Recent stories about the many hacking attacks which have affected major retailers and other companies show that taking IT security seriously is an important consideration for all businesses.
Most small and medium businesses (SMBs) think that they need not be too concerned about these issues, as the hackers are only going to go after the big boys where there are lots of accounts to capture. The problem with this thinking is that, while we hear mostly about the big accounts that are attacked, the same tools, capabilities and potential for damage can easily be focused on smaller enterprises.
IT World Canada recently published a wake-up call for all retailers, focusing its comments on Canadian retailers especially. The article cites examples where Canadian companies have been hacked and where vulnerabilities have been found when their systems were examined. Luckily, in most cases sensitive data has not been compromised, but it could have been. Many of these security breaches do not become public since they do not involve loss of public data; however, this in itself may help lead organizations to assume that all is OK.
Unfortunately, building a secure firewall and using top security tools on a network may not be enough.
Human errors
Often security breaches are caused by simple human failure. Users save passwords on their local workstations for easy access to important data sites. Passwords get shared with other users to facilitate access to information, on the assumption that they will not be used for unauthorized entry. Employees leave the organization and their credentials are not cleared and blocked, leaving a potential for unauthorized entry in the future. Unfortunately, secure sites tend to be less user friendly to those who are supposed to use them, and people find ways to make them easier to use. In doing so they can inadvertently open routes for nefarious entry.
Making sure that all of your users, both in-house and any guest users, understand your security protocols and why they are needed can help to make your users allies instead of potential tools for hackers.
Control what is available
One of the key tools for controlling data breaches is to not make data that is not needed available online or even on a network. Data that is infrequently used often gets stored in network systems when it could easily be kept in offline storage. Moving it offline can reduce the amount of data that must be managed daily and help the system cope with volumes. Of course, much of what hackers are after is current data, especially data that identifies people or organizations in ways that would let them make use of the contact info. Building the right framework around this material is critical to protecting your information. Security specialists can help with this if you are not sure what steps to take.
In-house vs off-site storage
Sometimes organizations determine that if they hold all their own data, rather than store any in the cloud or in off-site storage, they will inherently be more secure. This is not always true. Think about whether your money would be more secure stored in your home without alarms, locked doors or secured windows than stored in a bank with its specialized security systems. The analogy holds true for electronic and physical data as well. If your in-house setup has not been designed to be secure, for either electronic or paper-held data, then your control may not be reliable. If you stored this information in an off-site system with better protocols and tools, it could actually be safer than when it is held in-house. Of course, the transit between the two locations can introduce a new vulnerability that must be considered.
In summary, IT and data security includes many components which take thought, understanding and effort to address. Given the costly instances of data integrity failure reported this year, we all must be concerned about making sure the potential is addressed. Businesses big or small need to take the time and apply the effort to ensure they have adequate protections and systems in place. The potential cost of failing to do so can be considerable, both in lost time and in reputation, in the event there is a breach.