Submitted by: Vladimir Petrov

Executives at small to mid-sized businesses that we have surveyed state that one of their top technology concerns continues to be security and privacy. Small to mid-sized businesses store vital data: client files, accounting records, corporate records, email communications, and more. Failing to back up this data or keep it secure can ruin a business.

Most small to mid-sized businesses have taken essential steps to consider security and privacy in all that they do. And still, they wonder if they are doing the right things. This article highlights the four biggest issues that small to mid-sized businesses face, and the simple steps they need to take to address these risks.

Risk #1: Data Backup and Storage. The costs of recreating lost data for a small to mid-sized business can be huge, both in terms of recovery and the cost to the firm’s public profile and image. For instance, a firm simply can’t afford to recreate three months of accounts receivable invoices.

Solution: It is crucial to have real-time, frequent backups and to confirm that data retrieval processes are working. Manual backups can be less expensive than automated backups, and equally reliable. At the same time, small to mid-sized businesses can’t overlook the process of retrieving backups. In fact, retrieving lost data often proves riskier than storing data in the first place, yet it is often neglected by small to mid-sized businesses that focus more on data storage. It is essential to test retrieval of stored data on a regular basis.


Risk #2: Threats from internal sources. In the case of small to mid-sized businesses, threats from internal sources are often larger than threats from unknown hackers. We are aware of a number of cases of attempted fraud. For instance, an employee at one business managed to hack into escrow holding accounts, as well as private files containing owners’ private credit card numbers.

Solution: Only authorized users should be able to access vital data, a strict privacy and security policy should be in place, and businesses should be especially careful when adding and removing employees/users. Of course, most small to mid-sized businesses have created a password-protected network architecture with unique user names. Unfortunately, we have found that many businesses have become complacent and sloppy with this type of system.

For instance, they share passwords or give each employee/partner the same password. Even businesses that do follow this system can go further by checking the log files on the servers and on applications, and by testing network security each time an employee comes or goes, to ensure that there has been no security breach.

Risk #3: Turnover of in-house technical resources. We have found small to mid-sized businesses experience turnover of their in-house technical resources every 12 to 18 months. Most of the time, these “technical” employees did not create written processes and procedures for security, or kept them inside their heads. Turnover of staff can therefore lead to decreased attention to privacy and security, and make a small to mid-sized business vulnerable.

Solution: Small to mid-sized businesses should have a formal, written procedure and set of standards in place for testing their system for breaches and risks. They should test their system regularly, and also check log files – especially during employee transitions. These standards and processes should have a life independent of any single employee.

Risk #4: Vendors, especially IT vendors. It is a secret in the IT world that many IT service providers create more security and privacy problems than they fix. That’s because they may lack good security procedures and, if they are vulnerable to hacking, so are their clients. Any vendor that connects to your systems can make you vulnerable to hackers.

Solution: Small to mid-sized businesses should screen all vendors, and especially IT vendors, to ensure that they have a secure infrastructure. Ask them how they connect to your computers in order to maintain security. Request their written policies and procedures about how they govern security and privacy. Find out how your security might be compromised if someone breaks into their system. Ask about how they recruit and screen their employees.

Conclusion: Don’t get complacent!

The solutions to privacy and security issues are technically straightforward. What is often lacking is a proactive, consistent approach to ensuring that security remains strong. In addition, it is challenging to find the right resources to be truly accountable for security and privacy. Due to turnover and other demands on their job, in-house technical resources are often not ideal candidates to handle these vital issues.

Conflicting demands on these employees’ time can lead to the appearance of security without actual compliance (e.g. passwords that people share; lack of written procedures and standards). When they leave, small to mid-sized businesses are vulnerable, often for some time. Meanwhile, many IT vendors lack the infrastructure and expertise to adequately secure small to mid-sized businesses’ vital data and applications. Small to mid-sized businesses must stay on top of computer security and privacy issues, and be sure that they follow a consistent set of policies and procedures.

About the Author: Vladimir Petrov – Chief Technology Advisor

