Businesses are recognising the value of the information they manage, and more companies than ever handle sensitive information on a regular basis. So whether you are a one-man band or a multinational corporation, here are 10 information security tips for businesses:
1. Implement policies and guidelines
Implement policies, processes and guidelines – the rules of the game – that are appropriate for your organisation. This means a top-down approach to information security, showing that your organisation is committed and willing to invest in protecting its data. Remember that the simplest solution is often the best: keep your rules short and simple, because rules that are easy to understand are easier to follow (and easier to check, see tip 6).
2. Lead by example
Senior-level buy-in is vital, but business owners and senior management must also follow the same policies and guidelines themselves. If they don't, the exercise becomes pointless, because staff will bypass the rules in exactly the same way. Lead by example and show your team that you take information security seriously.
3. Staff education and training
It may seem obvious, but if you don't educate your staff about their information security roles and responsibilities, you can't expect them to protect your data effectively. Teach your staff not only what they have to do and the rules they must follow, but also why it matters to you, how to do it, and who they should speak to if they have questions or issues. Information security is often seen as a dry, if not dull, topic, so make the training as engaging as possible.
4. Business processes
Implement appropriate business processes in your organisation and align them with your information security policies as closely as possible. If the secure way of working is also the slowest or most awkward way of getting the job done, staff will find it easier to bypass the controls you have implemented in order to achieve their business goals.
5. Technical solutions
Just as appropriate business processes are important, it is also vital to implement appropriate technical solutions. Many organisations see IT as the driving force in protecting their data, but this is not the case: IT is simply one of the tools available. You therefore have to ensure that your technical solutions and IT systems actually deliver the protection your organisation requires, in line with your information security policies, rather than assuming that buying technology is the same as being secure.
6. Spot checks
A good way to ensure your staff follow your information security rules is to employ a regime of spot checks. These should be used to raise awareness of issues, not as a method of punishing those who fail to follow the rules; after all, you need your employees to buy in to the spirit of the programme, not merely to follow instructions. A great way of achieving this is to encourage staff to come up with ideas for improving security and to reward the best ideas.
7. Test and measure
In addition to performing your own spot checks, it's a good idea to employ an external agency or consultancy to test your security controls on a regular basis. Many corporate bodies have regular penetration tests of their IT infrastructure and less frequent tests of their physical security. Smaller businesses might see this as overkill, but unless you actually test your controls you have no idea how effective they are. Agree the scope and rules of engagement in writing before any test starts, and treat the report as a to-do list: fix the findings, then retest to confirm the fixes worked.
8. Check your suppliers
Most companies make use of third-party service providers. Whether it's for your IT, web hosting, accountancy or legal operations, it's important to ensure your suppliers take the same care over their information security (and yours) as you do. It's no use having fantastic information security controls only for every Tom, Dick and Harriet at XYZ IT Support Company to have access to your sensitive data because they provide your IT support services. Take the time to ask questions: ask to see their policies, how they vet their staff, and what controls they employ to protect your data. Give them access only to what the service actually requires, and remove that access when the contract ends. At the end of the day, protecting your data is your responsibility, not theirs.
9. Plan for the worst, hope for the best
In the same way that it's a good idea to have business insurance, every company should invest in a Business Continuity Plan. This means looking at the threats to your business, the risks they pose and how you would respond in order to keep operating should the worst happen. Your Business Continuity Plan needs to cover all the high risks to your business and should be tested and reviewed on a regular basis to ensure it keeps up with your changing operational requirements. Obviously, fully testing a Business Continuity or Disaster Recovery Plan may be prohibitively expensive, but there are ways of assessing the plan, such as walking through a scenario around a table with the people who would have to execute it, without having to buy hardware or pay for office space.
10. Incident response
Having all the right policies, processes and guidelines, the correct technical solutions and excellent staff awareness gives you the best chance of avoiding an information security breach, but it doesn't guarantee it. It is therefore essential that you have a clearly defined process for responding to an incident. This should cover reporting points, escalation, evidence gathering (preserve logs and affected systems before you start cleaning up, or you will lose the ability to work out what happened) and media management. It should also clearly define the roles and responsibilities of the relevant personnel, how your organisation reports the breach to the relevant authorities – be they law enforcement, the Information Commissioner or regulatory bodies – within whatever timeframe those authorities require, and of course how you inform the individuals or companies concerned.