How to Assess the Information Security of a Small or Medium Business
What is the most important aspect for a business?
It is information.
Information about people, products, projects, etc.
But bad things can happen.
Ransomware. Viruses. Internal risks.
Any of them can happen to your company: attack your IT, steal or delete your information, and affect your business.
So, how do you assess the risk of losing money because of lost or compromised information?
Not all entrepreneurs or managers of Small / Medium Businesses (SMBs) have time to learn IT and understand the current status of their data: what information the business has, where it is located, who has access to it and so on.
To help Small and Medium Business owners or managers, I will share some tips and steps that you can follow for an initial Information Security assessment.
Start by setting 3 simple criteria:
«Only those who need access to information to do their jobs should have access to it.»
«The information hasn’t been manipulated or deleted by those who shouldn’t have had access to it.»
«The information is available when it’s needed.»
You can follow the 3 criteria by using some matrix models.
Now you have classified and assessed your information.
What is next?
Avoiding leakage of information, wrong editing, losing saved files, etc.
How can you do it?
You can do so by choosing the right protection for your information.
And the steps are:
- Categorize the types of information
- Decide what kind of information to protect
- Estimate the losses due to lack of protection
Examples of categories: payroll information, confidential business research, business plans, financial information, etc.
Examples of protections: in-house, outsourced, manually, automatically, etc.
Examples of loss considerations: lost work, legal costs, fines / penalties, reparation costs, loss of reputation / trust.
Each business is very specific and the above simple steps are meant to be a starter for your company: classify, assess and protect.
They are also a stress test for your current IT team: a lot of IT people are great at managing the information for their companies.
If you have an IT team / IT person / IT outsourced team, you can talk with them about the security of your information and data. Good IT people will be able to provide that information immediately, and you can then assess your information security status.
That way, you can focus on your business with fewer concerns about your information security.
Written by Ervis Micukaj