Johannesburg, 10 Sep 2007
It is astonishing how many SMEs do not understand the dangers involved in not protecting their sensitive information and enforcing an internal information security policy.
Every organisation needs to protect its intellectual property and confidential information, as this holds far more value than anything else a company owns. This is according to J2 Software managing director John McLoughlin.
It is imperative that this information is protected and other areas of the organisation are not exposed to unnecessary risk. Along with this, it is essential to ensure the information, bandwidth and resources are not abused by trusted users within the organisation.
Many SME owners and management are unaware of the potential risks related to not enforcing data security measures in the organisation. Many are also still unaware that the company may be held liable for the actions of its employees if there are no measures in place.
If it can be shown that the members or directors had knowledge that there was a potential area of threat, and nothing was done to protect against it, they could even be held personally liable in some circumstances. This would include information security breaches and direct employee actions.
Examples of where the company could be held liable would include where an employee copies customer information, sends it out, and where the customer suffers a loss. Others include where an employee downloads copyright material and then uses it illegally, or where an e-mail is sent out containing remarks, jokes or images which are racially or sexually offensive. In all cases, if it cannot be proven that reasonable preventative steps are in place and are being enforced, the employee will not be held liable and the liability will rest with the company. As a business owner or director, how much risk are you willing to accept?
There are three simple steps SMEs can take to ensure they are adequately covered in this area:
1. Make sure there is an internal information security policy in place. If not, this should be created. Ensure it is done by a reputable organisation who can offer professional advice for South African companies.
2. Ensure this is implemented and acknowledged by all employees of the organisation. The policy should not only be enforceable on workers, it should be accepted by all levels of management.
3. It is critical to actually enforce the policy. It is of no use having a comprehensive policy and then taking no steps to enforce it. Make use of a software tool to aid enforcement. With everything now being done electronically, it is nearly impossible to manage this without these tools. It is important that the solution is easy to use and manage. The solution must be able to track and control all user activity on a computer network. The solution will then provide the ability to view, record and restrict activities, including Internet, e-mail, instant messaging and application-specific activities. Choose the solution that provides the ability to monitor, control and report on the activities of individuals or groups of users - both reactively and proactively.
It is also important to know what should be covered by an internal information security policy. This corporate policy should be so much more than an acceptable use policy document. The information security policy should cover all of that and more.
Points to cover include:
* Acceptable use of the Internet and e-mail facilities, this must cover all areas of user activity on the corporate infrastructure.
* Copyright and licensing.
* Company information protection, this must cover the use, storage and sharing of this information. It is not limited to electronic data but should also include data on external storage devices, faxes, photocopies and in hard copy.
* Downloads on company infrastructure, networks and Internet links.
* Employee, management and IT responsibilities in terms of adhering to and enforcing the policy.
* Reputation protection.
* Perimeter network security.
* Mobile workers.
* Addition of external devices to the network.
* User acknowledgement: it is crucial to have the informed consent of employees to monitor, control and intercept e-mail, Internet usage, etc. With this acknowledgment in place, it can be easily shown that the employee was fully aware that his or her actions were outside the acceptable boundary and that they knowingly transgressed the rules. Only now can the employee be held liable for breaches and actions, not the organisation.
While many companies are still completely ignorant to this danger, it is not all bad news. It is refreshing to see a number of SMEs who are now identifying the requirement to keep their sensitive information secure and are taking preventative steps to curb the growing number of threats.
The smarter SMEs are installing an information security policy enforcement tool and enforcing their policies, ensuring they have the means to protect their information from loss.
There is currently a growth in demand from SMEs, especially in the financial services, engineering and manufacturing industries. This just goes to show the risk of losing sensitive data is definitely a factor, and it is imperative to protect against this very real threat.
Share