For small businesses, the basis of a good security policy is a simple plan that everyone can follow – and costs nothing but time - (Article published in the
Review, July 2012, author Nick Booth)
If a computer system has been compromised, human error is usually to blame. Take the smart phone, arguably the most important piece of business technology a SME will use. According to IT consultancy Avanade, 88% of companies worldwide use mobile devices of some sort for work. But security measures have not kept pace with this trend.
The problem is that business systems have grown in complexity at such a pace that we struggle to keep up. We have to remember myriad passwords and learn processes that seem to change by the day. Who could blame us for letting the lengthy best-practice handbook languish in our in-trays and making our work the priority?
A study by marketing company Vanson Bourne indicates that companies are beefing up their IT security in response to a perceived security threat. Of 500 IT decision-makers in large enterprises, four in 10 said they have increased their IT security budget following high-profile breaches at other organizations.
Smaller companies do not always have this option. They are less likely than medium-sized or large firms to use a security consultant or conduct an internal audit. IT security is likely to be left to the MD, the CEO or the office manager – in other words, somebody who already has another job to do and is not an IT specialist.
All is not lost for the security-minded SME, however. If most security breaches are based on human error, and simplicity is the key to devising a workable policy, then SMEs have distinct advantages over their bigger competitors. Here are some simple tips for keeping your company safe.
1 - Assume nothing
Assumption is the most frequent human error, according to Chris Potter of management consultant PwC. "If security is doing its job, it goes unnoticed," he says. "The flipside of this is that people don’t value it and take it for granted."
When manufacturers of phone systems or routers supply you with equipment, they assume that you are going to change the default password. The consumer, in turn, assumes that the default password is safe. Meanwhile, the hacker assumes that you haven’t changed the password from the default. Guess which assumption is proved right most often!
Don’t forget that crime is constantly evolving, with new tricks and new viruses being devised by the hour. Be sure to download all software updates, and change your passwords regularly.
2 - Inform yourself
Often, people ignore security if it hampers their day-to-day business, says Alastair Broom of security firm Integralis. “This is largely because they are oblivious of the consequences,” he says. “Does John Smith in the finance team understand the risk in syncing the company’s annual report to DropBox so he can work on it at home? Or emailing something to his personal email account so he can finish work at home?” By informing users of the consequences, these problems can be neutralized.
3 - Keep it simple
“Many security programs involve lengthy policies and procedures that are never read and gather dust on a shelf somewhere,” Broom says. “Explain clearly why the company has certain policies and the benefits. If you just describe what you’re doing without justification or benefits, employees will resist.”
4 - Tailor it to your team
Human error often creeps into systems when there has been no design consideration for the different aptitudes and abilities of the workforce. Some people are always going to be more willing to undergo certain processes than others. Business leaders know their teams better than anyone else, so should avoid one-size-fits-all solutions.
Top 10 human errors
• Failing to change default passwords
• Using infected memory sticks
• Losing memory sticks
• Responding to unsolicited emails
• Using the same password for every account
• Using “password” or “1234” for your password
• Keeping passwords on sticky notes attached to your monitor
• Failing to update security patches
• Failing to save or back up data
• Sending sensitive company data unsecured
5 - Beware social media
Social media has become the online-commerce platform of choice for SMEs. It’s easy to use and it opens up a world of marketing possibilities, but it’s also far more open to abuse, warns Richard Law of identity management company GB Group. “You need to verify who the other person is that you’re doing business with,” he says. “The problem with online is it’s still a bit of a Wild West environment.”
The “bring your own device” (BYOD) trend, and using these tablets and smartphones to access both traditional and new cloud computing apps, means that moving, storing and securing data is now much more complex.
Complicated security processes, such as encryption and verification of users who want to log into networks, can be simplified by using a smart card or OTP token that mobile workers can carry around with them. These portable authentication gadgets use digital certificates or produce a unique one-time password that strengthens access control to PCs and mobile devices.
Meanwhile, the scope for human error is as wide as ever. Encrypting data is a sensible move and an investment that soon pays for itself. But in the meantime, creating a highly secure password for your company’s Facebook page would be a good start and costs nothing. As for the rest, just keep it simple.