Small enterprises are the engine of our economy, generating innovation, employment and wealth, so your security matters. Data breaches are bad for business, so every enterprise needs security. In the past, this was expensive, because security products were designed for companies with deep pockets and teams of experts. But that’s changed. New cloud-based services are fast to deploy, safe and easy to use. What’s more, they’re even more affordable.
With growing demands from customers and regulators for security, now is a good time to invest in security. Leading cloud-based security services deliver a professional level of security assurance in a form that fits the circumstances and pockets of small businesses.
This slideshow features nine steps, identified by Qualys, that businesses can take to reduce risks at an affordable price.
A simple but powerful first step is to set out your commitment to information security in a written declaration. This shows you’re serious and communicates the fact to staff and stakeholders. It can take the form of a formal security policy, or a simple, signed statement that your enterprise aims to apply its best endeavors to safeguard sensitive data and protect critical business systems from security risks.
Next, ensure that employees who handle sensitive information or control critical systems are aware of legal, regulatory or commercial requirements for security, including the consequences of failing to meet them. One example is data protection and privacy legislation, which requires everyone handling sensitive, personal data to safeguard it according to strict principles. A further example is the Payment Card Industry Data Security Standard (PCI DSS), which requires retailers who process payment cards to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
To select the most appropriate measures for your money, you need to understand the security risks to your business assets or activities. Consider your exposure to security threats, such as:
- Theft of data or equipment
- Espionage
- Fire or floods
- Equipment failures
- Computer viruses and malware
- Computer hacking
Assess how vulnerable your systems, equipment and premises might be to these threats, and identify the best means of reducing the risk.
Draw up a list of “do’s and don’ts” to ensure your employees follow the essential rules needed to safeguard sensitive data and critical business services. Ensure these rules are regularly reviewed and updated. Examples might include:
| DO | DON’T |
|---|---|
| Choose strong passwords and change them regularly | Share customer data with outside parties |
| Lock away laptops and sensitive data when the office is vacated | Leave mobile devices unattended in public places |
| Take regular backup copies of your data | |
| Apply critical security updates and antivirus updates promptly | |
In a larger business, a written policy, setting out principles and objectives in a more structured manner, is a better source of guidance for managers and staff. Procedures for key security processes, such as controlling access rights, issuing equipment and taking backup copies, should also be defined, along with responsibilities for keeping them current.
Assign roles and responsibilities for safeguarding key assets (such as premises, equipment and data) and carrying out security activities (such as taking backups or managing access rights). Deputies should be assigned for essential tasks, to ensure they are carried out during leaves and absences.
Ensure there are measures in place to protect equipment and data from theft, damage and unauthorized access. They should include the following.
- Physical measures for premises, such as access control, intruder alarms and lockable cabinets for sensitive or valuable assets.
- Procedural controls, such as choosing passwords, taking backups and locking away papers and laptops when offices are vacated.
- Technical measures such as firewalls, anti-virus software and backup devices. It’s vital also to ensure critical security updates are promptly applied.
Security technology can be used to safeguard sensitive data and prevent or detect potential incidents. Examples of security products that are becoming increasingly essential for everyday business use include:
- Strong authentication devices for remote access by home or mobile users
- Hard disk encryption systems to protect data on laptops
- Intrusion prevention systems to block incoming attacks from the Internet
- Vulnerability management technologies to monitor the exposure of networked computers to potential attack
Prepare your enterprise for hazards such as fire, flooding or equipment failures. Advance thinking and preparation will reduce the damage to business operations and speed up recovery from failures.
- Identify alternative working arrangements, such as fallback sites and systems
- Draw up a simple plan and keep up-to-date backups of essential data and software at a secure, remote location
- Nominate a crisis team to enable a fast response without duplication of effort
- Assign responsibilities for dealing with emergency services, contacting customers and getting fallback systems up and running
In busy working environments, security tasks can be overlooked. Implement checks to prevent this from happening. Larger businesses might consider a more formal governance structure, with objectives, performance measures and audits.
All employees should be educated in basic security practices, and regularly reminded of relevant security risks, as well as their own responsibilities. Begin with induction sessions for new staff and maintain awareness through regular briefings or bulletins.
A range of educational material is available on the Internet. It costs nothing to point your staff in the right direction. Take a look at Get Safe Online (www.getsafeonline.org) for a good source of free advice.