Seven Steps to Improve Small Business Data Security

Friday, January 14, 2011

Danny Lieberman


Here are seven steps to protecting your small business’s data and intellectual property in 2011, in the era of the Obama Presidency and rising government regulation.

Some of these steps are about not drinking consultant Kool-Aid (like Step #1 – Do not be tempted into an expensive business process mapping project) and others are about adopting best practices that work for big business (like Step #5 – Monitor your business partners).

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step #1 – Do not be tempted into an expensive business process mapping exercise

Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of their data and business processes. This is an expensive task to execute and extremely difficult to maintain, and it can consume a large quantity of billable hours.

That’s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.

Step #2 – Do not punch a compliance check list

There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish, would yell at us “grosse augen” (literally “big eyes”) when we piled too much food on our plates.

Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that store and process PII (personally identifiable information) have to deal with PCI DSS 2.0, California state privacy law, etc. But looking at all the corporate governance and compliance violations, it’s clear that government regulation has made America neither more competitive nor better managed.

It’s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn’t have to be expensive

If you have intellectual property, for example proprietary mechanical designs in AutoCAD of machines that you build and maintain, schedule a one-hour meeting with your accountant and discuss how much the designs are worth to the business in dollars.

In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly in dollar terms by you and your accountant, in terms of replacement cost, impact on sales and operational costs.

If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.

Step #4 – Do not store personally identifiable information or credit cards

I know it’s convenient to have the names, phone numbers and credit card numbers of customers, but the absolute worst thing you can do is to store that data. VISA has it right. Don’t store credit card numbers and magnetic stripe data.

It will not help you sell more anyway; you can use PayPal online or simply ask for the credit card at the cash register. Get on Facebook and tell your customers how secure you are because you don’t store their personal data.

Step #5 – Don’t be afraid of your own employees, but do monitor your business partners

Despite the hype about trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet

Awareness is great but, as Andy Grove said, “A little fear in the workplace is not necessarily a bad thing.” Have your employees and contractors read, understand and sign a one-page procedure for information security.

Step #7 – Don’t automatically buy whatever your IT consultant is selling

By now you are getting into a security mindset: thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk.

After you’ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant.

While most companies don’t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.
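Steps #3 and #7 boil down to a simple model: price each asset with your accountant, estimate how likely each attack is and how much of the asset it destroys, and then spend on the countermeasures that remove the most expected loss per dollar. The following is an added example (not the author's risk assessment software), using the standard expected-annual-loss formula and constructed figures for a hypothetical machine shop; every number in it is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value_usd: float   # replacement cost + sales impact + operational cost, agreed with the accountant

@dataclass
class Threat:
    name: str
    asset: str                 # which asset the attack hits
    annual_probability: float  # estimated chance the attack succeeds in a year
    damage_fraction: float     # share of the asset's value lost when it does

@dataclass
class Countermeasure:
    name: str
    cost_usd: float   # annual cost, including labour even when the software itself is free
    mitigates: dict   # threat name -> fraction of that threat's expected loss it removes

def value_at_risk(assets, threats):
    """Expected annual loss per threat: asset value x probability x damage fraction."""
    values = {a.name: a.value_usd for a in assets}
    return {t.name: values[t.asset] * t.annual_probability * t.damage_fraction
            for t in threats}

def rank_countermeasures(assets, threats, measures):
    """Rank countermeasures by dollars of expected loss removed per dollar spent."""
    var = value_at_risk(assets, threats)
    scored = []
    for m in measures:
        reduction = sum(var[t] * frac for t, frac in m.mitigates.items())
        scored.append((m.name, round(reduction, 2), round(reduction / m.cost_usd, 2)))
    return sorted(scored, key=lambda s: s[2], reverse=True)

# Constructed sample data for a hypothetical small machine shop; all figures are assumptions.
SAMPLE_ASSETS = [Asset("AutoCAD designs", 200_000), Asset("Customer card data", 50_000)]
SAMPLE_THREATS = [
    Threat("Stolen notebook", "AutoCAD designs", 0.10, 0.5),
    Threat("Partner leaks designs", "AutoCAD designs", 0.20, 1.0),
    Threat("Card data breach", "Customer card data", 0.05, 1.0),
]
SAMPLE_MEASURES = [
    Countermeasure("Full-disk encryption", 500, {"Stolen notebook": 0.95}),
    Countermeasure("Partner NDA + annual audit", 2_000, {"Partner leaks designs": 0.6}),
    Countermeasure("Stop storing card data", 300, {"Card data breach": 1.0}),
    Countermeasure("Business process mapping project", 40_000, {"Partner leaks designs": 0.1}),
]
```

With these figures the free disk encryption and the partner NDA come out far ahead, and the expensive process mapping project removes about ten cents of expected loss per dollar spent.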

Cross-posted from Israeli Software

Phil Agcaoili: Nice post, Danny.

I'd change the title from small business to medium-to-large business. I suspect that security is not even on the radar for most small businesses (at least until they are hacked and it’s still only about damage control and business operations recovery).

I'm also adding that companies need to determine what’s their most important data and where it lives. From there, establish measures to protect that data.

I also suggest following a risk management approach to help prioritize security activities. No matter what size a company is, almost every security team is under-staffed. Setting security organization priorities based on risk helps uniformly prioritize security activities and assess risks and countermeasures.

Thanks,

Phil Agcaoili
Danny Lieberman: Phil,
I agree. The original title was SME (small to mid-sized enterprise). Having said that, the relevance of a risk management approach depends not only on the size of the business (a company that buys and sells will probably be at least 150 employees before risk management kicks in); SMEs with intellectual property developing products will benefit from this approach as applied to their PRODUCT and not their OPERATION, starting from even 5 employees.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.