Secure information

7:00pm EDT February 24, 2008

Fraud will never happen at your company, right? You have passwords, anti-virus software, even a dedicated IT staff that manages this portion of your business — so you’re not worried. But you should be.

This not-at-my-company approach to securing your information systems is downright dangerous, says Ron Schmittling, CPA, CITP, CISA, CIA, leader of Brown Smith Wallace LLC’s IT Security & Privacy Practice.

“Every organization has critical or sensitive information, whether financial information, trade secrets, intellectual property or confidential employee data,” he says.

This accessible digital information is stored electronically, leaving it vulnerable to hackers, viruses and even your own employees.

Smart Business spoke with Schmittling about the challenges business owners face concerning information security.

Why aren’t businesses being protected?

First, there are a lot of myths surrounding information security, such as: ‘We are a simple company and not very high-tech,’ or ‘I trust my IT group to know what needs to be done,’ or ‘My outsourced provider takes care of that stuff.’ Most companies are not as secure as they think they are. At the other end of the spectrum are companies that look for security products rather than developing a process. They purchase software, layering several programs with the mindset that more is better. But without a well-defined system, these companies could actually create more security ‘holes.’ For all these reasons, managers should develop a process for securing data. Information is the lifeblood of any business. Therefore, securing that information is a senior management issue and not just another job for the IT department.

How does security affect the bottom line?

Many companies fail to understand how information security will help their profit margins because security is not tangible. It isn’t tied in neatly to the linear cost and profit concept. But, in fact, security affects businesses in ways they never expected. Business activity can be disrupted, resulting in lost time and angry customers. Privacy can be violated, which will erode customer trust. Reputations can be damaged, spoiling future opportunities. On a more direct level, financial information that is not secure puts companies at serious risk for fraud or espionage.

What’s the first step to addressing security?

From a bottom-line perspective, there are four key points to remember when developing an information security system. One, start with a top-down approach, involving business managers, to find out what areas of the business contain security ‘holes.’ Two, adopt a 24-7 security attitude. Protecting your systems should be top of mind all the time, not just before an annual security audit. Three, enlist experienced security personnel, either in-house or through a third party, who can help you develop a tight system based on your company’s vulnerabilities. Four, constantly re-evaluate your system, via independent penetration tests and vulnerability assessments, and then tweak it to accommodate your changing business.

What issues should business owners address to secure their information?

It is critical to consider confidentiality, integrity and availability of information. Confidentiality involves enforcing a necessary level of secrecy at every data-processing juncture to prevent unauthorized individuals from accessing your data. Integrity refers to the accuracy and reliability of the information your system provides. Information should be protected from unauthorized changes to ensure the users can rely on it. Availability concerns ensuring data is accessible when requested. By addressing these three issues, your business can reduce its risk of various information attacks, which can be placed into four categories: one, criminal attacks like identity theft, ‘phishing’ and theft of information or intellectual property; two, destructive attacks such as denial of service, cyber terrorists and employees who are trying to harm your business; three, ‘explorers’ who hack for fun; and four, in the worst-case scenario, your business may be subject to espionage if competitors can mine your data for trade secrets and valuable information.

How can vulnerabilities be managed?

We’re more vulnerable today than ever, but security spending accounts for less than 10 percent of most companies’ IT budgets. An information security policy should be in writing — a ‘tone at the top’ policy that trickles down through the organization.

Start by defining what systems you currently have in place. What information do you need to protect? Next, consider physical security. What are you doing to protect yourself from people walking up to your business and collecting information? Where do servers reside, and are they well protected? What about your desktop environment? Next, implement user-access controls like user IDs and passwords, user agreements and acceptable-use policies. Enforce access to your systems with network protection like firewalls and system log-on interfaces. Finally, monitor the compliance of your plan. How is it working? You may enlist a third party to run penetration and vulnerability tests, essentially checking how easy it is to break into your system without actually breaching your security. Your system won’t be put into place overnight — but you should set goals and work toward constantly improving your security. No business can afford to ignore it.

RON SCHMITTLING, CPA, CITP, CISA, CIA, leads Brown Smith Wallace LLC’s IT Security & Privacy Practice in St. Louis. Reach him at or (314) 983-1398.