Auditors have been telling small business owners for years that they should implement good security procedures for their IT activities. These include such measures as regularly changing passwords, a proper division of duties between custody of assets and the recording of transactions, and a good business recovery plan in case of a disaster or major loss of data. Large firms are required by law to maintain adequate internal controls and to report on them to their regulators, such as the OSC and the SEC. Small private businesses, however, have no such requirement. It’s all up to them.
According to a recent study by Symantec and the National Cyber Security Alliance, these warnings are still going unheeded by many businesses. In a survey of 1015 small businesses in the US, 77% of the respondents felt that their business was secure, yet 83% stated that they had no established security policies. Meanwhile the risks are getting greater, not smaller. For example, the use of the internet for storing data and even processing transactions is growing, and the internet still poses numerous security threats. The threats come not just from a loss of data, but also from a breach of privacy, particularly the privacy of sensitive information or of information owned by customers.
The growth of social media has also increased these risks, since people use such media for many purposes and are often not careful enough about what they disclose on them. Companies are increasingly mining social media data for information about customer behaviour and the activities of the competition.
So there is a real need for small businesses to develop a security policy that will work for them. This would include not only policies with regard to passwords and business recovery but also policies with regard to the use of mobile devices and social media.
As for data being stored on the internet, businesses need to assess the importance and sensitivity of the data and whether it is adequately protected at the site where it is stored. Any data that is sensitive in any way needs to be encrypted, so that unauthorized parties who obtain the stored copy still cannot read it.
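One concrete way to act on that advice is to encrypt sensitive records before they leave the business, so that the storage provider only ever holds ciphertext. The following is an added example, not code from the original article, that seals a record with AES-256-GCM using only Go's standard library; the key, the sample customer record and the tampering step are constructed for the demonstration, and in practice the key would come from a key-management service or a password-based key derivation rather than being hard-coded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptRecord seals plaintext under a 32-byte key with AES-256-GCM.
// The random nonce is prepended to the ciphertext so the stored blob is
// self-contained; GCM's authentication tag means any later modification
// of the stored blob is detected when it is opened.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. It returns an error, and no
// plaintext, if the blob is truncated, was encrypted under another key,
// or was altered while in storage.
func decryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed demo key: in real use, obtain this from a KMS or derive it
	// with a password-based KDF; never embed a production key in source.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("customer=Acme Ltd; card_last4=1234; note=constructed sample")

	blob, err := encryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes of ciphertext, readable only with the key\n", len(blob))

	plain, err := decryptRecord(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", plain)

	// Simulate the storage provider (or an intruder) flipping one bit.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := decryptRecord(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The design choice worth noting is authenticated encryption: plain AES would hide the data but would not tell the business that a stored record had been altered, whereas GCM refuses to return anything from a modified blob, which is the check a practitioner wants before trusting data pulled back from a third-party site.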
As with any policy, it needs to be documented and reviewed with employees to ensure they understand it and will buy into it. Ongoing review and updating of the policy is essential, as both the technologies and the risks keep changing.
An ounce of prevention – – – .