Whether the organization is big or small, most information security breaches involve someone on the inside of the organization who is either
1. Doing something common but inherently risky,
2. Doing something dumb, or
3. Intentionally committing or aiding fraud and/or theft of intellectual property.
The loss of valuable information can result from a simple lack of awareness of security vulnerabilities. Lost information can include trade secrets or intellectual property, but can also include seemingly innocuous bits of information that when compiled together add up to real intelligence.
Risks fall into many categories, from social engineering to technical attacks. The questions listed here address risks across various categories and are by no means exhaustive. Having said that, while these concerns are just the tip of the iceberg, addressing them will go a long way to making your SME safer and your data more secure.
Not all SMEs will be able to technically lock down all the vulnerabilities they have. It wouldn’t make sense for them to anyway. If technical answers are too expensive, too restrictive, or too difficult, alternative solutions may be necessary such as better employee education, better management, and better policy making/enforcement.
Policies play a big role in information security by prescribing and regulating behavior related to information’s access, use, and storage. Solving the problems below won’t make it technically impossible for bad things to happen, but they show the company has considered the risk and made a plan to address it that is appropriate for that organization - and that lowers legal risk.
The following questions apply to organizational IT assets and practices.
Do you use reputable anti-virus/anti-malware software, and are its engine and signatures updated automatically?
Can a non-administrative user disable or uninstall the anti-virus software?
Does your anti-virus scan inbound and outbound email for malicious attachments, and is that function actually turned on?
Are your routers/firewalls still using the vendor's default username/password? (Please say they aren't!)
Are wireless networks protected with WPA2 (or WPA3) rather than WEP or the original WPA, and is the network key strong and known only to those who need it?
Do end users have the ability to install software on desktops/laptops?
Is usage of public instant messaging (e.g. Yahoo Messenger, AIM) restricted?
Is usage of web-based email (e.g. Yahoo Mail, Gmail) restricted?
Is usage of personal cloud accounts (e.g. Dropbox, iCloud, etc.) restricted?
Are file sharing, games, and recreational software restricted from installation on workstations?
Are applications kept on the latest supported versions (or releases) and patched promptly when updates are published?
Are operating systems kept on the latest supported versions (or releases) and patched promptly when updates are published?
If older software is still in use, like older versions of Microsoft Office, are incoming Office files inspected for malicious content (for example embedded macros) before they are opened?
Is key proprietary information, including backups, encrypted when stored ANYWHERE? (laptops, DVDs, CDs, USB drives, memory sticks, external hard drives, etc.)
When storage devices containing proprietary information are no longer being used, are they rendered unreadable before being discarded? Drilling holes through the platters works for spinning disks; flash media such as SSDs and USB sticks keep data on several separate chips, so they should be securely erased, crushed, or shredded instead.
Are user accounts locked out after a specified number of unsuccessful login attempts?
Are all workstation/server consoles locked when left unattended?
Do you have a password policy covering password length, required character elements, password lifespan, and prohibitions on sharing passwords and writing them down on paper?
Do passwords expire after a specified period of time, thereby requiring the user to change the password? (Note that current guidance such as NIST SP 800-63B recommends changing passwords when compromise is suspected rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords; if you keep a lifespan, pair it with a minimum length and a lockout rule.)
Is password reset authority restricted to authorized persons and/or an automated password reset tool?
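The lockout and password-lifespan questions above describe controls that are easy to get subtly wrong. The following is an added example, not code from the original checklist or from Erudite Risk, showing how a small login service would implement them: a password-policy check (length plus character classes), a lockout after a fixed number of failed attempts, and an expiry check on successful login. All thresholds (12-character minimum, 5 attempts, 15-minute lockout, 90-day lifespan) and the account names are assumed values chosen for illustration.

```python
"""Added example: account lockout and password-policy checks.

Illustrative code, not from the original checklist or from Erudite Risk.
All thresholds below are assumed values; adjust them to your own policy.
"""
import datetime as dt
import re

# Assumed policy values (not taken from the page).
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_MINUTES = 15
PASSWORD_LIFESPAN_DAYS = 90


def password_meets_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required_classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in required_classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems


class Account:
    """Per-user login state: failed-attempt counter, lockout window, password age."""

    def __init__(self, username: str, password_set_at: dt.datetime):
        self.username = username
        self.password_set_at = password_set_at
        self.failed_attempts = 0
        self.locked_until = None

    def is_locked(self, now: dt.datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def password_expired(self, now: dt.datetime) -> bool:
        return now - self.password_set_at > dt.timedelta(days=PASSWORD_LIFESPAN_DAYS)

    def record_login(self, credentials_valid: bool, now: dt.datetime) -> str:
        """Apply the lockout rule and return 'ok', 'expired', 'failed' or 'locked'.

        While the account is locked, even a correct password is refused, so the
        response does not tell an attacker whether a guess during the window was right.
        """
        if self.is_locked(now):
            return "locked"
        if credentials_valid:
            self.failed_attempts = 0
            self.locked_until = None
            return "expired" if self.password_expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + dt.timedelta(minutes=LOCKOUT_MINUTES)
            self.failed_attempts = 0  # counter restarts after the window ends
            return "locked"
        return "failed"


def simulate_brute_force() -> list:
    """Constructed scenario: five wrong guesses, then the real user with the right password."""
    start = dt.datetime(2024, 1, 1, 9, 0, 0)
    acct = Account("alice", password_set_at=start - dt.timedelta(days=30))
    outcomes = []
    for i in range(5):
        outcomes.append(acct.record_login(False, start + dt.timedelta(seconds=i)))
    # Correct password one minute in: still inside the 15-minute lockout window.
    outcomes.append(acct.record_login(True, start + dt.timedelta(minutes=1)))
    # Correct password after the window has passed: login succeeds.
    outcomes.append(acct.record_login(True, start + dt.timedelta(minutes=16)))
    return outcomes


def expiry_demo() -> str:
    """Constructed scenario: a valid password that is older than the assumed lifespan."""
    start = dt.datetime(2024, 1, 1)
    acct = Account("bob", password_set_at=start - dt.timedelta(days=91))
    return acct.record_login(True, start)


if __name__ == "__main__":
    print(password_meets_policy("Ab1!"))
    print(simulate_brute_force())
    print(expiry_demo())
```

The two details worth copying are that a correct password is refused while the lockout is active (otherwise the lockout only slows an attacker who already knows the answer) and that expiry is checked only after the credentials have been verified, so an expired account cannot be used to distinguish valid from invalid passwords.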
Do you have an exit interview that reminds departing personnel of their responsibilities regarding protection of proprietary company information?
Does the exit process ensure access to proprietary information is ended?
Are background screenings of employees and contractors performed before allowing access to proprietary information?
Do you require your third parties to sign an NDA before sharing proprietary information with them?
Are proprietary paper documents printed/copied/faxed/stored in a secured environment and not left unsupervised when not in use?
When no longer required, are documents shredded using a cross-cut paper shredder?
Do you have an alarm service to detect and inform you or the authorities, if there is an unauthorized physical access to your office during non-business hours?
Ask the tough questions, figure out how best to answer for your own organization (answers will vary), and safeguard your precious information.
Erudite Risk offers risk management and security-related professional services for multinational companies operating in the Asia-Pacific region. With operations in India, Korea, and Singapore, Erudite Risk is ready to help you meet the challenges of Asia, the most dynamic and challenging business environment in the world.
Rodney J. Johnson is President of Erudite Risk. He has lived in Asia for most of his adult life, but still longs for good Mexican food.