Taken from Report on Small Business, November 2008 Edition
Written by Craig Silverman

Every business – no matter how small – is vulnerable to security breaches.  A survey by security software provider McAfee earlier this year found that more than 30% of small- and medium-sized companies in North America have suffered a cyber attack.  Yet 40% of IT professionals in those companies still don’t believe their online systems are at risk.

“Small businesses often have a relaxed culture because they consist of a small group of people who all know each other,” says Nasrin Rezai, director of global information security at Cisco Systems.  “That means the company didn’t start with a culture of protecting information.”  The key is to recognize that educating employees is as important to shoring up a company’s defences as buying technology.

“There is always a human element to security, and if you don’t address this and couple it with a technical solution, you’ll never have a reasonable security model,” says Malcolm Harkins, general manager of information security at Intel Canada.

As a starting point, consider the humble office cubicle, which is home to an array of security shortcomings that the average employee never thinks about.

1) Many employees like to keep a list of their colleagues’ phone numbers taped to a cubicle wall.  Problems arise, however, when workers receive printed versions of the company’s entire directory, complete with titles, home and cell numbers and e-mail addresses.  This company road map can be useful to thieves, who can cite insiders’ names to gain access to the office and its systems.  Restrict hard-copy directories to a listing of names and extension numbers.

2) Passwords can be too complex.  Instead of committing them to memory, employees write them on Post-it notes and stick them on monitors.  When this happens, says Intel’s Malcolm Harkins, “security controls are driving behaviours that make the risk higher.”  Passwords should be at least 10 characters long, and include both numbers and letters.  Change your password every couple of months.

3) USB keys are a convenient way to carry documents and share them with colleagues.  Unfortunately, these storage devices are easily lost and stolen.  Banning their use in the office is one option, says Harkins,”but then people simply print out hard copies or burn files to a CD”.  Instead, insist that staffers refrain from storing sensitive data on USBs or CDs unless it is encrypted.

4) Smartphones store reams of proprietary corporate and personal information. They also frequently sit unprotected on desks and in other public areas.  Use the phone’s password feature to prevent anyone from accessing your e-mail or other data.  Demand that staff notify IT the second a phone is lost or stolen.

5) So much for the paperless office: Employees often leave confidential information lying on desktops and in printer trays.  For thieves and unscrupulous competitors, such finds are as good as gold. 

Take a moment a look around your operation, and see what potential security risks you have… and prevent it.