10 Principles Of IT Security Every Small Business Should Know
IT security breaches are a risk to small business.
Without a dedicated IT department, managing online security for a small business can be a daunting task.
While big organisations have entire teams working to secure networks and information, small businesses are lucky to have a computer guy.
But there are simple steps you can take to secure your data – and remember, much of this is your customers’ data too, and they expect it will be cared for properly.
So to get up to speed, here are 10 things every small business should know to protect systems from intruders.
1. Invest in and update security software
Even if you’re a small business, security is important because being connected to the internet opens you to the world, Airtasker COO and co-founder Jonathan Lui told Business Insider.
Last year Australians spent $408 million on security software but they spent $770 million on potato chips. The message: invest in reliable and up-to-date security software.
Security software needs to be installed on all your devices. It should include a firewall, anti-virus and anti-spyware. One of the mistakes people make is installing the software and never updating it – new threats emerge on the internet every day and your protection software needs to keep up with that.
Also good to know – many of the cloud software offerings on the market already have stringent security solutions built into them. So you may not need to invest over and above the technology that you already have.
2. Back everything up
Gone are the days where backing up your data was a tedious task. Cloud technology means you can set up your devices to back up all the information they hold as often as you like.
A comprehensive solution combines online and offline – so back up to the cloud and to a USB regularly.
3. Build a culture of IT security in the business
Establishing a culture which is aware of security threats is one way to protect your business. This can be as simple as training staff around expectations and technology uses.
“It comes down to a lot of human security principles,” Lui said.
“Generally when a new employee comes in we get them to sign a policy agreement which outlines what we expect in terms of IT security and confidentiality. I generally do an audit once a quarter but try to keep it a bit random.”
Expert360 head of engineering Tom Jowitt said education can be one of the strongest security policies.
“Educate your team on best practices. Small improvements can drastically improve security. People are always the weakest link,” he said.
4. Outsource to an expert global provider
Outsourcing tasks like hosting and servicing IT infrastructure to a global provider is important. It enables small business to take advantage of the big company’s developments and have less chance of data being lost or breached as well as hopefully minimising any downtime.
“Don’t try to bring all the security skills into your business if you don’t have to. You’re not the security guy. If you think it’s a priority pay for those skills,” Lui said.
“You need to delegate the responsibility to someone who is going to care about your IT security.
“You’re trying to minimise the risk of something catastrophic happening down the track.”
Jowitt said outsourcing gets security out of the way of critical business tasks.
“In small businesses, data is one of the most valuable assets yet you often lack the resources that larger companies do. You need to make sure that your security approach is manageable and doesn’t get in the way of the business. Security is always a trade-off between being secure and being usable,” he said.
5. Have different passwords for everything
Setting passwords on all devices and introducing two-factor identification for more sensitive information can protect your business from intruders. It’s especially important with the rise in portable and mobile devices that leave the office. Passwords can stop people from accessing information if a phone or laptop for example is lost or stolen.
Passwords should also be different for each device or platform to stop giving someone access to everything if they figure out one access code.
Think about what would happen if someone could read your email. A sophisticated hacker could trawl your correspondence for all those times you shared passwords around the business, and reverse engineer much of your security.
Lui said setting up a password management plugin is an easy way to manage security when a business has multiple users. It also enables a manager to set different access levels and allocate a master password.
6. Learn to remote wipe
Just like you would want all your data backed up if a device was lost, stolen or infected with malicious software – you also need to have the ability to wipe data remotely.
This means you can log in from another device in the case of an unexpected event and wipe all the data to stop it being accessed by prying eyes.
Lui said setting up the ability to lock down access to emails and files that an employee has access to is also important, especially if they leave the company unexpectedly.
“I always err on the side of being cautious from the start,” he said. “It prevents these types of issues if they happen.”
7. Brush up on the Australian Privacy Act
Knowing the rules and regulations around obtaining and storing data – especially customer data – is important to ensure you’re not breaking any laws.
Lui said there is also business incentive for ensuring personal data is properly protected.
“Customer data is quite sensitive,” he said.
“It’s very important to hold as much data as possible but that it’s secure.
“You don’t want to get famous for the wrong reasons, if the story leaks out that you let out the details of your customers that’s not good.”
Importantly, the major providers have local data centres that operate under Australian jurisdiction which remove the legal uncertainties.
8. Lock up your gadgets
It may sound rudimentary but having a device stolen can be a headache for business.
Locking up laptops and gadgets and keeping them out of sight when people aren’t around can go a long way ensuring hardware isn’t taken.
“No computers lying around the desk when people aren’t there, it has to be locked up. Don’t just leave things lying around that might have data on it,” Lui said. “Do a general check on locks after hours.”
9. Think about how you’re sending data around
Emails can be forwarded all over the place without the sender ever knowing.
“If someone asks for some data that they need I make sure I pass it to them securely,” Lui said.
“These days with more data going online for everyone there’s a lot of ways people can get their hands on that data.
“We try and do almost everything in the cloud and try not to store anything on our computers.”
10. Have a disaster plan
If something can go wrong, chances are it probably will, Jowitt said small businesses need to think about how they might deal with worst-case scenarios. Larger businesses have incredibly detailed plans for how they will respond in case of things like fire, mass power outages, or other unforeseen disasters. For small business, it needn’t be complicated, but some basic planning will help.
“Make sure you have contingency and disaster recovery plans for when things go wrong,” he said.
“If you can’t afford a full-time sysadmin or security team make sure you at least bring in an external auditor to review your IT infrastructure.”
Source: http://www.businessinsider.com.au/10-principles-of-it-security-every-small-business-should-know-2014-11