
Fraud will never happen at your company, right? You have passwords, anti-virus software, even a dedicated IT staff that manages this portion of your business — so you’re not worried. But you should be.

This not-at-my-company approach to securing your information systems is downright dangerous, says Ron Schmittling, CPA, CITP, CISA, CIA, leader of Brown Smith Wallace LLC’s IT Security & Privacy Practice. “Every organization has critical or sensitive information, whether financial information, trade secrets, intellectual property or confidential employee data,” he says. This digital information is stored electronically, leaving it vulnerable to hackers, viruses and even your own employees.

Smart Business spoke with Schmittling about the challenges business owners face concerning information security.
Why aren’t businesses being protected?

First, there are a lot of myths surrounding information security, such as: ‘We are a simple company and not very high-tech,’ or ‘I trust my IT group to know what needs to be done,’ or ‘My outsourced provider takes care of that stuff.’ Most companies are not as secure as they think they are. At the other end of the spectrum are companies that look for security products rather than developing a process. They purchase software, layering several programs with the mindset that more is better. But without a well-defined system, these companies could actually create more security ‘holes.’ For all these reasons, managers should develop a process for securing data. Information is the lifeblood of any business. Therefore, securing that information is a senior management issue and not just another job for the IT department.
How does security affect the bottom line?

Many companies fail to understand how information security will help their profit margins because security is not tangible. It isn’t tied in neatly to the linear cost and profit concept. But, in fact, security affects businesses in ways they never expected. Business activity can be disrupted, resulting in lost time and angry customers. Privacy can be violated, which will erode customer trust. Reputations can be damaged, spoiling future opportunities. On a more direct level, financial information that is not secure puts companies at serious risk for fraud or espionage.
What’s the first step to addressing security?

From a bottom-line perspective, there are four key points to remember when developing an information security system. One, start with a top-down approach, involving business managers, to find out what areas of the business contain security ‘holes.’ Two, adopt a 24/7 security attitude. Protecting your systems should be top-of-mind all the time, not just before an annual security audit. Three, enlist experienced security personnel, either in-house or through a third party, who can help you develop a tight system based on your company’s vulnerabilities. Four, constantly re-evaluate your system, via independent penetration tests and vulnerability assessments, and then tweak it to accommodate your changing business.
What issues should business owners address to secure their information?

It is critical to consider confidentiality, integrity and availability of information. Confidentiality involves enforcing a necessary level of secrecy at every data-processing juncture to prevent unauthorized individuals from accessing your data. Integrity refers to the accuracy and reliability of the information your system provides. Information should be protected from unauthorized changes to ensure the users can rely on it. Availability concerns ensuring data is accessible when requested. By addressing these three issues, your business can reduce its risk of various information attacks, which can be placed into four categories: one, criminal attacks like identity theft, ‘phishing’ and theft of information or intellectual property; two, destructive attacks such as denial of service, cyber terrorists and employees who are trying to harm your business; three, ‘explorers’ who hack for fun; and four, in the worst-case scenario, your business may be subject to espionage if competitors can mine your data for trade secrets and valuable information.
How can vulnerabilities be managed?

We’re more vulnerable today than ever, but security spending accounts for less than 10 percent of most companies’ IT budgets. An information security policy should be in writing — a ‘tone at the top’ policy that trickles down through the organization.

Start by defining what systems you currently have in place. What information do you need to protect? Next, consider physical security. What are you doing to protect yourself from people walking up to your business and collecting information? Where do servers reside, and are they well protected? What about your desktop environment? Next, implement user-access controls like user IDs and passwords, user agreements and acceptable-use policies. Enforce access to your systems with network protection like firewalls and system log-on interfaces. Finally, monitor the compliance of your plan. How is it working? You may enlist a third party to run penetration and vulnerability tests, essentially checking how easy it is to break into your system without actually breaching your security. Your system won’t be put into place overnight — but you should set goals and work toward constantly improving your security. No business can afford to ignore it.
RON SCHMITTLING, CPA, CITP, CISA, CIA, leads Brown Smith Wallace LLC’s IT Security & Privacy Practice in St. Louis. Reach him at [email protected] or (314) 983-1398.