Practices to help you become more secure
Information security is crucial to ensuring that your company, your employees and your customers are protected against the internal and external threats that exist today. Threats such as employee theft of crucial customer contract information, Internet hackers, viruses that can delete your hard drive, spyware that can steal information off your computers without your knowledge, and even social engineering hackers that obtain information about your systems by posing as a trusted source can all jeopardize your data.
How is your customer and sales information protected? Who within your company can access this information? Can anyone in the company print a year-to-date sales history on a customer? If you are connected to the Internet, are you protected from the thousands of viruses that can wipe out your computer system? Are your employees aware that they should never give out their password, not even to an IT employee? The internal and external threats are all around us. These threats are real, and all businesses, regardless of size, should be concerned and practice some form of computer security.
At this stage in the game, most medium to large companies have tackled enterprise-level security, but what can or should the small business be doing to protect itself? I find a lot of small business owners asking the same question: “I don’t know a thing about computer security—where do I start?” A consultant or a knowledgeable information systems person is always your best bet, but there are some things you can do yourself if these resources are not readily available or you feel it’s just not worth the investment. Below is a series of steps or “toolkit” to help you get started in the right direction.
Make Security a Company Initiative
Recognize the issue of security and make it known and important from the top down. As a business owner or manager, you must first acknowledge that computer data security is a problem and make it a company issue. Doing so will instill the importance of security from you to your managers and to the employees. This comes about by talking to your people about security, by writing policy, and by educating yourself and everyone around you about the many threats that exist.
Create a Computer Security Policy
The policy will help to establish the guidelines for each employee on the do’s and don’ts of using the computer. This is done by creating a written “computer usage or acceptable use policy” that every employee must read and sign. It will also serve to reinforce your position on the importance of computer security. To assist you in the creation of a policy, use the following link (http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf) or Google the words “computer acceptable use policy” and you will find a host of information to help you get started.
Educate and Inform Yourself and Your Employees
Oftentimes it is hard for people to understand why you want them to do something unless you explain the reason behind your logic. The best way to do this is to educate your employees on the many and real threats posed today and how they can help. Listed in the sidebar are some great Web sites you can use to help build both your knowledge and your employees’ knowledge about security.
Know What Your Employees Are Doing
Examine how employees access information and what information they can or need to access on a daily basis. Look closely and you’ll be surprised what you find out. It’s possible that everyone in the office has access to payroll information, but it’s slipped under the radar. Does a front counter person need access to sales history information? Some companies have tightened down their access to critical information and don’t even allow salespeople total access to historical sales information. You should establish and chart what is right for your business. Establish rules for who has access to particular areas of data and make sure you have the capability to lock others out who shouldn’t have access.
Use Available Security Features
Once you have decided on access rules, implement them using your software’s security features. Most operating systems and programs have security features built in that will allow you to control access. For example, make sure each user has a unique username and password and specific access to only those programs or data they need to do their job. This is standard with most software today, but it’s important to take full advantage of these features. Don’t assign one login for everyone to use that can access all of the company’s computer resources.
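As an added example (not part of the original article), the short Python script below checks a charted set of access rules against what each login can actually reach, flagging shared logins and access beyond what the role needs. The role names, resource names, logins and people are constructed sample data.

```python
# Constructed sample data: roles, resources, logins and names are hypothetical.
# The chart records what each role needs in order to do its job.
ROLE_CHART = {
    "front_counter": {"order_entry"},
    "sales": {"order_entry", "customer_contacts"},
    "accounting": {"payroll", "sales_history", "customer_contacts"},
}

# What is actually configured: who uses each login and what it can reach.
ACCOUNTS = [
    {"login": "jsmith", "users": ["J. Smith"], "role": "front_counter",
     "granted": {"order_entry", "sales_history"}},
    {"login": "office", "users": ["A. Lee", "B. Cruz", "C. Park"], "role": "sales",
     "granted": {"order_entry", "customer_contacts", "payroll"}},
    {"login": "mjones", "users": ["M. Jones"], "role": "accounting",
     "granted": {"payroll", "sales_history", "customer_contacts"}},
]

def audit(accounts, chart):
    """Return (login, finding, detail) tuples where reality departs from the chart."""
    findings = []
    for acct in accounts:
        allowed = chart.get(acct["role"])
        if allowed is None:
            # A login whose role is not on the chart cannot be judged; flag it.
            findings.append((acct["login"], "unknown-role", acct["role"]))
            continue
        if len(acct["users"]) > 1:
            # One login used by several people: actions cannot be tied to a person.
            findings.append((acct["login"], "shared-login", ", ".join(acct["users"])))
        for resource in sorted(acct["granted"] - allowed):
            # Access that the role does not need to do the job.
            findings.append((acct["login"], "excess-access", resource))
    return findings

def exposure(accounts, resource):
    """Everyone who can reach a resource, counting every user of a shared login."""
    return sorted({user for acct in accounts if resource in acct["granted"]
                   for user in acct["users"]})

if __name__ == "__main__":
    for login, finding, detail in audit(ACCOUNTS, ROLE_CHART):
        print(f"{login:8} {finding:14} {detail}")
    print("payroll reachable by:", ", ".join(exposure(ACCOUNTS, "payroll")))
```

In the sample data, one shared "office" login with payroll access quietly exposes payroll to three people beyond the one accounting user who needs it.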
Protect Yourself from the Internet
If your computers have access to the Internet—whether it be for browsing or e-mail—make sure you have the following safeguards in place. Without these protections, you leave yourself open and exposed to the world:
Firewall — A firewall can be software or a hardware device that serves as a sentry or first line of defense against hackers.
Virus, Spam and Spyware Protection — Such protection is relatively inexpensive and will protect each computer from malicious programs that seek to alter your systems or steal your data. Companies such as Symantec or McAfee can provide you with a software firewall, virus, spam and spyware protection.
Operating System Patches — Keep operating system patches up to date. Most companies such as Microsoft and Symantec provide daily updates and patches that can be set to automatically update your computers.
Meet the Author
Chris Dominiak is vice chair of GAWDA’s Management Information Committee and manager of information services & technologies for Norco, located in Boise, Idaho, and on the Web at www.norco-inc.com.