Most sensitive information — including files on products, customers, suppliers and employees — are now kept digitally. But keeping these files well protected from unauthorized eyes, yet allowing the information to be accessed by employees is a double-edged sword, says Sassan S. Hejazi, director of technology solutions for Kreischer Miller, an accounting and business advisory firm based in Horsham, PA.
Smart Business spoke with Hejazi about the importance of keeping information secure and the steps a business can take to ensure that its information does not end up in the wrong hands.
Why is IT security necessary?
Information is a competitive weapon that needs to be safeguarded. Companies invest heavily in gathering and managing the information. To be able to harness that information is a source of power. The technology available today allows for greater ease of accessing information, yet creates greater security risks as well.
For example, if a salesperson leaves your company, is there anything to stop him or her from buying a $20 memory stick and downloading all critical files from your company — equivalent to dozens of filing cabinets — and walking out the door? Companies must have a keen awareness of how information security can be breached and take steps to prevent it.
What kind of information needs to be protected and against whom?
What needs to be protected is any kind of word processing document, e-mails, financial information, business plans, employee information, earnings, payroll, customer files (such as what they buy and how much they spend) and supplier information.
Most IT problems happen within the boundaries of the organization. One drastic example of this is when gang members in Los Angeles obtained part-time jobs in telemarketing companies and had access to all kinds of lists and information. All the customer information — including social security and credit card numbers — (was) downloaded onto CDs and sold to third parties.
What steps can a business take to make sure its information systems are secure?
Your employees are on the computer every day where new viruses and threats are continually introduced to the Internet. The very first step is to make sure, from a technical standpoint, that all computers and software are up-to-date with the latest patches, virus management downloads, firewalls and spam management. Many subscriptions and services can do this automatically.
The second step is to educate employees about company policies and procedures in regard to IT security — that is, what is acceptable and not acceptable. For example, can they install applications? What Web sites are they not allowed to visit? What employees can — and can’t — download from the Internet? This needs to be in writing, with the ramifications of violating these policies clearly stated.
Next, you need to verify that the policies and procedures are being honored by your employees. There are services available to periodically monitor what users are doing — and alert you to potential security violations, such as anyone downloading or saving large files.
Larger companies, such as banks, monitor employees’ usage on a daily basis. But you don’t have to get carried away with this. Periodically, perhaps once a quarter, look at the scope of activities of your users ... but how often you look at this will depend on the type of company you run, since no one size fits all when it comes to monitoring.
What are the downsides of having a secure IT system?
With tighter IT security comes a level of user inconvenience. One example is requiring periodic password changes — periodic changes lesson the possibility of others discovering protected passwords. IT security always creates minor user inconvenience, but if users are aware of the implications if policies are not followed, and the business enforces its policies, IT security has a higher chance of success.
What can a company do if its IT security has been violated?
A company must have a disaster recovery plan of action in case information integrity has been violated. Business owners not only need a plan to retrieve the lost information but a strategy to communicate with employees and customers about what has happened.
Also, comprehensive backups, which are tested and stored somewhere off your site, are a necessity. This is all the responsibility of the business owner. Your best course of action is to talk to your IT adviser and make sure you have a plan of action for any worst-case scenarios.
Sassan S. Hejazi is the director of technology solutions for Kreischer Miller, an accounting and business advisory firm based in Horsham, PA. He is also on the faculty of Management Systems at Arcadia University of PA. Reach Hejazi at firstname.lastname@example.org or (215) 441-4600, ext. 200