IT security is hitting the headlines, but what can business owners do to protect themselves? In the past few months we have seen security breaches at Sony and at the US Central Command. In this article we look at the practical measures that businesses can take to reduce the chance of embarrassment, or worse.

The enemy within

Like most business owners, I value my team enormously. But any member of staff can become the “enemy”. You don’t know who is disgruntled because they think they should be paid more. You don’t know who is trying to hide a gambling problem. You cannot know these things and you don’t want to find out when it’s too late.

Here are some simple and practical steps to protect yourself from “the enemy within”:

  • Vet staff – an effective recruitment process reduces the chance of recruiting the person with a history of fraud or a fictitious CV.
  • Limit access – only give people access to the files they really need. Have an IT setup that makes it easy to maintain security.
  • Control use of your company database. Find out who would be able to copy or export large quantities of data and limit it to the few who really need to.
  • Audit. Do you need to know what is going on within your computer network? Can you track who is accessing what?
  • Control use of external devices. You could prevent people plugging in USB sticks or external disks. You could also control which devices can connect to your wireless network.
  • Manage your users on your network. Do you disable user accounts the moment someone leaves? Are you certain that ex-employees could not have access to any web-based services that you use? Could a disgruntled ex-employee could still have remote access to your office network?

Preventing stupidity

First, my defence. None of us would employ stupid people. But even the best of us are capable of accidental acts of stupidity – just ask any car insurance firm. Here’s how you can reduce the chance of the sort of embarrassment that the US Central Command suffered when their Twitter account was hacked.

The lessons are:

  • Educate your users. Half the battle around security is educating people. If they know what the risks are, how to spot them and how to avoid them, they are much less likely to fall victim.
  • Reduce the chance of problems. Filter spam from your e-mail; control the sorts of web sites people can go to through web filtering.
  • Get visibility of what is going on. Do you know who is accessing which web sites in work time? For example, if employees are accessing their internet banking in working hours, it’s more likely that they would respond to a phishing e-mail purporting to be from their personal bank.
  • Act on the information. People who are doing the wrong thing during working hours or going to the wrong sort of web site are not only wasting their time and your money, they are your highest risk of a security problem.

In summary, a lot of IT security issues are not IT issues, they are people issues. The rest can be dealt with by your IT team. Add in a good reporting system that brings the important issues to your attention and you have layers of security that reduce the risk of an embarrassing problem for your business.

The full magazine can be found here.