Recent years have led many small business owners to the understanding that when it comes to cyber security, being small does not mean you won’t be targeted. I’ve been in the IT industry for years, and more than ever before security is becoming a priority felt by more than just the IT geeks. But having an effective security program in place within a small business takes more than a one-time meeting with the founder that leads to a policy document. Failing to take the intention of having a security program to the next step and implement it effectively throughout the organization is one of the most common mistakes that we see.
Before you go through the implementation process, there are a few things I think you should know. While this list is not meant to be an exhaustive list of what should be taken into consideration when implementing a security program, these are mistakes that I have seen time and time again.
Remember Security is About More than Just IT
When you are preparing to implement your security program, make sure that the responsibilities around data security are not solely assigned to the IT department. While the IT guys will be responsible for a lot of the technical controls, they cannot do it all. Other users and groups have to own various aspects of the data security program so that they do not attempt to get around the controls that are put in place.
Remember Your Employees are Not Security Professionals
One of the most common mistakes that we see is the assumption that once a security policy has been drafted and blasted to employees, they will simply know what to do. Sure, you may have one or two IT Security professionals on staff, but for the rest of your crew security policies will not be automatically understood from the get-go. It is vital that cyber security awareness training be completed before any program is fully implemented.
The More Transparency, the Better
Time and time again we have seen that management personnel who embrace questions from their employees regarding the purpose of the security program have a higher success rate. Creating an awareness campaign and implementing training protocols are important, sure. But if your employees don’t understand why your business-class filing system is more secure than their free system of choice, then they are likely to feel like the threat is something that doesn’t apply to them. And “because I said so” or “those are the guidelines, deal with it” may get the job done, but will likely lead to the employee harboring negative feelings about the program. When implementing an information security program in a small business, it is important that you are prepared to have a lot of patience when it comes to answering questions and concerns about the various security guidelines.
Get Input from Multiple Sources When Drafting Security Policies
Different departments have different needs for information. While there are standards around how to classify different types of data, you need to get input on the needs of your workers before you go limiting or restricting access. If your end users are unable to agree with the policies that you and the security team are attempting to implement, this can lead to scope creep and significant delays in getting the security program successfully implemented in your organization.
Incorporate Compliance Requirements from the Beginning
If your business is in an industry that is subjected to regulatory compliance requirements, do yourself a favor and make sure that these standards are incorporated into your policy from the beginning, not as an afterthought.
Have a Plan for What Success Should Look Like
This concept is simple enough, but for one reason or another its execution is often overlooked. In order to know whether or not your security program is working, you need to have guidelines defined up front about your expectations. These guidelines should be concrete; don’t make them something with no tangible action like “pass our SOX compliance audit.” Have a reporting system and define what metrics you are going to use and how often they will be monitored.
Have a Strategy for On-Going Maintenance
I cannot tell you how many times we have gone into a project with a company whose security policy documentation is filled with users and systems that no longer exist or are no longer in use. Security programs need to be regularly updated so that they can effectively protect the business. The systems, users, and threats described in the program need to reflect the state the company is currently operating in. Incorporating guidelines for how this should be handled up front will make it more likely that the security program will remain effective at protecting the organization.
Understand that Sometimes Outside Resources are Needed
Information security requires a deep understanding of modern threat landscapes as well as information systems and workflow processes. Bringing in the right resources to help you with security implementation can provide the “wide-angle lens” you need in order to get the results you want. Don’t be afraid to bring in a managed security provider to get the help that you need.
Having an effective security program in place to protect your organization requires much more than just creating a policy document. By understanding what mistakes are likely to occur, this list can help you rethink what you might be leaving out of your security plan and help you correct course before the implementation process begins.