Recently Elizabeth Chisman Moon of Focus Data Solutions and I did a seminar on this topic for the Alexandria SBDC. Here are some basic ideas on managing your risks of security breaches.
Start by developing policies or practices that address the most important security needs of your business. These might include:
- Use of company equipment and software
- Use of personal devices for work
- Social media
- Basic security procedures (physical and systems)
- What you consider ‘company confidential’ or sensitive information
Defining what you consider sensitive information is critical. This ensures you know what information deserves extra care in handling and storing so you can protect it. The policy also tells your employees what information you expect them to keep restricted and ensure others do not see. Common types of sensitive or ‘company confidential’ information include:
- All data relating to services, applications, procedures, and/or products sold by the organization, excluding marketing literature designed for external use
- Research and/or development materials
- Information about clients or customers, excluding that within sales or marketing literature produced for external use
- Contractual arrangements between the organization and its clients, suppliers, or vendors
- Purchasing, pricing, sales, or financial data
- Personnel data on any employee or ex-employee
- Information provided by other organizations under confidentiality agreements
Development of basic policies can be done using samples from your professional/trade organizations or your network. However, it is vital to ensure that each policy is designed to support your desired culture. Having such policies checked by your lawyer, appropriate consultants, or vendors is important to ensure you minimize your risks. The policies then provide a basis for orientation of new employees as well as training of all employees and regular reminders of the need for each employee to protect the organization's assets.
Remember that policies that are difficult or complicated lead to less-secure ‘work-arounds’. For example, all of us have seen the passwords written on sticky notes on the PC or laptop!
When hiring employees, independent contractors, or vendors:
- Consider security issues as part of the hiring process for all
- Ask questions related to common risk profiles when interviewing candidates
- Check on related issues (impulsiveness, anti-authority attitudes, carelessness) with references
With independent contractors or vendors:
- Restrict access to your internal networks and to sensitive information
- Place security requirements and restrictions in contracts
Security is critical to all businesses. Cybersecurity is more important than many of us realize as hackers increasingly are targeting small organizations, both for access to their information and as a quick way to make money via ransomware.