Computer Weekly has an insightful article on how small to midsize businesses should develop security strategies to protect valuable information while enlisting the help of employees.
Invest time and effort in making every member of staff a security champion. It is a false economy not to use every means at your disposal to protect organisational assets, and staff are in practice the biggest threat to information assets. But they can also be your best ally in rolling out policy that people actually use and understand. If they know they are protecting their organisation and its brand, they will want to be part of it.
The article lists the areas SMBs should focus on:
Confidentiality, integrity and availability
Identify information assets, and objectively assess their importance and how critical each component of confidentiality, integrity and availability (CIA) is for each of them.
Make information assets brand assets. Put the brand assets at the heart of behaviour and culture, and put the information at the heart of the security strategy.
Adopt consistent, repeatable and realistic risk assessment processes, fed by intelligence-driven threat assessments. The risk and threat landscape evolves constantly. Effective risk mitigation can only come from regular threat and risk assessment.
Security as a business process
Introduce robust, but not overly bureaucratic or onerous, change and configuration management processes that cover changes to working practices and not just changes to information and communications technology (ICT) components.
IT health checks
Invest in regular IT health checks (often referred to as penetration testing), but make sure the testing is targeted according to the risks (another reason for having a well-developed risk-based approach): for example, test web-facing services with dynamic and attractive back-end content more frequently than static or internal systems.
Inform yourself and your staff about security threats and mitigations. Use open-source information on security matters to keep yourself and your staff up to date. Such information is available online as well as from the free-to-attend educational seminars often hosted at security events.
In time, we can hope that security will feature in many business events, making it easier for business leaders to get information and guidance on security in the correct context, as a pan-business service.
When it comes to staff, educate and encourage all colleagues to communicate with each other. Do not assume that, because you know of a new issue (for example a new phishing scam), all your colleagues do too. It might even have escaped the attention of your security manager, so encourage people to talk. Consider creating a forum, perhaps a space on the intranet, where people can register security issues they have heard about, read about or experienced.
Security strategy and policy frameworks
A small investment in independent external audits or health checks can identify potential issues before they become security incidents, providing significant assurance as well as a valuable mechanism for driving continuous improvement.
Prepare for the worst
SMEs often think they are not targets, which makes them a convenient initial way in for an attacker. They do not realise that they frequently hold information that is valuable or sensitive, or that provides a route into a larger supply-chain partner.
The best approach is to assume that, if you have information assets, you will be a target, and so will your supply chain. You are accountable for your own data, and if you share information or systems with partners they will probably hold you accountable for their connections and data too.
These are some practical things you can do to ensure that any budget allocated to security is well spent and clearly accounted for. A business's biggest asset and its biggest vulnerability is its people, so never underestimate or under-budget training and awareness. Staff can be your best defence or your worst nightmare.