5 Reasons Your Business Should Have an Information Protection Policy

Information is the lifeblood of all businesses, but many business owners and high-level managers often overlook the security of their business information to focus on what they consider more important: “the generation of revenue.” Many even know the risk well in advance but take on the mentality, “It will never happen to us.” Then the inevitable happens.

Experience has proven that disregard for the protection of business information is disastrous. The smallest vulnerability in a business’s Information Security System (ISS) can and does cost businesses thousands, even millions, of dollars in financial loss every day. Experts have found that in the majority of cases involving “loss” from the theft of information, the business owner(s) or managers were aware that potential breaches existed and did nothing to correct the issue. Experts also point out that in 99% of cases the cost to fix the breach would have been thousands to millions of dollars cheaper than the loss the business sustained from the breach itself.

According to “Trends in Proprietary Loss” (ASIS International, 2007), these are the top 5 reasons businesses of all sizes should have an active and progressive Information Security System (ISS) and Information Security Management System (ISMS) in place.

  • Loss of reputation/image/goodwill – Taking a hit in the pocket could be bad, but not half as bad as taking a hit to your reputation. Many businesses can rebound from a loss of revenue, but repairing your business reputation can cost astronomical time, effort and money. The implications are overwhelming in most cases.
  • Loss of competitive advantage in one product/service – When you have been working feverishly to stay ahead of the game but your competitor beats you to the finish line every time, “There’s a hole in your boat.” The leaking of trade secrets, product delivery timelines and other business processes can completely derail a business and destroy its competitive advantage. In 2006 there was a well-known case of information theft concerning an employee from a major beverage company. That employee stole trade information and conspired to sell it to another beverage company for 1.5 million dollars. The employee was arrested after the competitor turned her in.
  • Reduction of projected/anticipated returns or profitability – This can occur when your competitor knows your pricing strategy. If they’re selling the same type of product or service as your business, they can, and will, easily outprice you.
  • Loss of core business technology or process – A quick Google search will give you some insight into how businesses lose billions in the process when technology is leaked or stolen. The case of the drawn-out and costly battle of the “Cell Phone Giants” comes to mind. Do a Google search about it. There are some really insightful facts that you may not have known about the case.
  • Loss of competitive advantage in multiple products/services

All of the above are sound reasons why your business should have an active information security policy. I am of the opinion that any business that regularly loses money and fails to implement processes to stop it will soon be out of business. Therefore, I encourage all business managers, executives and owners to take the protection of their information seriously. Make time to review your current information security processes and policy with your security manager. Listen to his/her concerns and recommendations. After all, that is what you hired him/her for. Concentrate on making your security a “Necessary good” instead of a “Necessary evil” and dedicate a reasonable but flexible budget to immediately address new or unexpected security threats. It could truly save you a life of headaches, court battles and money in the end.

Below are a few recommendations that I believe will help any business to begin improving their information security process. It will also help to improve overall security in general.

Recommendations

  • Ensure that sensitive information is only accessible to a small group of people on a need-to-know basis. This information is to be kept in a secure area with progressive and redundant security measures.
  • The first level of security can be posted signage that designates the level of authorization required to be in specific areas. These signs should also advise the consequences for ignoring them.
  • The second level of security may include CCTV cameras which are manned or unmanned (but have the ability to be reviewed later). Cameras serve as a good method to detect, deter and in some cases respond to nefarious behavior.
  • The third level of security mandates designated key cards or key fobs to enter restricted areas. This authorization can also be indicated by color-coded ID badges. A security checkpoint guarded by trained security officers is also an option.
  • The fourth level of security concerns areas where the most sensitive information is held. This area should include CCTV cameras, locked file cabinets and safes. This should be supported by a well-written Information Protection Policy created in partnership with an experienced security professional, and it should be strictly adhered to.
  • Lastly, a schedule for audit and compliance should be instituted and a designated person appointed the responsibility for its oversight. This recommendation has more to do with Information Security Management, which I will discuss in a later topic.

General Information Security Practices

The preceding concerned security strategies for highly sensitive information; however, we must not overlook the need for the security of general business information. Information comes in many forms and businesses must protect them all. Here are a few more tips that I recommend to improve your current Information Security Policy:

  • Ensure that all documents that contain personal, personnel and company information are always kept secure. This information should never be left lying around on someone’s desk or in their inbox. Always keep this type of information under lock and key and designate a person to ensure strict accountability.
  • Ensure that you have an information security policy in place and share it with your entire staff. This policy should include how to file or discard company information.
  • Ensure that your company has a shredder and include shredding regulations (what should be shredded, when and by whom) into your policy.
  • Always ensure that someone in your organization stays abreast of current cyber threats. This person is normally the head of the IT department or your security manager. He/she should also ensure that your anti-virus and firewall systems are regularly updated and tested. If your company does not have a dedicated IT department or manager, it wouldn’t hurt to consult with an IT Security firm to get a check-up.
  • Ensure that your Information Protection policy includes regulations pertaining to thumb drives and portable hard drives. The policy should clearly state what information can be saved or uploaded from and to the devices. Also consult with your IT department to disable the USB ports on your computers and networks if necessary.
  • Finally, every business should have a Non-Disclosure Agreement. NDAs set the expectations for your employees as they pertain to the privacy of your business affairs, processes and materials. They also provide the recourse for violating the policy. Sample NDAs can be found on the web, but I recommend consulting with your attorney to ensure that your NDA provides you and your business optimum protection.

That about sums it up. I believe that by implementing these strategies every business can improve the protection of their information and reduce the chances of suffering financial loss. In many cases you may even increase your profitability, which is why we are all in business anyway. I hope that you found this information valuable. Never underestimate what a solid Information Security Program can do for you.

Thanks for reading and I hope that these quick security tips help to kick start or rekindle your Information Security Program.

Author: Melvin E. Key, CPP