Just starting out? Here are some essential security facts for your business.
Given the ubiquity of IT systems in small-to-medium size businesses today, the reliance that those firms have on those systems, and the sensitivity and importance of the data that flows through them, it’s no wonder that IT security is a hot topic. Threats to the security of your firm’s data come from a myriad of vectors, both from outside your network and from within.
If your firm’s data is compromised by a cyber-attack, the effects it can have on the business may be devastating. First of all, your firm’s operations may be virtually shut down as you scramble to contain and mitigate the attack. Every minute your firm’s staff can’t do their normal work costs hundreds, if not thousands of dollars.
If sensitive information is found to have been stolen or even accessed, your firm could be held liable. Legislation such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act, and HIPAA has penalties for noncompliance that would have very serious consequences for small-to-medium businesses.
Perhaps the most insidious way that a security breach can affect your firm is damage to your firm’s reputation. In the highly competitive SMB space, firms depend upon hard-won reputation to attract and keep clients, and if your firm is perceived to be anything less than completely in control of its information and processes, you will find that a tarnished reputation is difficult to remedy.
It’s important to understand that IT security is a process that must become a part of your firm’s corporate culture to be successful. Some of the steps are pretty well-known (a firewall, or anti-virus software, for example), but these won’t be effective over time if they are not part of an overall security policy.
It’s simply not possible to guarantee your network will never be compromised by an attack from outside or inside the network. The attack vectors are too numerous, and the security measures are always barely a step ahead of those who seek to defeat them. But if you can’t eliminate risk, you can mitigate it, and a well-designed security policy will help to ensure that you are doing all you can, on a continuous basis, to protect your network.
The policy will establish guidelines for various security settings that the network administrator will control, but it also defines certain behaviors for users on the network. No security policy will work unless every user on the network follows it, and it’s perceived to have the blessing of the firm’s top management. If the rank-and-file employees see that the company’s officers ignore the security policy, they will consider it unimportant and ignore it, too.
Before you can design or implement a policy, you will need to establish a baseline, determining the level of security that is reasonable for your organization, and then determine what would have to be done to achieve (and keep) that level of security.
Given the importance of network security, and the time, effort, and expertise it takes to evaluate your network’s security status, and then design and implement an appropriate policy, it is wise to outsource some or all of this process. There are IT service firms that do this type of thing routinely, and you will benefit from their experience.
Whether you handle this in-house or outsource part or all of the process of implementing the security policy, keep these guidelines in mind:
* Make sure you have good documentation of your network infrastructure (up-to-date network diagrams) and logs of what maintenance work and improvements you do to it. You can’t hope to control network security if you don’t have a handle on your network to begin with,
* Make sure your security policy is well documented, too, for several reasons: You will want to be able to have proof the policy was implemented; you’ll want to able to quickly inform new employees of your firm’s policies; the documentation will make revising the policy easier, which brings us to…
* Periodically reassess your security policy. Things change so fast in the IT world–and in the legal profession, as well–so it’s wise to rethink your strategy on a semi-annual (or even quarterly) basis.
It would be nice if you could just buy a magic cure for network security, but it’s just not possible. Networks have become too complex, and there are too many exploitable points of entry. Dealing with network security is the trade-off for the convenience of being able to access so much data from so many places. There’s no turning back now–the digital information age is here to stay.
Bruce Campbell is vice president of marketing for Clare Computer Solutions in San Ramon, Calif.