In the aftermath of high-profile data breaches at major companies such as ChoicePoint, Bank of America and Lexis-Nexis, small business owners are left to wonder how they can possibly protect their own sensitive data when major corporations with huge IT budgets can't.
Part of the problem is the intangible nature of data security. While guarding a door or manning a checkpoint is readily understandable, data security is difficult to comprehend and more complicated to address. Indeed, it's often tough to determine what constitutes enough protection until a situation arises, and by then the damage is done.
To put IT security at a tangible level, it helps to develop and follow a well-conceived security policy. Unfortunately, most companies approach security from a much less strategic standpoint. Either no such policy exists or, if it does, it's not consistently followed.
The first step in establishing successful security policies is to develop an understanding of exactly what data needs to be protected and what's at stake if it is lost or compromised.
Here are some typical questions: If crucial accounting data is lost, can it be restored? Do you have a backup and, if so, what is the recovery time for restoring information? If customer data is exposed, what are the potential ramifications? For example, a credit card processing company may market itself as a secure caretaker of data. If it loses or exposes customer information, the slip will cost a great deal in lost business, damaged consumer confidence and potential lawsuits.
Armed with an understanding of what needs to be done and what is at stake, companies must consider the ways the data can be accessed. Is it readily accessible from the Internet, or is it on a back-end system that employees alone can reach? Are proper limits placed on what those employees can and can't access?
Employee access is a critical issue. While the common belief is that hackers are the most serious threat to data security, the biggest danger actually comes from inside a company. It could be a simple mistake (such as an employee saving information to the wrong area of the network) or an intentional action (such as browsing network drives where confidential information is stored or copying client lists).
Another vulnerability comes from adware and spyware that infects company computers. Although these programs are not destroying data, they are adversely impacting the machines themselves. It's difficult to be sure of how dangerous this software is. So far, it appears that they're not doing much more than tracking Internet movements or attempting to hijack browsers. That doesn't mean, however, that they can't become dangerous or destructive.
Adware and internal espionage aside, a final risk factor comes from those who fail to take security seriously. A company's security strategies need to start at the top. Owners and managers must maintain the highest levels of access to the most valuable company information.
Unfortunately, that's often not the case. For example, members of a management team frequently exclude themselves from strict password policies, either avoiding lengthy or complicated passwords or not changing them frequently. Consider the business owner who has used the family pet's name as a password for years. An unauthorized user who can guess that can gain access to sensitive client information, revenue figures, payroll and other sensitive data.