Everything is something worth knowing.


The InfoSec Checklist: Some Questions For SMEs

Though the data breaches that make the biggest news all involve large organizations and high numbers of data items, SMEs are actually at greater risk of information security breaches than large corporations because they often don’t deploy the latest software/hardware security technologies and don’t have access to the expert human resources needed to secure their organization and keep it that way. Furthermore, when a breach does occur SMEs are less likely to know that there has been an incident or that they have suffered a data loss. 


Whether the organization is big or small, most information security breaches involve someone on the inside of the organization who is either

1. Doing something common but inherently risky,
2. Doing something dumb, or
3. Intentionally committing or aiding fraud and/or theft of intellectual property.

The loss of valuable information can result from a simple lack of awareness of security vulnerabilities. Lost information can include trade secrets or intellectual property, but can also include seemingly innocuous bits of information that when compiled together add up to real intelligence.

Risks fall into many categories, from social engineering to technical attacks. The questions listed here address risks across various categories and are by no means exhaustive. Having said that, while these concerns are just the tip of the iceberg, addressing them will go a long way to making your SME safer and your data more secure.

Not all SMEs will be able to technically lock down all the vulnerabilities they have. It wouldn’t make sense for them to anyway. If technical answers are too expensive, too restrictive, or too difficult, alternative solutions may be necessary such as better employee education, better management, and better policy making/enforcement.

Policies play a big role in information security by prescribing and regulating behavior related to information’s access, use, and storage. Solving the problems below won’t make it technically impossible for bad things to happen, but they show the company has considered the risk and made a plan to address it that is appropriate for that organization - and that lowers legal risk.

The following questions apply to organizational IT assets and practices.

Malware/Virus Protection
Do you use reliable anti-virus/anti-malware software and is it updated regularly?

Can a non-administrative user disable the anti-virus software?

Does your Anti-virus scan inbound and outbound email for malicious attachments? Is that function turned on?

Network Connection
Are you using the default username/passwords for routers/firewalls? (Please say you aren't!)

Are wireless connections authenticated with WPA/WPA2?

Do end users have the ability to install software on desktops/laptops?

Is usage of public instant messaging (eg. yahoo messenger, aim) restricted?

Is usage of web-based emails (eg. yahoo mail, gmail) restricted?

Is usage of personal cloud accounts (eg. Dropbox, iCloud, etc.) restricted?

Are file sharing, games, and recreational software restricted from installation on workstations?

Are the latest versions (or releases) of applications used and patched with the latest patches?

Are the latest versions (or releases) of operating systems used and patched with the latest patches?

If older software is still being used, like older versions of Microsoft Office, are Office files inspected for abnormalities?

Data Protection
Is key proprietary information, including backups, encrypted when stored ANYWHERE? (laptops, DVDs, CDs, USB drives, memory sticks, external hard drives, etc.)

When storage devices containing proprietary information are no longer being used are they rendered unreadable before being discarded? (drill holes in them)

Are user accounts locked out after a specified number of unsuccessful login attempts?

Are all workstation/server consoles locked when left unsupervised?

Do you have a password policy covering password length, required character elements, password lifespan, and prohibitions on password sharing and saving on paper?

Do passwords expire after a specified period of time, thereby requiring the user to change the password?

Is password reset authority restricted to authorized persons and/or an automated password reset tool?

Do you have an exit interview that reminds departing personnel of their responsibilities regarding protection of proprietary company information?

Does the exit process ensure access to proprietary information is ended?

Are background screenings of employees and contractors performed before allowing access to proprietary information?

Do you require your third parties to sign an NDA before sharing proprietary information with them?

Physical Security
Are proprietary paper documents printed/copied/faxed/stored in a secured environment and not left unsupervised when not in use?

When no longer required, are documents shredded using a cross-cut paper shredder?

Do you have an alarm service to detect and inform you or the authorities, if there is an unauthorized physical access to your office during non-business hours?

Ask the tough questions, figure out how best to answer for your own organization (answers will vary), and safeguard your precious information.

Erudite Risk

Erudite Risk offers risk management and security-related professional services for multinational companies operating in the Asia-Pacific region. With operations in India, Korea, and Singapore, Erudite Risk is ready to help you meet the challenges of Asia, the most dynamic and challenging business environment in the world.

Rodney J. Johnson is President of Erudite Risk. He has lived in Asia for most of his adult life, but still longs for good Mexican food.

Read a related post at The Erudite Blog:

Aadhaar Data Breach and the Storage of Biometric Data

Indian media recently reported a "breach" of the biometric data-linked Aadhaar national identification scheme.

US Chamber of Commerce Assessment of Korea's Intellectual Property Protections

Korea ranked 9 out of 45 countries measured when it comes to intellectual property protections, according to a recent assessment regarding various country's intellectual property protections from the US Chamber of Commerce Global Intellectual Property Center (GIPC).

GIPC Ranking of Indian Intellectual Property Protection

The US Chamber of Commerce Global Intellectual Property Center (GIPC) recently released its assessment of 45 countries and their respective ranks for protections of intellectual property.

To Minimize Cyber Vulnerabilities, Look First at the Data You Keep

Keeping Data You Don’t Need Is a Recipe for Disaster. Recent revelations about the scope of Chinese hacking attacks on Korean small and medium enterprises (SMEs), may have been surprising to many, but to information security experts it is not particularly surprising news.