As an entrepreneur, I have spent the last three years speaking with small‐ and medium-sized business owners about risk and why they need to get serious about the security of their businesses. It continues to amaze me the number of business owners who make the following comments: “I’m not worried about it. I don’t have anything the hackers want.” Or, “I’m secure, I have a really good password.” And, “My business is too small to get hacked.”
The Target breach appears to have been a wakeup call, but there are still far too many who have not heeded the warning and are playing Russian hacker roulette with their businesses. It is easy to assume the state of breaches couldn’t be that bad and that most organizations are doing the right thing to keep information safe, but assumptions can be very bad. I have worked with organizations that use one password per computer and all employees know the password; most businesses I have worked with have NO security policies, and this includes organizations that are required by law to have these policies. Additionally, when it comes to organizations that are required to implement security as part of a law or regulation, the entire focus of the security is on being compliant, not on actually securing anything.
OK, enough of the doom and gloom. So what should business owners do? First of all, stop ignoring the problem — it’s not going away. All you have to do is read the news and you will see the report of another massive data breach just about every week, like the 1.2 billion usernames and passwords stolen recently. Make a plan and inventory what you have. Understand how data flows — who touches the information, both inside and outside of the organization — how it is secured, whether in-transit or sitting at rest on a server. Once you understand your organization, including the software and hardware you use, and how things are set up and configured, decide who is responsible for security. That may be you, someone in your organization or a person or company you hire or contract with. Regardless, you as the owner are responsible so do not hand the reins over and assume you can forget about it. Security is not a set-and-forget concept. Just as you should not hand over all of your accounting and bookkeeping tasks to one person without your oversight, you should not give one person, or a company, control of your security and not oversee it.
Finally, once you have figured out how security does or is going to work for your company, put it in writing and make sure employees know their individual responsibilities. Don’t simply ask some company to provide you the policies you need. Unfortunately too many of them will sell you a batch of canned policies that are not customized to your business and do nothing for you. Remember, security is a process, not a product. In order for a company to customize policies for your organization they must understand your organization. This involves interviews, discussions and getting to know the culture, flow and personality of the employees and overall business.