Why and How to Implement an Information Security Program as a Small Business


Having a defined information security program is no longer reserved for government, military, technology companies, or high-profile big business. Small businesses of all types are finding that properly managing information security is becoming an essential part of profitability and competitiveness.

As we'll explore below, though, information security isn't something you simply add to your business, the way you added an HR manager or marketing department when your company got big enough. It only works if it becomes part of your company's core operations and culture. This means you need an expert dedicated to the task.

Information Security is Becoming the Norm

Until recently, only certain businesses felt outside pressure to implement a formal information security program. New laws and business practices, however, are changing that.

Much of the pressure comes from government, and this isn't particularly new.

All companies in the healthcare industry, for example, have for decades faced penalties under federal law (HIPAA, 1996) for privacy breaches or other mishandling of data, so going without an information security program is a tremendously bad idea in that field. After the destruction of the World Trade Center in 2001 that wiped many businesses out of existence, U.S. regulators created new rules effectively requiring companies whose operations have a significant impact on the economy, such as those involved in financial services and securities, to implement formal information security, disaster recovery, and business continuity programs.

This isn't limited to specific industries or business sizes, however, nor is it always the government compelling it.

Auditors are concerned

"Did you just say you have no Information Security Program?"

Legislation that takes effect in California in 2020 may give customers and potential customers broad control over the data kept on them by many types of businesses, with civil penalties for companies unable to comply due to lack of information security. And any company that processes credit cards for payment is contractually obligated to comply with PCI-DSS, a set of information security standards established by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). It's not a law, but your contract with your card processor most certainly calls for monetary penalties if your IT system and practices don't comply, which can be in the thousands if there is a breach traced back to your company.

Finally, financial auditors are increasingly investigating the maturity of a company's information security program, regardless of the company type. A company with little or no information security cannot assure its financial reports are accurate or that it is able to detect or prevent fraud.

As a result, not having any kind of information security program means your business is now an outlier.

To get started, an information security program needs only a commitment from top management and a charter designating a professional to see it through its stages:

  • Development, including establishing goals and risk tolerance, evaluating your current condition, and building a plan;
  • Implementation of the plan in the form of policies, procedures, and controls;
  • Evaluation, which involves defining and refining key performance indicators, as well as testing of controls and rehearsals of incident response plans; and
  • Adjustment and maintenance of the plan, which continues for the life of your business.

It can be tough to kick it off, though, since all this appears to create expenses only and no revenue. But, consider the expected costs of implementation and maintenance, and compare those to:

  • The costs of lost productivity when data can't be found;
  • Employees losing confidence in your company when they observe that data and user accounts aren't kept confidential;
  • The administrative cost of a piecemeal approach to managing security and a lack of coordination between departments in information sharing.

How much could this be impacting your profitability and competitiveness? And we haven't even mentioned the increased risk of a disastrous data breach, data loss, or system outage event.

The sooner you start, the better your investment will be. Each time you add new products, services, employees, equipment, locations, or research tasks without a foundational information security plan, you create more work and disruption retroactively integrating information security into those assets, falling farther behind your competition. This is especially critical if you're engaged in any kind of software development, which has a unique set of vulnerabilities to address, and particularly if new features are continually being added to your public-facing apps.

Information Security Must Be Part of Your Culture

This isn't only about data breaches (although these kinds of events often make the news), or so much about your competitors or even insiders accessing your confidential information. More importantly, information security is about control of your data—defining where your data is supposed to be; knowing where the data is so those who need it can find it; preventing it from being duplicated to cause inefficiencies or moved to create improper exposure; and assigning data owners and holding them responsible for managing it. Until this is achieved, you can't expect to meet your business objectives for security, such as keeping your financial data confidential, preventing departing employees from taking your client database, or complying with PCI-DSS. All of this requires an attitude change, where all employees understand that your rules for data control are as important as their regular operational tasks, and all employees have the guidance, tools, and support from their managers to make it happen.

Members of the military keep the secrecy of operations, capabilities, and intelligence in mind in everything they do, because their lives may depend on it. Information security for a business might not be as high-stakes, but should start with the same concept, carried to the extent necessary depending on the company's risk tolerance.

Imagine Company A where people are not accustomed to seeing each other's files without special effort by the file owner to share the file with a specific person, no one uses personally owned devices to access company data, people lock their computers when stepping away from their desks, and only key personnel have administrative passwords to the IT systems. If someone leaves his computer unlocked while away, he sticks out to his co-workers like a man walking on Fifth Avenue in 1930 without a hat. Or if someone posts a file to online storage for her convenience, the others look at her the same as if she were seen with client folders in her car. Compare this to Company B where everyone uses their own laptops and tablets that are frequently left unattended during the day and taken home at night, files are saved on these mobile devices and e-mailed back-and-forth or posted in various cloud file sharing services, the main company file share is loaded with everyone's files, and no one really knows how many people have the administrator password to the website or e-mail system. If yours is anything like Company B, how can you get to be like Company A?

The security culture is also one of the most effective means for mitigating the insider threat, including both malicious and accidental exposure or corruption of data. If following security procedures is seen as the norm instead of a burden, then when someone asks for access to another user's account or files, the person making that request will be seen as unfairly imposing on others to deviate from their practices, reducing social pressure on his peers to violate the rules on his behalf. Until this attitude is fully developed at your company, such a request will be accommodated by someone who views helping his co-worker as more important than adhering to policies. And one of the best ways to develop this is by having an information security program that establishes proper procedures for data access, training for users so they know the procedures, and, most importantly, ensuring that everyone, including all upper management, follows the policies conspicuously.

Information Security Has to be Managed by an Expert

In the construction industry, a good project manager knows how to review specifications provided by the architect and structural engineers, and manage resources to ensure the work is done correctly while meeting time and budget targets. The carpenters, drywallers, roofers, mechanical engineers, crane operators, electricians, plumbers, painters, and glaziers are experts in the work the manager requires. While they may work more slowly than planned or run into unexpected problems, everyone is working towards the same goal: to complete the project to specification, on time, and within the budget.

In contrast, to implement an information security program, all of your users must follow the procedures and work around controls established by the program. These tasks are in addition to, and may conflict with, their regular job tasks and objectives. This is why having a dedicated professional to manage the information security program, working in conjunction with departmental managers, is essential in developing policies and procedures of the program that will meet information security goals without impacting the department's work, and to provide the cross-departmental information needed by upper management to resolve conflicts in alignment with the company's objectives.

Your information security program only needs to be as complicated and involved as your business requires. However, it should not involve simply issuing directives to your CIO or IT manager to implement security controls. Information security is not a departmental task; it must involve every aspect of your operations to become part of your company's culture, and this is best guided by an information security program manager.


When you take control of your data, you can minimize the risk of breaches and loss, and maximize availability of data and applications by avoiding IT system downtime. This is an ongoing process that requires participation and understanding by your entire workforce and partners, and managerial attention, best delegated to an experienced professional who stays up to date to ensure that threats and vulnerabilities are understood as they change and that the controls in place are working. When fully mature, your information security program will become part of your business culture, forever relieving you of the costs and impediments to competitiveness of your former piecemeal approach. And until your company has achieved this, it will be an outlier in our modern age.

To get started, contact J.D. Fox Exec today.