Given the ubiquity of IT systems in small-to-medium
size businesses today, the reliance that those firms have on those
systems, and the sensitivity and importance of the data that flows
through them, it's no wonder that IT security is a hot topic. Threats to
the security of your firm's data come from a myriad of vectors, both
from outside your network and from within.
If your firm's data is
compromised by a cyber-attack, the effects it can have on the business
may be devastating. First of all, your firm's operations may be
virtually shut down as you scramble to contain and mitigate the attack.
Every minute your firm's staff can't do their normal work costs
hundreds, if not thousands of dollars.
If sensitive information is
found to have been stolen or even accessed, your firm could be held
liable. Legislation such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act,
and HIPAA has penalties for noncompliance that would have very serious
consequences for small-to-medium businesses.
Perhaps the most
insidious way that a security breach can affect your firm is damage to
your firm's reputation. In the highly competitive SMB space, firms
depend upon hard-won reputation to attract and keep clients, and if your
firm is perceived to be anything less than completely in control of its
information and processes, you will find that a tarnished reputation is
difficult to remedy.
It's important to understand that IT security
is a process that must become a part of your firm's corporate culture to
be successful. Some of the steps are pretty well-known (a firewall, or
anti-virus software, for example), but these won't be effective over
time if they are not part of an overall security policy.
It's
simply not possible to guarantee your network will never be compromised
by an attack from outside or inside the network. The attack vectors are
too numerous, and the security measures are always barely a step ahead
of those who seek to defeat them. But if you can't eliminate risk, you
can mitigate it, and a well-designed security policy will help to ensure
that you are doing all you can, on a continuous basis, to protect your
network.
The policy will establish guidelines for various security
settings that the network administrator will control, but it also
defines certain behaviors for users on the network. No security policy
will work unless every user on the network follows it, and it's
perceived to have the blessing of the firm's top management. If the
rank-and-file employees see that the company's officers ignore the
security policy, they will consider it unimportant and ignore it, too.
Before you can design or implement a policy, you will need to
establish a baseline, determining the level of security that is
reasonable for your organization, and then determine what would have to
be done to achieve (and keep) that level of security.
Given the
importance of network security, and the time, effort, and expertise it
takes to evaluate your network's security status, and then design and
implement an appropriate policy, it is wise to outsource some or all of
this process. There are IT service firms that do this type of thing
routinely, and you will benefit from their experience.
Whether you
handle this in-house or outsource part or all of the process of
implementing the security policy, keep these guidelines in mind:
*
Make sure you have good documentation of your network infrastructure
(up-to-date network diagrams) and logs of what maintenance work and
improvements you do to it. You can't hope to control network security if
you don't have a handle on your network to begin with,
* Make sure
your security policy is well documented, too, for several reasons: You
will want to be able to have proof the policy was implemented; you'll
want to able to quickly inform new employees of your firm's policies;
the documentation will make revising the policy easier, which brings us
to...
* Periodically reassess your security policy. Things change
so fast in the IT world--and in the legal profession, as well--so it's
wise to rethink your strategy on a semi-annual (or even quarterly)
basis.
It would be nice if you could just buy a magic cure for
network security, but it's just not possible. Networks have become too
complex, and there are too many exploitable points of entry. Dealing
with network security is the trade-off for the convenience of being able
to access so much data from so many places. There's no turning back
now--the digital information age is here to stay.
Bruce
Campbell is vice president of marketing for Clare Computer Solutions in
San Ramon, Calif.
