This article will continue the SMB/SOHO business owner or IT manager’s introduction to computer security. The entire series can be found here. Subscribe to the RSS feed if you find this valuable.
Usual disclaimer: I am not a lawyer and am not qualified to provide legal advice. Please talk to your lawyer for legal advice.
Why, with all the other things you have to worry about, would you concern yourself with computer security? The fact is you probably wouldn’t if you did not have a compelling reason. You might have to comply with PCI-DSS, or with HIPAA HITECH, or maybe you would like to do business with the government and you need to comply with FISMA. Or maybe you recently learned that you are required to comply with one of the many state laws governing computer security.
Want to know the biggest reason you should care about computer security? It will help you stay in business.
Businesses that pay attention to computer security know where their data is, who has access to it, and they monitor access. They encrypt sensitive data, store it offsite, and they test that everything is working as planned. These businesses have a reasonable expectation that their data is safe and that they can recover from a disaster. In other words, they have lowered the probability that a computer security incident or disaster will put them out of business.
Avoiding Losses Through Disaster Planning
Computer security can help you survive a disaster like a flood, fire, or burglary. According to the SBA, 25% of small businesses don’t reopen after a disaster. How long can you afford to have your business closed due to data loss?
Remember the first article where I asked you to find out where your critical business data (customer information, financial information, contracts, device configuration, etc.) is stored? What did you find? Is it located in the office on one machine? Is it backed up, encrypted and stored offsite? Do you know if you can restore the data if necessary? Have you tried to restore it?
Avoiding Losses Through Compliance
You can avoid data and privacy breaches and avoid the fines and penalties that accompany them. You can lose important business data and not know it. Who has access to your data? Do you share passwords or leave the computer logged on? How many former employees, partners, spouses or significant others know that password? Do you or your employees email customer information home? Do you put it on a laptop or USB drive?
Any one of these common practices can lead to data loss, fines, penalties, and legal fees. What’s your budget for that? I’m guessing that most of you would go out of business if you had to pay these costs.
What is Computer Security Going to Cost?
The answer depends on many factors. What are you required to do by law or industry mandate? What systems do you have in place? How many devices? Where is your data? How many people need access to your data and do they need to access it from outside the office?
This probably isn’t a do-it-yourself project unless you are in the computer security business. That means you’ll need to find someone to help you. There are many, many businesses that are happy to help you, and not all of them are reputable or qualified. Learn enough to ask good questions, and get referrals. Some security industry groups that can help you are (ISC)2, ISACA, ISSA, and SANS.
I hope that this introduction has helped you become more informed. I plan to continue with specific topics like hiring, security awareness, security policies, anti-virus, malware and other topics of interest to the SMB/SOHO business owner. In the meantime, please review this introduction to computer security and check out the links in each article.