Small Business Toolbox

A library of business management info

Seven Steps to Protect Your Business' Most Important Asset: Information
07/31/2006

by Marcia Passos Duffy

When you look at your company's resources, you will find information ranked right up there as a top asset. Chances are most of your company's sensitive information, including files on products, customers, suppliers and employees, is now kept digitally. So just like your other business assets, you need to take steps to protect information from unauthorized access and even theft.

The goal of information technology security is to create measures that eliminate or reduce threats of theft or unauthorized access to a minimal level. Nothing is 100 percent foolproof, but here are seven steps that can help protect your critical information technology system and avert possible breaches that can spell disaster to your business' integrity and competitive edge.

Step 1: Become aware.
As a business owner, you need to be aware of how information security can be breached. Those who steal—whether it is money, products or information—can be very clever in their methods, so you need to stay one step ahead of them to prevent a theft or unauthorized access from happening. Technology is changing all the time, and it has become easy to steal vast amounts of information quickly and inexpensively. Anyone with minimal technical know-how, for example, can buy a $20 memory stick and download critical files from your computer systems—which can be equivalent to dozens of filing cabinets—and simply walk out the door. You need to be keenly aware that information that used to be difficult to steal without detection is now fairly easy to take.

Also, be aware of the statistics of computer crime and damage. According to DataPro Research, the common types of computer crime are money theft (44 percent), intentional damage to software (16 percent), theft of information (16 percent), alteration of data (12 percent), theft of services (10 percent) and trespass (2 percent).

Step 2: Know what kind of information must be protected and from whom.
You need to protect any kind of word processing document, e-mails, financial information, business plans, employee information, earnings, payroll, customer files (such as what they buy and how much they spend) and suppliers. If any of this information were to be stolen, become corrupted or even disappear, what would be the consequences to your company? Would your business fail? Could your company still function? These are questions you must ask in order to pinpoint what information is most vital to your company's existence.

You also need to be aware of who wants to steal that information. While the threat of outside hackers going into sensitive files is very real, studies show that the biggest threat actually comes from employees of the company. Be particularly careful of employees who are laid off or dismissed and may attempt to take critical information with them.

Step 3: Make sure all your computers are up-to-date.
New viruses and worms are introduced to the Internet every day. If your employees go online on a daily basis, they are being exposed to these threats, which can shut down your entire computer system and even wipe out your data. One simple way to avoid this problem is to make sure all your computers and software are up-to-date with the latest patches, virus management downloads, firewalls and spam management. This can be done automatically through subscriptions and services.

Step 4: Educate users about policies and procedures.
Make sure your employees read and understand your company's policies and procedures with regard to IT security—that is, what is acceptable and not acceptable. For example, are they allowed to install applications? What Web sites are they not allowed to visit? What can and can't be downloaded from the Internet? This needs to be clarified in writing, with the ramifications of violating these policies clearly stated. If you don't have an IT policies and procedures manual, it's a good idea to incorporate these rules into your employee handbook as soon as possible.

Step 5: Verify.
Next, you need to make sure that the IT policies and procedures are not being violated. You don't need to create a police-state mentality that will alienate your employees, but periodically monitor what users are doing and watch for potential security violations, such as anyone downloading or saving big files (there are services available that can do this for you). While large companies with very sensitive information, such as banks, use these monitors on a daily basis, your company may not require such stringent monitoring and may want to monitor once a quarter, for example.

Step 6: Know there is an inconvenience factor of a secure system.
Tight IT security usually means user inconvenience. For example, requiring periodic password changes, such as monthly changes, can be inconvenient, but users need to be aware of what can happen if they don't do this. You, as the business owner, need to enforce these kinds of policies in a friendly but firm way, so employees understand that this is for the good of the company (and maybe even their jobs). 

Step 7: Have a disaster recovery plan of action.
You must have a written disaster plan in case the unthinkable happens, and information is stolen or your data is wiped out. This plan should include a way to retrieve lost information (through backup discs or hard copies) and a strategy to communicate with employees, customers and vendors about the theft or computer crash. Make sure that you have computer backups (that have been tested). Store these files and disks off-site. Fires and floods have been known to happen and will damage not only your computer system but also all your backups if they are kept in the same place.
