As our members know well, small-to-medium sized businesses (SMB) can offer many advantages and attractive features, including more personalized service, easier access, better responsiveness, and greater reliability. However, along with these benefits come some challenges, especially regarding data security issues.
The challenge for an SMB is to provide the highest possible data security with fewer staff and smaller budgets, often with limited access to the additional support resources that larger companies enjoy. But data security is achievable when the challenge is approached with skill, insight, and attention to a few key areas. Some of these are common-sense data hygiene habits that everyone should know and practice; others are business-specific or are part of the new (and rapidly shifting) security landscape in an increasingly mobile world.
Here are eight key IT security questions every small-to-medium sized business should be able to answer.
- Who has physical access to your property, devices, and hard-copy data? Whether it’s approved employees, building maintenance staff, cleaning crews, or visitors, think about how you secure your premises and who has access to which parts of the business. Where is critical data stored and how is it monitored? Who can access sensitive areas and what are potential vulnerabilities?
- Is data reliably and regularly backed up? Are backup processes automated and routinely tested? Are backups kept in a secure and separate location (either in the cloud or at another facility)? This is a basic security measure that every enterprise should have covered from Day One.
- Are basic security measures in place? This includes the rock-bottom must-haves of anti-malware, firewalls, encryption, and timely software updates. If your business has limited in-house expertise in these technologies, bring in reputable outside help. Don’t settle for the lower level of coverage that would suit a non-business individual. Smaller businesses are especially vulnerable in these areas, so play it safe and establish professional-level review and support.
- Is hardware (computers, devices) up to date? If not, how are retired devices and old information dealt with? Is data on old hard drives reliably wiped and/or destroyed? Digital devices quickly become obsolete these days, and replacement can be surprisingly frequent. Make sure that data contained in discarded devices is secured and accounted for. Be equally vigilant with hard-copy and paper-based data: review, redact, and shred sensitive data contained in non-machine files.
- Are employees trained in security protocols for both email and online activity? Can they recognize and deal with front-line threats, including phishing messages, questionable email addresses and URLs, and malware attachments? Are they aware of essential secure web-browsing techniques? You should also decide whether or not employee online activity will be monitored or tracked. Again, a smaller business may have unique vulnerabilities in this area that make it a more attractive target for cyber attacks. Review your processes and policies for employee training and awareness.
- Where is data located? Welcome to the new frontier in mobile and digital information! Which data is stored on individual computers? On servers? In the cloud? On mobile devices? These increasingly complex interactions pose a special challenge as smaller businesses grow and change, and they require both skilled technical coordination and policy review. Additionally, if your business is transitioning to greater device mobility, be aware of how newer technologies differ from older ones in the way they interact with security requirements. If you’re too small to handle these measures in-house, consider bringing in skilled technical consultants to walk through the issues and solutions appropriate to your size and rate of growth.
- Who has access to which data? Ensure that managers know who has access to what kinds of data, and what systems are in place for tracking data and dealing with breaches. Think about access issues at all levels of the organization and anticipate what backup or recovery actions might be needed. You should also review the access status of, and policy toward, different user levels: Are all employees given the same access level? What about outside parties, clients, customers, temporary employees, etc.? Are criminal background checks, or even social media reviews, applied to new or prospective hires? Should they be?
- Are policies clear, integrated, appropriate, and communicated? Nearly all the issues above boil down in various ways to your policies and how well they’ve been considered and applied. This requires thoughtful planning and an audit of how key policies interrelate when it comes to data security. Employees at all levels of the organization should know and understand what is expected of them, what systems are in place to support them, what constitutes sensitive data, and how it is dealt with.
Whether you’re considering adopting new technologies, updating current systems, or just reviewing your options, take these eight key aspects into account and you’ll be much better prepared for the brave new world of data security.