Let’s be clear: security is critical, even when you’re small
One of the toughest challenges for a small company or start-up is security. Small businesses can’t afford security…but they can’t afford to be INsecure!
A breach or fraud at the formative stages of a new business is generally fatal; if the lawsuits don’t kill you, your damaged reputation will.
Australia’s technology-neutral security regime can be frustrating. Small businesses are tightly regulated around insurance, workers’ compensation, and health and safety, but there are few mandatory security requirements, so it can be tricky to know where to start. The good news about security in Australia is that you have near-complete control over how to go about it.
Security is all about risk management
Do you know what adverse effects operate in your business environment, and the steps you can take to avoid them, deflect them, or lessen their impact?
While a small business gets going, it must spend its scarce resources carefully. Security is just one of many demands for management attention and funds, and since security is non-productive (it literally adds nothing to the top line) it just can’t be the top priority.
So how should an emerging company work out the proper security investment, before it’s too late? It’s best to start with a Threat & Risk Assessment and an Information Assets Inventory.
Nobody can manage security without knowing what needs securing! The assets inventory is foundational. You need a comprehensive list of your organisation’s information stocks plus, most critically, an understanding of what makes each of them critical to the business. So it is much more than the overtly valuable data such as the accounts: it must include business records, operational data, software, and intellectual property, as applicable.
Confidentiality, Integrity, Availability
Security professionals classically think about the qualities of information (and by extension, its vulnerabilities) in three dimensions: Confidentiality, Integrity, Availability. Laypeople tend to think of confidentiality first, but that’s only part of the security story. Surprisingly perhaps, some enterprises revolve around data that is largely public but has to be impeccably correct, reliable, and available 99.9999% of the time. Think: stock exchanges. That’s an extreme example, but all organisations depend to differing degrees on data with a varying onus on confidentiality, integrity and availability.
Threat & Risk Assessment (TRA)
Once a comprehensive information asset inventory is in place, rational security decisions are derived from a threat & risk assessment (TRA). A proper TRA is an ongoing process, involving stakeholders from across the company, with their own perspectives about what matters and what can go wrong. The best mindset for a TRA is less about overt security than information management and control. Prevention is better than cure, and the best security can come not from what you do but what you don’t do.
Consider one of the worst breaches in history, in 2015, when 25 million staff records were stolen from the US federal Office of Personnel Management (OPM). Most of the data was for staff who had left government, and yet it had been kept in online databases accessible from the Internet. In hindsight, the best security measure for the OPM would have been to critically review its data availability requirements and keep as many of its records offline (or near-line) as possible.
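The inventory-then-TRA approach described above, as an added illustration that is not SendGold’s own tooling: each asset is rated 1 to 3 on confidentiality, integrity and availability (an assumed scale), each threat is scored as likelihood times the highest rating it affects, and a threat that only works against an Internet-facing asset drops out of the register when that asset is moved offline, which is the OPM lesson. The assets and threats are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    c: int          # confidentiality rating, 1 (low) .. 3 (high), assumed scale
    i: int          # integrity rating
    a: int          # availability rating
    online: bool    # reachable from the Internet?


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int         # 1 (rare) .. 3 (likely), assumed scale
    affects: str            # subset of "CIA" the threat damages
    needs_online: bool = False  # only realisable against an Internet-facing asset


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood x impact; impact is the top CIA rating the threat touches.
    A threat that needs Internet exposure scores 0 against an offline asset."""
    if threat.needs_online and not asset.online:
        return 0
    ratings = {"C": asset.c, "I": asset.i, "A": asset.a}
    return threat.likelihood * max(ratings[d] for d in threat.affects)


def risk_register(assets, threats):
    """Prioritised (asset, threat, score) rows, dropping threats that no longer apply."""
    by_name = {a.name: a for a in assets}
    rows = [(t.asset, t.description, risk_score(by_name[t.asset], t)) for t in threats]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)


def with_archived(assets, name):
    """Inventory copy with one asset taken offline (near-line archive)."""
    return [Asset(x.name, x.c, x.i, x.a, online=False) if x.name == name else x for x in assets]


# Constructed sample inventory and threats (not real SendGold data)
ASSETS = [
    Asset("customer ledger", c=3, i=3, a=2, online=True),
    Asset("former-staff records", c=3, i=1, a=1, online=True),
    Asset("public price feed", c=1, i=3, a=3, online=True),
]
THREATS = [
    Threat("former-staff records", "bulk theft via Internet-facing database", 2, "C", needs_online=True),
    Threat("public price feed", "tampered prices served to customers", 2, "I"),
    Threat("public price feed", "feed outage", 3, "A"),
    Threat("customer ledger", "insider alters balances", 1, "I"),
]
```

Running `risk_register(with_archived(ASSETS, "former-staff records"), THREATS)` shows the bulk-theft row gone while the public, integrity-critical price feed stays at the top.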
There is no such thing as perfect security. If disaster does strike, well-prepared organisations will be able to show they took best efforts to understand their risks, and manage them realistically and proportionately, even with a finite budget.
At SendGold we maintain a live TRA, a live security policy and quarterly risk reviews with our risk committee.