March 1, 2008 -- Protecting your technology and your business
Simple steps to a strong IT security program
By Justin St. Clair
Published in the St. Louis Small Business Monthly
A laptop with unsecured company information goes missing on a business trip. An
employee gives out their network password, unknowingly putting your entire system
at risk from hackers. Employees visit Web sites or engage in other activities with
their work computers that could create any number of problems.
For many small business owners, it can seem like once the right technology for their
company is in place, it creates as many headaches as it cured. But with an effective
security policy in place, local experts say, it doesn’t have to be that way.
In just a few simple, relatively inexpensive steps, companies of all sizes can develop
and implement a security program that will keep their equipment and their sensitive
data safe, according to Robert Littlejohn, Manager of the Information Security Practice
at The Newberry Group, Inc. and Rich Berry, a Senior Computer Security Systems Specialist
at Newberry.
The Newberry Group, Inc. is a global IT consultancy based in St. Charles.
“For smaller organizations, first they’ll really want to look at any regulations
they have to adhere to,” says Berry, who has written security policies and headed
security controls testing projects for federal agencies including the U.S. Department
of Agriculture.
Different industries often have different sets of standards they must meet, regulated
by government agencies or industry organizations.
“Then, you’ll want to do some form of risk assessment and analyze how these risks
could impact your business,” Berry adds. “Identify your critical assets. If you
lost it or if it was damaged, what could destroy your business? Use that as your
guiding light to build your policy. All too often, I see that not being done first.”
The assessment can be done by a certified consultant or someone in house.
Once you know your risks and how they might affect your business, it’s time to create
a security policy. There are many resources on the Internet for this stage as well,
Littlejohn and Berry say.
One of the most important elements of the policy is an “acceptable use policy” that
tells employees what they can and cannot do with the company’s equipment.
“That needs to be identified for the employees,” says Littlejohn, who has experience
in information system security and accreditation at a variety of agencies, including
the Kwajalein Missile Range. “The policy needs to be given to employees on their
first day, but the training needs to be recurring, because you don’t retain the
things that may be considered small stuff but are a big deal to the company. Security
training should be a part of any organization, small or large.”
“The policy is also where you should outline what kind of protective measures you
want to take with your equipment and your data,” Berry says. “All federal agencies,
for instance, require that all data on their laptops is encrypted to keep it from
being seen by anyone who isn’t supposed to see it.
“That’s a good idea for everyone. If you lose that laptop and somebody looks at
that hard drive, it’s just nonsense to them. It’s a very effective way of dealing
with that concern.”
Before enforcing your security policy, it’s important to have an attorney look at
it, Littlejohn says, to make sure it’s enforceable.
“They should know what the employment law is and if the consequences named for not
following the policy can be upheld. There may be things in there that violate local
laws,” Littlejohn says. “It’s very important to get the attorney involved before
you put this before your employees.”
If created and upheld properly – a process that includes regular assessments – an
effective security program can mean even more than protection and peace of mind.
Companies that can show that their sensitive data and equipment are secure are more
attractive to insurers, which can lead to financial benefits, according to Kevin
Hemenway, Vice President of St. Louis-based insurance firm Welsch, Flatness & Lutz,
Inc.
“Insurance carriers love to see a plan that’s in place and updated regularly,” Hemenway
said. “It might make them more comfortable looking at other rates and discounts.
It all depends on how the broker presents it.”
There are many resources on the Internet that can help companies get started on
their security program, Littlejohn and Berry say. Businesses can download security
assessment programs from reputable sources, find encryption programs and download
templates to help build their security policy.
Breakout box 1:
Steps to security:
- Analyze risks and possible business impact of security breaches. This can be done
in-house or by a certified contractor.
- Write a policy. Templates that can be tailored to your specific needs can be found
for free on the Internet.
- Perform a legal review. Enlist the help of a lawyer to make sure your policy is
enforceable.
- Train your workforce. Develop a security awareness training program based on your
policy.
Breakout box 2:
Finding help
Small business owners can find lots of free assistance on the Internet for creating
their own security policy. A good place to start, Littlejohn and Berry say, is the
SANS Institute Web site, www.sans.org.