Any business that uses computers and connects to the Internet is at risk for a security breach. And if your business stores sensitive or personal information, your risk is even greater, says John Peckham, executive vice president/information systems at Bridge Bank.
“Information and systems can be the lifeblood of an organization, and one security event could put you out of business,” says Peckham. “It behooves every business owner to be aware of that.”
Smart Business spoke with Peckham about how to keep your proprietary information and data secure, and how to test the integrity of your information systems.
What should businesses be doing to keep their proprietary information and data secure?
Start with a risk assessment, which will help you understand where your risks are and where you need to focus your attention and resources. A company should focus on its critical assets first. If a company has a lot of intellectual property, that might be the place to start. If it maintains a lot of customer information, particularly confidential customer information, start there.
A business owner may be able to do this internally, but unless it’s a small company, it is wise to get multiple people or departments involved. Owners can gain a lot of insight by speaking with other people in the organization.
Stick to the basics, make sure your policies and procedures are in place and effective, know where your data is and who has access to it, keep things up to date and test your backups — these are all tried and true basics of information security.
How are personal devices posing a security challenge to the IT departments of mid-sized companies?
Companies are seeing an influx of consumer devices in corporate IT, and use of mobile devices is on the rise. Organizations need to think about how these devices fit into their IT strategy. Is it something that you are concerned about, or is it something you want to find ways to embrace?
You have to think about how personal devices play into your security structure, particularly when employees use their own devices to access corporate resources, e-mail, applications and file sharing, especially when sensitive information is involved.
What happens if one of those devices is lost or stolen, or an employee leaves the organization? Every organization needs to look at how it uses technology within the business and make decisions about what is going to be permitted and what is not. It goes back to the risk assessment, and developing policies and procedures around that. If employees are using their iPhones to connect to the corporate Exchange (e-mail) service, a business might want to install security policies on that device that causes data to be wiped from it when the wrong access codes are entered too many times, or when the device is reported lost or stolen.
Employee awareness around this issue is crucial. It is incumbent upon a business to educate employees and make them aware of concerns about the use of technology from a security perspective. It sounds basic, but simple things like reminding employees not to click on links in e-mails that they were not expecting can have a huge impact on your organization’s security.
How should companies test the integrity of their information systems?
Organizations are best served by using an independent third party that specializes in that type of work. There is no substitute for that independence and expertise in terms of doing true testing.
To find the right firm for your needs, start with the key platforms and the policies and procedures that you want to test, and look for a service provider with experience in those areas. Or identify a service provider that has expertise and experience in your industry. In any case, be sure to check the service providers’ references.
What are the common missteps that businesses make when building their information networks?
Not conducting adequate due diligence. With technology, there’s a tendency to ‘focus on the shiny object,’ something that looks really cool. They think, ‘This is the latest and greatest thing. I see everyone else doing it, so now we’re going to get it.’ But how does it really fit into your organization? Is it something that you really need? Is it something that’s going to integrate with everything else that you have? Or is it going to be a disparate system that sits on an island by itself?
You need to spend a lot of time in the due diligence phase when you’re looking at new technologies, new systems, or new service providers. Look at things like how long the provider has been in business. Do they have the financial and operational wherewithal to stay in business long term? Is the new technology going to fit well into your existing infrastructure? Is it something you can integrate, and can you do it in a secure and efficient manner? You need to look at those things, or you may end up with a system that is implemented but never utilized because it really wasn’t thought all the way through.
Another mistake is failing to train sufficiently. New things are just that — new — and it’s not uncommon for a business to implement something and just give it to employees and expect them to pick it up. And that can be a long and frustrating process for both the business owner and the employees. A good training program that’s part of the implementation can go a long way in reducing the learning curve and the amount of time it takes for that technology to become a useful and meaningful part of the organization.
John Peckham is executive vice president/information systems at Bridge Bank. Reach him at John.Peckham@bridgebank.com or (408) 556-8309.