed the way companies protect important documents. Any company that deals with personal information that could trigger identity theft must secure that information. For paper documents, most companies have a series of secure filing cabinets in the HR office or in a manager’s office. But what about poor network security on files, or sensitive data that is left open too long on a computer screen, allowing others to see? A friend of mine recently went to see her doctor, and the record of the previous patient was on the screen for her to view while she waited. What was worse, she knew the patient and now knows more about his medical history than she should.
4. Keep Spam in the can
Allowing unfiltered email into your world will eventually infect your network. Spamming skills are advancing rapidly. (Remember this is their livelihood – they work hard at this.) We have all seen e-mails that look exactly like the real bank, mail vendor or credit card company they are copying. Often, it’s easy to mistake them for the real thing. If your spam filtration system is inadequate, more of your time is wasted managing the mess, and each e-mail increases the risk of disclosing sensitive information or spreading an infection to the rest of the network and to your list of beloved contacts. Teach your employees the basics of what to look for. Some phishing/bad email will get through even with filtration, and a little knowledge will go a long way.
5. Close back doors
Many companies have remote connection systems, and employees leave the programs with login credentials in the configuration on their desktop. That way, they can easily just click on the program and get into company resources. Easy, right? But, if your remote systems do not have great security, a hacker can easily access a home or hotel Wi-Fi network and then, bam! click on the “company network remote desktop or VPN” and the unwanted guest is granted approved access. Do not leave these connections with credentials stored in them.
6. Mind where you step and what you bring home with you
Part of your company computer usage policy should explain what is appropriate to spend company time and resources visiting and what is not. Many problems stem from employees visiting illicit sites, shopping sites and software sites on company time, using company computers. Nothing is free, and many supposed “free” sites have malware attached. Stick to business appropriate sites.
Everyone in your organization needs to be held accountable for what they do, or don’t do, when it comes to keeping your company and its intellectual property secure. If you take the time to talk to your team, many deficits can be identified and corrected. However, you probably have no desire to be a technology geek “when you grow up.” Soliciting the help of an experienced external resource to identify the risks and exposures that are time bombs to your business might be a good idea.
Articles by Dan Adams
Disaster Recovery: Business Continuity Plans
Business leaders understand they are dependent on systems. They realize if something fails they need to be able to get their systems back up.
Why Data Security is Everyone's Responsibility
Learn six steps you can take right now to protect your business from cyber criminals.