The technology landscape in small and medium-sized businesses (SMBs), and the resources available to tackle Internet malware (malicious software) and online security scams, are likely to be radically different from those in larger enterprises. However, a security breach is far more likely to have a devastating effect on the revenues of an SMB.
Fortunately there are some simple but effective steps that you can take to ensure that you keep your valuable business assets and customer data secure.
Securing your business from Internet malware and scams is a relatively simple matter, but it does require some forethought and a small investment of money and time. When thinking about online security for your company, consider the age-old medical adage: “prevention is better than cure.”
The essential steps to take can be broken down into three categories: Technology, Process and Policy.
Technology: Today most companies give reasonable consideration to the technology. They put in place solutions to protect their notebook computers, workstations and servers, like AVG Internet Security Business Edition. Some are also becoming aware of the need to protect the smartphones and tablets in use as company- and staff-owned devices within the business. They use solutions like AVG Mobilation to protect Android mobile devices.
Process: This is about the actionable steps you and your staff need to take on a day-to-day basis to ensure that the company’s information assets are protected. It covers things like: staff security training; regular backups; data recovery tests; changing passwords; data storage and usage guidelines; dealing with security breaches, etc. Most businesses cover these things reasonably well, even though they might not be done using all of the risk management and mitigation processes defined by worldwide information security standards such as ISO27001. However, as a small business you are unlikely to have the time and resources to address such a heavyweight suite of measures.
Policy: Most SMBs do a reasonable job of putting in place a security policy within their Staff Handbook. They often download appropriate templates from the Internet and adapt them as required. They’ll cover: the use of company vs. personal devices; use of software applications; acceptable use of company resources; password policy; reporting of breaches etc.
Sounds simple and easy, doesn’t it? Well, it is if you do it right. You can have the greatest technology, processes and policies in the world, but they won’t work unless staff buy in and are prepared to do it for themselves.
Thus you need to:
- Educate staff on why it is the way it is.
- Be able to stand up to questioning, justify any policy requirements and win their agreement and compliance.
- Encourage them to come forward at any time and raise with you any issues, concerns or misunderstandings they have.
- Be prepared to adapt and change as required, because to keep your security measures appropriate in an ever-changing device and threat landscape, your technology, process and procedure solutions have to be a living framework.
If you don’t get it right, your staff will reject your policy controls with “the silent veto”. Or as the Gen-Xs and Gen-Ys might respond, “whatever”. Their non-compliance will eventually result in a security breach, sooner rather than later. So make sure your security breach contingency plans are carefully considered, just in case.
Please read the excellent “AVG Small Business Security Guide: Securing your start-up or small business”, which presents some simple but effective steps that you can take to ensure that you keep your valuable business assets and customer data secure.
Lloyd Borrett, Security Evangelist, AVG (AU/NZ)