Security Matters - Part 2

The loss or theft of a laptop that contains sensitive information is called an e-crime - one that threatens some aspect of computer security. Research indicates that a significant percentage of e-crimes are committed by current or former employees, service providers or contractors. According to the 2007 E-Crime Watch Survey, conducted by CSO Magazine, the US Secret Service, CERT and Microsoft Corporation, unauthorized access to or use of corporate information, systems or networks was the most common insider e-crime.

In order to secure critical business information and protect against e-crimes, you need a game plan - an effective security governance program. Generally speaking, the goal of any governance program is to mitigate risks. Other goals include ensuring that your business is in compliance with regulations, setting an example for how business is to be conducted within your company, and protecting the business, its assets and customers against theft. In the case of a small business, establishing an effective governance program is a step towards positioning the business for future growth.

Effective security governance programs ensure that individuals at all levels within the company are well informed about the risks that may impact the business and take an active role in developing and enforcing policies designed to protect against them. As an entrepreneur, it's your responsibility to identify the risks affecting your business, develop strategies to mitigate them and document the game plan. This is just as important for the sole proprietor with an in-home office.

Take a look at your organizational structure, management, operational and computer practices. Your organizational structure, roles and responsibilities need to be defined in a manner that establishes accountability. Have you given a contractor sole responsibility for an area of the business that poses a risk? Your management practices should support and enforce policies that govern behavior within the company, such as how email and voice mail are to be used, use of company assets like laptops, protection of intellectual property and data sharing policies. Do you always remember to reset voice mail passwords whenever an employee leaves the company? What information within your company requires privacy? Do you have policies in place to limit access to that information? Where is your customer data stored and how is it protected? For those with home-based businesses, do you keep the file cabinets locked? Who else besides yourself has a set of keys? Are you doing all you can to protect your business and your customers?

Look at security from both a physical and technical standpoint. Establish roles and responsibilities to mitigate risks in the following areas:

Legal Compliance - Speak to your attorney and find out what regulations apply to your line of business, how they affect the way you do business and what you need to do if you find that you are non-compliant. Review your contract language and employment applications to ensure that you address regulatory compliance and security. Investigate any suspected security breaches.

Information Technology - Create an inventory of your critical IT assets (software, hardware, network components, etc.). What measures have been put in place to secure your laptop or other computers? What happens if your laptop is lost or stolen? Are you running backups on a regular basis and where are they stored? Who maintains the administrative passwords to your accounting system, payroll system, network, etc.? Do you change the passwords when someone leaves? If you have a home-based business, can anyone use your computer? Do you restrict who can download software and information onto the computer?

Risk Management - Conduct assessments to identify weaknesses in your business security posture. Conduct regularly scheduled reviews to determine whether or not the measures you've implemented are eliminating or minimizing risks.

Management - Use your management team to set the tone for conduct within the business. Use managers to develop and enforce company policies, help identify risks and train employees, service providers and contractors.

Finance - Include security in your budget and allocate funds to support security investments as well as security training and awareness. Determine who has access to your financials. How often do you monitor financial transactions? Do you have written procedures for handling customer financial information? For those in direct sales, do you have a procedure for destroying customer credit transactions once completed?

Auditors - Become familiar with and begin conducting internal audits to ensure compliance with regulations. Vest your internal auditors with the authority to do their jobs. If you don't have staff to perform this role, do your own research and see what other resources might be available to you through small business organizations.

Administration - Ensure that security practices are implemented throughout your hiring and review process. Use your Human Resources (HR) staff to monitor and enforce policies and procedures. Ensure that security practices are enforced in your interaction with vendors, contractors and service providers.

Security - Document your game plan just as you would a business plan. Make security awareness training a priority and an ongoing requirement for employees at all levels of the business. Think about what should happen if there is a security breach. Who is responsible for taking the lead in the event of a problem? Who is responsible for communicating security updates?

You don't have to create in-house positions to establish these roles, nor do you have to hire staff to begin establishing a game plan. As an entrepreneur, you may outsource some of these areas. For example, if you're using an outsourced HR provider, discuss the verbiage you would like included in the employee handbook relative to your security practices. If you outsource your payroll, ask for a copy of their written policy regarding protection of employee data.

Whether you decide to comment or not, at least take some time to reflect on security and start protecting your investment.