CEO Primer : Information Security Quick Wins

The first article in this series looked at some ways to assess the importance of security risk to your business, intended to help determine whether your budget is appropriate. This post lays out some simple, inexpensive measures that will reduce your Information Security exposure considerably. You should check off these items before investigating any higher spends.

What does Information Security encompass?

Information Security encompasses the means for identifying and ranking potential threats, and detecting, quickly resolving and avoiding repeat incidents. Digital information needs to be protected at rest (stored in databases, file servers and devices around the business and in the cloud) and in motion as it moves across the company network and external internet between privileged users. Paradoxically, while the majority of vulnerabilities occur when your data is at rest, the majority of security industry spend is on the network.

Employee Education

Employee education is the foundation of a secure organization. You can help your team understand the importance of security for your business and how they can help. The majority of security issues arise through accidental or deliberate employee action, and you can reduce the former with some reminders about safe and unsafe practices.

Here is a simple and effective approach:

  1. Write up straightforward company policies regarding appropriate use of email and internet, password rules, systems access, and staff responsibilities. You can find a comprehensive list of policies here.
  2. Distribute a document summarizing these policies and adding some simple tips and tricks such as the use of strong passwords, deletion of suspicious attachments before opening, and safeguarding of company phones and laptops. 1 or 2 pages should suffice.
  3. Include the topic on staff meeting agendas, making sure that you message every employee.
  4. Communicate regularly about security changes and issues. Provide immediate alerts and guidelines when severe viruses arise, such as Cryptolocker and Heartbleed.

Getting your team onside is more than half the battle won.

Establish a Secure Environment

Consider your security environment to be an onion skin, with your servers, desktops and phones at the centre, and layers of security applied to data in motion on the network to and from the outside world. Your firewalls and VPNs are at the edge of the onion, and "end-point" security tools at the heart. Strong security consists of several robust layers, but you'd be surprised how common it is to find a single poorly configured firewall between your corporate server and potential hackers.

Firewalls : should be configured by an expert to ensure robust security and appropriate logging of activity to monitor for intrusions. Multiple firewalls can be used to ringfence segments of your company network, an important practice if your business handles credit card information requiring PCI compliance.

Anti virus software : You get what you pay for with anti virus software. Tools that are free or nearly free will fail you when you need them most. Robust solutions with speedy virus updates from reputable providers like Symantec and McAfee are not expensive and WILL save your organization time by avoiding loss of operational time. If your IT is supported by a managed service provider, a managed anti virus service is worth considering.

Encrypting data : when data is encrypted, it can only be read on devices that have access to the cryptographic key that is unique to your business. Odds are that your company has laptops and mobile phones. If the data on these devices is encrypted, company information is protected against loss of equipment.

Use two-step verification for cloud security : Many cloud apps like Gmail and Dropbox support a security technique called two step verification. This is a way to restrict the specific devices that are able to connect to your cloud applications. If your company user accounts are managed centrally, you can restrict this access to company owned or company approved devices. In the event that an employee's login details are leaked, two factor security prevents access from a non-authorized device.

Next : Information Security as a Process

Having confirmed that your secure environment has the right components, the next step is to ensure that the correct processes are being followed to maintain security.

If you contact me at , we can get on the phone to discuss how you can make your information security better than many small to medium businesses.