Posted by: Craig Mathias
IT security, security policy
Most businesses that I’ve discussed the issue with, large and small, do not have a written security policy, and I find this truly stunning. Security, it seems, is all too often an afterthought, based on the assumption that, particularly in smaller firms, hackers and crackers won’t make the firm a target, and thus security tools, techniques, and procedures are like an expensive insurance policy. Why spend the money when the risk is low? And, really, to be fair, the risk is low, but it’s not low enough to prevent massive expense and loss of customer and client confidence and consequently revenue if one gets hit. Farpoint Group deals in information – if that information is compromised, we are likely out of business and in court. That would be bad.
So we have a security policy, and we use this to drive the systems and procedures to do the very best we can to protect our – and our clients’ – information and IT assets. In principle, a security policy is simple – it defines what is to be secured, who should have access to secured (I like the term “sensitive” here) information and under what circumstances, and what to do in the event of a breach or suspected compromise of the data. No two security policies are identical. At Farpoint Group, for example, we treat all information as sensitive unless otherwise indicated. No sensitive information is made available to anyone without (a) a need to know, and (b) a Farpoint Group Confidential Disclosure Agreement in place. We keep all other information about specific systems and procedures confidential – there’s no point in waving a red flag in front of a hacker. We maintain a fairly low profile and, again, are as careful as we can be. The business depends upon this. It’s critical.
Unfortunately, when it comes to security, you’re never done. Each new day brings a potential new threat, and you need to keep up to date on both problems and solutions. This is a big challenge for small, non-IT businesses. You may want to hire a consultant not only to get your initial security policy and corresponding systems and procedures in place, but also for periodic updates and changes. But no matter how you proceed, keep security at the top of your IT list. If a network, wired or wireless, isn’t secure, it’s not really a network – it’s an invitation to disaster.