Information Security for Small and Medium-Sized Businesses

This article is part one in a twelve-part series on information security fundamentals for small and medium-sized businesses.

Thanks to the Internet, small and medium-sized businesses can now participate in the global marketplace. We can reach customers around the world 24/7/365. We can even elect to replace our brick-and-mortar storefronts with ecommerce websites.

However, this marketplace is rife with risks. Competitors can remotely attempt to steal your intellectual property. Thieves can remotely attempt to steal your customers’ personally identifiable information. Criminals can launch denial of service attacks against your website, taking your storefront offline. The unfortunate truth is that any one of these could be a business-ending event.

Businesses with staying power understand the need for information security. What most SMBs don’t realize is that the same principles that apply to multibillion-dollar global conglomerates also apply to SMBs with a dozen employees and an online presence. It’s just a matter of scale.

Jerod Brennen

But where do we start? Easy: we start with a framework.

Simply put, a framework provides structure. Chances are that you already have one or more frameworks in place for your business. You have structure for accounts payable and accounts receivable. You have structure for employee onboarding, payroll, and separations processes. You have rules that you follow to keep your business running smoothly, and the same concepts apply to information security.

The International Standards Organization has defined a set of twelve essential security management categories that every business should implement:

  • Risk Management
  • Policy Management
  • Security Organization Management
  • Asset Management
  • Human Resources Security Management
  • Physical Security Management
  • Security Operations Management
  • Access Management
  • Information Security Systems Management
  • Security Incident Management
  • Business Continuity Management
  • Compliance Management

This list might seem daunting, but it really isn’t. While some organizations may want to pursue formal ISO certification, all businesses can benefit by identifying and implementing the essential controls from each management category. This process can drastically improve your business’s ability to protect the confidentiality, integrity, and availability of your systems and your data. That, my friend, is what we like to refer to as a competitive advantage.

So where do we begin?

Let’s start with Security Organization Management.

Once you have your list of security management categories, you have a rough idea of what you need to do and of what security controls you need to implement and maintain. Now it’s time to ask the $64,000 question: Who’s going to do all this stuff?

An effective information security program starts at the top.

The very first thing your information security program needs is executive sponsorship. Someone at the top has to decide how important information security is to the business. When you assess your current information security control set, you’re likely to find gaps. Those gaps may require new headcount or new technologies, both of which come with a price. An executive is the right person to balance risk versus reward for any spending decisions.

Next, you need an information security steering committee. While the IT department may be responsible for managing these controls, it’s the business users who know firsthand how these controls will impact the users. If the security controls aren’t properly aligned with your business needs, those controls could be more damaging to your business’s bottom line than an actual attack.

Once the steering committee is in place, you need an information security team. This could be a team of full-time security professionals, of security-minded system administrators, an army of one, or even a third-party service provider. Similar to the global marketplace, the information security landscape is constantly changing. You need professionals who understand that landscape and can help you course correct to stay ahead of the risks.

Finally, you need to keep an eye on third-party security. Just because you’re doing the right thing doesn’t mean that the same holds true for your partners or your vendors.

For example, do you use Dropbox for business purposes? What was the impact to your company when Dropbox passwords were optional for four hours? How forgiving will your customers be when they find out that their private information was made public thanks to the third party that you trusted with their data?

To recap, you should start by addressing Security Organization Management. Specifically, you should implement these four controls:

  • Executive Sponsorship
  • Information Security Steering Committee
  • Information Security Team
  • Third Party Security

In the next article, we’ll dive into Risk Management.