Information Security for the Small Business

 ALAN FRASER


My contention is that every business, even the sole trader with one PC working from home, needs to take account of the key measures required to create the necessary security for its information. There's no need for the formal Risk Analysis required by large organisations - common sense will tell you what you need to do.

If you write down even a basic policy with a few principles it will help you to decide what you need to do to protect your priceless business information and the equipment you use to process it and run your business. You can find an IT Security Policy for a bigger company here.

Make an inventory of your business assets and keep it up-to-date. Also keep a copy in a safe place away from your work premises - you may need it in an emergency, see Business Continuity Planning below.

See the page on preventing PC and office equipment theft here.

Your PC is just as critical to you as a mainframe computer is to a large business! One area of risk is the exploitation of Microsoft software weaknesses by hackers, so you should ensure your Windows and Office software is kept up-to-date by installing the security patches released by Microsoft as soon as they appear. Never install patches that are sent to you by email - these are viruses or Trojans. Get Microsoft patches only from their web-site as part of their Windows Update program. PCs can usually be set to update themselves automatically.

Set up every PC you own to require a password for each user. Bear in mind that password cracker programs can easily break a simple password, so create a strong one using upper and lower case letters, numbers and even special characters. Don't write the password down unless you keep the reminder safe in a place such as your wallet or purse. A Post-It note stuck under the keyboard is just too easy to find!

If you have staff who use email and access the Internet you must have an acceptable use policy - see Email and Internet Abuse.

You probably use spreadsheets and maybe databases that you've developed yourself. Take time out to check all the formulae are correct so you don't make financial or other calculation errors, and also password-protect the files.

The situation is quite stark. Many companies that suffer a major incident such as a fire or a flood go out of business immediately. Around 70% go out of business within one year - even though they try to get going again and are covered by insurance, they never recover enough from the incident to stay in business.

Simple rule: take regular back-ups of your precious company data. Copying files off your PC has never been so easy now that CD writers and blank CD-Rs are so cheap. Also, USB memory sticks can take up to 1Gb of data, and can be used on any PC without special software, just like a diskette in the old days! Then keep the backups and copies of paper records somewhere away from your primary place of business: at your accountant's or book-keeper's, at the bank, or even at a neighbour's or relative's home. If you rent a small office, keep your copy records at home. Alternatively, you can use an online service to back up your precious data over the Internet, such as this one: http://www.keepyourdatasafe.co.uk/ For a relatively small charge per year your critical data is backed up regularly, securely and confidentially in a manner that's transparent to you once it's been set up.
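A backup copied to a USB stick or second drive is only useful if the copy is intact. The following added example (not from the original article) copies a records folder to a second location and writes a SHA-256 manifest so the copy can be verified before you rely on it; the folder names and sample files are constructed for illustration.

```python
# Added example, not from the original article: an integrity-checked backup of a
# records folder to a second location (USB stick, second drive, off-site folder),
# with a SHA-256 manifest so the copy can be verified. Paths are constructed.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large spreadsheet or database does not fill RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest; record the ORIGINAL's hash in a manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)       # copy2 keeps the file's timestamps
            manifest[rel] = sha256_of(p)  # hash of the source, so a bad copy is caught too
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_backup(dest: Path) -> list:
    """Return files whose copy is missing or no longer matches the manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]

def demo() -> tuple:
    """Constructed sample: back up two records, verify, then detect a damaged copy."""
    work = Path(tempfile.mkdtemp())
    src, dest = work / "records", work / "usb_stick"
    (src / "accounts").mkdir(parents=True)
    (src / "accounts" / "ledger.csv").write_text("date,amount\n2006-01-31,120.00\n")
    (src / "contacts.txt").write_text("constructed contact list\n")
    make_backup(src, dest)
    clean = verify_backup(dest)                      # expect [] (all copies match)
    (dest / "contacts.txt").write_text("bit rot\n")  # simulate a damaged copy
    damaged = verify_backup(dest)                    # expect ["contacts.txt"]
    shutil.rmtree(work)
    return clean, damaged
```

Run verify_backup against the stick each time you take it off-site; a non-empty result means that copy should not be trusted and the backup should be redone.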

Some people have told me they can rely on the "Dunkirk spirit" to get themselves out of trouble. Trust me, it rarely works! People under stress in panic situations can't think of everything and don't always make the right decisions. Also, once your precious business information is lost, it can never be recovered, no matter how heroic or loyal your staff are. For more information, see the BCP page.

For a small trader this means finding out what types of security incident can affect you, and how you can protect yourself against them. The most likely are hardware failure, theft or fire. Sometimes even a small incident such as a PC hard disk crash can mean many vital records are lost. Even the simplest protection against theft can deter an opportunist thief.

Today almost all businesses will have a broadband connection to the Internet, on all the time. Every single user of a PC that is Internet-connected needs anti-virus software, active all the time the PC is in use and kept permanently up-to-date. Most anti-virus software on sale today will check for updates either every time you connect to the Internet or once a day. Some of the stories I've heard about people who have lost years of work to computer viruses are really tragic. For the sake of a few pounds a year, don't let it happen to you. Using free anti-virus software occasionally to check your PCs isn't good enough - you must have software from a reputable company that updates itself.

Also, to protect your PC against hackers you need a firewall. Not only will hackers loot your PC, they are also very clever at using unprotected PCs as agents to attack their own targets, completely unsuspected by their users. Some anti-virus software includes a personal firewall, but you can download ZoneAlarm for free from Zone Labs. If you install a firewall you must make sure that no-one has a modem or other means of Internet access that can bypass it.

No matter how small you are, you still have the obligation to treat business software vendors the way you'd want your customers to treat you. So don't use pirated software - you get no support, and it can even be virus-infected. Make sure all your software is properly licensed.

If you hold personal information about identifiable people in the course of your business, the Data Protection Act 1998 may apply to you! Even if you don't have to register as a "Data Controller", you must still comply with the requirements of the Act: to obtain personal information fairly, ensure it's accurate, keep it safe from unauthorised access, modification or disclosure, and use it only for legitimate purposes of your business. See the Information Commissioner (formerly the Data Protection Registrar) web-site for more details.

Many small traders use Microsoft Office tools such as Excel or Access to keep databases. These can be password-protected. However, if you keep a database of Contacts in an electronic mail program such as Microsoft Outlook it cannot be protected, and the PC must be protected by other means such as a logon password.

Note that when you keep the name of an individual contact (and data on them) solely in relation to their business because of their position, this is far less likely to be strictly construed by the Information Commissioner as personal data. Such data does not focus on the individual but on the business, and the employee is merely a representative of his/her employer.

Other legislation that applies to you is:

Safeguarding of Organisational Records

A private limited company or even a sole trader needs to keep their organisational records safe. Many people working from home have no protection in cases of fire or burglary. Keep copies of the records away from your primary place of business as mentioned above.

The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006