Data security is becoming an even higher priority for small businesses, and a robust, integrated response to external and internal threats cannot rely on technology alone. We have said in previous blogs that an effective security solution combines people, process and technology. The importance of policy, however, is often overlooked or underrated, when in reality it forms the backbone of any protection activity.
So let's start at the beginning: what is a security policy? Simply put, it is the agreement between management and employees on the approach that will be taken to data security. There may be more than one policy, depending on the scope of the security measures the organisation needs. Why is a security policy so important? For small businesses, security budgets are severely limited, so a greater reliance on process and people is required. This is workable because small businesses tend to have fewer employees, which makes it easier to co-ordinate security measures and to educate users about their responsibilities.
A policy needs to be endorsed by the executive management team; otherwise there are many barriers to implementation, including but not limited to budget and capability. It also needs to be written in language the business will understand, rather than the jargon used by IT specialists. Small businesses may think their information is not worth stealing, but think about your vendors and customers: small businesses are often targeted precisely because they have relationships with larger organisations and can serve as a stepping stone to larger prey. The security of third parties is therefore a major risk and concern, for you and for the organisations you work with.
So how do you get started? There are many templates available that can be used as a starting point. However, they tend to cover everything, much of which may not be relevant to your business. They are useful for building a comprehensive list of what to consider, but the basic content that must be addressed is summarised below:
- A scope statement specifying that all information, systems, facilities, programs, applications and users are covered by the policy, with no exceptions.
- Classification – Information classification levels should be defined, e.g. ‘public’, ‘internal’, ‘confidential’ and ‘highly confidential’. These will vary depending on the sector the organisation operates in.
- Context – where does the security policy sit among the organisation's other management directives? It should be clearly displayed and available for all employees to consult.
- The policies should define:
a. Acceptable Use of Technology: can work laptops be used for personal purposes? If so, what exactly is allowed?
b. Security: password policy, levels of access, virus and malware protection, etc.
c. Disaster Recovery: yes, this is security of information too, and it needs to be defined, implemented and tested.
d. Identity Management: how are people identified within the organisation, and what happens when they join, move role or leave?
e. Information Handling: internal and external protection of information, including information held on mobile devices and sent by email.
f. Compliance / Governance / Privacy: how will you check that security and protection are working? Will audits be carried out? Think about metrics here: how can you measure your security effectiveness and the payback on your investment?
There are many other areas that could be included in an Information Security Policy, but it is important to cover the basics and to be able to deliver effective measures. There is no point in having a wonderful policy with nothing behind it!
If you would like more information on any topic regarding security policies, technology, measurements and protection of information then contact us!