When most people think of information security, they think of hackers, computer viruses and the theft of account data or credit card details. While it’s true that these issues are related to information security, they are just one small part of the equation. As a business owner, you should consider all of the information that your business handles – in every form.
What is Information Security for Businesses?
Information security involves far more than just IT security. Information security relates to the security of all of your company’s “Information Assets”, in paper and electronic form, as well as information that is passed on verbally. Those assets include:
- Client and supplier details
- Personnel information
- Proprietary information – e.g. recipes, source code, manufacturing techniques
Information security involves three key things – ensuring that the information your business relies on is:
- Accessible only by authorized persons
- Protected from malicious or accidental changes which may reduce the accuracy of the information
- Always accessible
Protecting Your Company’s Information
When most people think of information security, the first thing that comes to mind is access control – be that locking the filing cabinet which contains all of your employee records, or installing a good firewall on your server. Access control is important, but even systems with good security can be compromised. For this reason, you should add additional elements to your security policy, for example:
- Have disciplinary procedures in place to discourage employees from sharing sensitive information. Log who makes changes to your databases, and keep revision records so that you can re-train or reprimand anyone who makes incorrect changes.
- Use intrusion detection systems to protect your servers, and set your systems up to flag access attempts from unusual IP addresses as well as any attempts to delete records, place unusually large orders or otherwise update data in a way that deviates from normal behavior.
- Have a system in place which allows you to respond to security breaches quickly and effectively. Your plan should include a way to recover any damaged data, as well as procedures for identifying the source of the breach, informing anyone who may be affected by the breach and improving your security.
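To illustrate the kind of flagging described above, here is a short added example in Python (not part of the original guide) that checks new audit-log events against a baseline of normal activity. The event fields, the sample data and the "5 times the typical order" threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline of normal activity (illustrative, not real data).
HISTORY = [
    {"user": "alice", "ip": "198.51.100.7", "action": "order", "qty": 10},
    {"user": "alice", "ip": "198.51.100.7", "action": "order", "qty": 14},
    {"user": "bob", "ip": "198.51.100.22", "action": "order", "qty": 8},
]

# Constructed new events to check against the baseline.
NEW_EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "action": "order", "qty": 12},
    {"user": "alice", "ip": "203.0.113.50", "action": "update", "qty": 0},
    {"user": "bob", "ip": "198.51.100.22", "action": "delete", "qty": 0},
    {"user": "bob", "ip": "198.51.100.22", "action": "order", "qty": 500},
    {"user": "carol", "ip": "198.51.100.30", "action": "order", "qty": 9},
]

LARGE_ORDER_FACTOR = 5  # assumed threshold: 5x the median historical order


def build_baseline(history):
    """Return (known IPs per user, median order quantity) from past events."""
    known_ips = defaultdict(set)
    for event in history:
        known_ips[event["user"]].add(event["ip"])
    order_sizes = [e["qty"] for e in history if e["action"] == "order"]
    return known_ips, (median(order_sizes) if order_sizes else None)


def flag_events(history, new_events):
    """Return a list of (event index, reason) for events that need review."""
    known_ips, typical_order = build_baseline(history)
    alerts = []
    for i, event in enumerate(new_events):
        # A user with no history (e.g. a new account) is flagged too.
        if event["ip"] not in known_ips.get(event["user"], set()):
            alerts.append((i, "unusual IP address"))
        if event["action"] == "delete":
            alerts.append((i, "record deletion"))
        if (event["action"] == "order" and typical_order is not None
                and event["qty"] > LARGE_ORDER_FACTOR * typical_order):
            alerts.append((i, "unusually large order"))
    return alerts


if __name__ == "__main__":
    for index, reason in flag_events(HISTORY, NEW_EVENTS):
        print(f"event {index}: {reason} -> {NEW_EVENTS[index]}")
```

Each alert is a prompt for a person to review the event, which ties the detection step to the change logs and response plan mentioned in the other two points.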
If your company is not primarily IT focused, then the world of information security may seem quite confusing to you. The good news is that once your information security policies are set up, you should not have to worry about them on a day-to-day basis. The ISO/IEC 27002 standard is a good starting point for security best practices.
Consider taking a training course from security professionals such as QT&C, or bringing in a third party to help you set up some security systems. If you decide to outsource information security management, consider a long-term plan where the provider manages security patches and updates so that your systems are always as secure as possible.
Once you have your basic security measures in place, using them should become second nature. However, it is important to regularly review and revise your security policies, especially if your company grows or you experience some major personnel changes.
This guide was provided by QT&C, who specialise in information security courses and Data Protection Act training for businesses.