Information security: basic principles of risk management in small and medium-sized businesses

Many executives believe that small and medium-sized businesses are well protected from data leaks. What attacker would want to spend money and effort on a company of 50 people? And in a company with 10 employees there will surely be no insider: after all, everyone works under the boss's direct supervision.

This view is fundamentally wrong. The statistics are stubborn: 43% of cyberattacks target small firms. And 60% of small and medium-sized businesses that were “lucky” enough to suffer a data leak had closed within six months of the incident.

Risk management helps a company meet the challenges of the modern digital age. By identifying “bottlenecks” in advance, the executive protects the company as far as possible and, at the same time, not only avoids possible losses from a leak but also saves money by deploying exactly those protection tools that the specific business conditions require.

The basic plan for minimizing risk is simple and consists of only three points.

1. Identity management: managing information about the users and processes of corporate networks

The main task of the executive is to segment information by its degree of importance and restrict access to it. It sounds very simple: issue employees a complex username and password, hide the databases from public access, and the rule is fulfilled. In real life, this approach does more harm than good.

It is better to start with an analysis of business processes, which will show exactly which information is most valuable, who on the staff needs access to it as part of their job duties, and what will happen if the procedure becomes much more complicated. Mindless bans slow down employees' work, reduce efficiency and provoke violations. For example, a manager will start “sharing” their access codes simply because endless approval of requests to the customer or supplier database can cause deals to fall through due to unrealistic deadlines for processing applications.

By putting efficiency first and restricting mass access to sensitive data on the basis of current operational processes, the executive will significantly raise the level of information security without reducing labor productivity.

In addition, as part of the access-control measures, you can always use a “cheat code”: biometric identification systems. For example, authentication by face recognition is much more reliable than multi-character usernames and passwords that employees stick to the monitor or keep in files on the desktop. With such systems, the authorization process itself is considerably simpler and faster, since there is no longer any need to remember complex combinations and type them on the keyboard. And time is money.

2. Managing backups and updates

“Holes” in outdated software and critical incompatibilities between old and new applications are the basis of most leaks.

A key factor in reducing risk is timely software updates. And this is not only about security systems: you also need to keep track of the latest updates to all kinds of “office” programs.

It is not uncommon in companies for the security system to support a new version of approved software while employees still use the old one. This approach is a direct invitation to hackers.

The rule also works the other way around: if the vendor has released a fresh security-system update that takes into account the features of the latest versions of “office” programs, and the company holds off on updating its “shield”, be prepared for some features of the new software to remain outside its control.

And, of course, do not forget regular backups: if an emergency does occur, the information will have to be restored. The absence of a backup can cost a business its place in the market in a second.

3. Monitoring

The more elements are monitored, the lower the risk. Monitoring the programs and hardware installed in PCs helps detect infection with viruses and miners, keep an inventory of software and its versions, and prevent theft of hardware: discrete video cards, RAM “sticks” and hard drives. Tracking the geolocation of laptops lets you catch a thief and prevent a “leak” of information to third parties.

And, of course, the main task is to monitor the most vulnerable link of any business: its personnel. Controlling the “human factor” is a key element of modern risk management. Banal mistakes, such as sending data “to the wrong window”, saving work information to a flash drive or sending data to a personal email, are a potential source of serious problems and losses. Special attention should be paid to insiders, who can appear even in a company of three people. Their malicious actions always lead to serious financial damage, up to and including bankruptcy.

By applying the principles of risk management and following simple rules, the business owner will not only significantly raise the level of information security and avoid a number of emergencies, but also save money by implementing only the most effective and necessary security systems.
