Introduction
According to the findings of a survey published by Symantec, the “2009 Storage and Security in SMBs survey”, a large number of small and medium businesses had not taken even the basic steps to protect their businesses, despite being aware of cyber risks and having firm goals regarding security and information storage. The survey covered 1,425 small and medium sized businesses in 17 countries around the globe. (Symantec Press Release, 2009) The problem of information security is a real concern that should be addressed in the era of information technology, specifically for small business, as it is “one of the most frequently overlooked and misunderstood.” (Waugh, 2008) This paper provides an overview of the importance of information security for a small business and, based on a request by Coffee Affectionardo Pty Ltd., a company specialized in importing and selling various types of coffee machines, grinders, filters and beans, recommends security measures that can be taken regarding its information system, specifically in view of the company’s future plans for expansion.
Information Security Overview
Information security can be approached from several distinct angles, all of which concern the safety of data from either loss or interception. The main threats come from two directions: communication channels, which in the present information age are mostly represented by networking, e.g. the internet, and physical access, which is mostly a matter of employees.
Today the internet is becoming an integral part of running a business, as it allows working with large arrays of data and carrying out instantaneous communication with geographically dispersed regions. At the same time the internet is a channel that is difficult to control, and it can therefore pose several threats to a company’s confidential information.
Typical risks to a company’s information include the spread of viruses and other malicious code, including spyware, adware and others; unauthorized access to information, including physical access from inside the company; and theft of confidential information. (Zorz, 2009) Additionally, the spread of telecommunication technologies into transactions and payment systems might increase the risk of information loss at the user-operator link.
The importance of information security can be seen through the different policies that can be implemented, either all of them or those matching the requirements of the company. The policies can be divided into the following:
- Enterprise-level policy – information security will cover the behavior within the company regarding the information system.
- Issue-specific security policy – describing the way technology will be used in the organization.
- System-specific security policy – specific instructions regarding individual systems and technologies. (Waugh, 2008)
In the case of Coffee Affectionardo Pty Ltd., this policy concerns the usage of MYOB (Mind Your Own Business), accounting management and time billing software, which handles GST, adjusts inventory, handles transactions, etc. (2009)
Accordingly, information security is an essential aspect by which the company protects not only its own information and that of its employees, but also the information of current and/or potential business partners, as well as customers’ information. “It is not possible for a small business to implement a perfect information security program, but it is possible (and reasonable) to implement sufficient security for information, systems, and networks that malicious individuals will go elsewhere to find an easier target.” (Kissel, 2009)
Recommendations
Identifying the areas of protection, it can be seen that they revolve around two aspects: the company’s database, which contains sales records as well as customers’ and suppliers’ personal and financial information, and the communication channels, i.e. the channels through which payments are received using MYOB and the network through which the potential 10 stores/distribution centers will communicate. In terms of physical threats, the threat from employees can be omitted at this time; however, a policy covering it should be developed as part of the information security policy in the long term.
The recommended security measures, which are independent of the MYOB software, concern the following actions:
- Protection of the user machines on which the software is installed. This includes software protecting against “viruses, spyware, and other malicious code.” (Kissel, 2009) The protective software should be updated regularly, specifically on machines on which MYOB is installed.
- Protection of internet communications. This includes installing firewall software, which filters all incoming and outgoing connections.
- Backing up the data. The backup process can be implemented using additional storage devices and should be automated. If a centralized data system is used, the backup can be limited to the information stored in that system.
- Physical access control. For the present company, this means limiting access to the machines to only those people who operate them. The control options might include setting up authentication procedures for the personnel using the information system.
In terms of MYOB, which is the main informational asset of the company, the protection procedures involve the aforementioned measures, with the addition of individually backing up the operating data file through the software’s built-in backup function. Since this option includes using an external storage device, the backup file should additionally be password protected. There should be checks between MYOB and any protection software installed, in order to ensure that the software is compatible. As only one person in the company is likely to use the software, there is no need to control access to different functions within the program. However, once there are several machines and staff with different functions in different areas, the security settings in the software should be set up to control each area of access individually. The company’s security function is facilitated by the fact that the main area of protection concerns data operated by one software suite that handles most of the company’s operations. Nevertheless, taking the expansion perspective, the company should develop an information security policy that manages the different security issues within the different branches and departments of the company. All of these issues should be unified under one enterprise policy that controls behavior within the company toward the information system.
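As an added example of the automated, verifiable backup that the recommendations above call for (this is not code from the report and not MYOB’s own backup function): a Python routine that copies a data file to a backup location under a timestamped name, verifies the copy, records its SHA-256 in a manifest, re-verifies all copies on demand and prunes old ones. The file and directory names are hypothetical and the data file is constructed; password protection of the backup file is left to the software’s built-in function mentioned above.

```python
import hashlib
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(source: Path, dest_dir: Path, keep: int = 7) -> Path:
    """Copy source to dest_dir under a UTC-timestamped name, verify the copy,
    record its digest in a manifest, and keep only the newest `keep` copies."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    target = dest_dir / f"{source.stem}-{stamp}{source.suffix}"
    shutil.copy2(source, target)
    digest = sha256_of(target)
    if digest != sha256_of(source):           # a copy that differs is worthless
        target.unlink()
        raise IOError("backup copy does not match source")
    with (dest_dir / "MANIFEST.sha256").open("a") as m:
        m.write(f"{digest}  {target.name}\n")
    for old in sorted(dest_dir.glob(f"{source.stem}-*{source.suffix}"))[:-keep]:
        old.unlink()                          # retention: prune the oldest copies
    return target

def verify_backups(dest_dir: Path) -> dict:
    """Re-hash every manifest entry; maps copy name to 'ok', 'missing' or 'corrupt'."""
    results = {}
    manifest = dest_dir / "MANIFEST.sha256"
    for line in manifest.read_text().splitlines() if manifest.exists() else []:
        digest, name = line.split("  ", 1)
        path = dest_dir / name
        results[name] = ("missing" if not path.exists()       # pruned or lost
                         else "ok" if sha256_of(path) == digest else "corrupt")
    return results

def demo() -> dict:
    """Run the whole cycle on a constructed data file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "company.myo"                # hypothetical MYOB data file
        source.write_bytes(b"constructed sample company data\n")
        backups = Path(tmp) / "external_drive" / "myob_backups"  # hypothetical
        made = []
        for _ in range(3):
            made.append(make_backup(source, backups, keep=2))
            time.sleep(0.01)                              # distinct timestamps
        made[-1].write_bytes(b"damaged")                  # simulate a corrupted copy
        return verify_backups(backups)
```

With `keep=2`, the first of three copies is pruned and reported as missing, the second verifies, and the deliberately damaged third is reported as corrupt.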
Conclusion
It can be seen that operating a small business does not remove the need for an information system that can be upgraded as the company grows. The presented recommendations manage the protection of the most important areas within the organization, which mainly relate to the company’s financial operations. One issue for consideration is the two key factors driving the SMB security gap, i.e. staffing and budget. In that regard, the company should increase its IT security budget, especially as it considers expanding its operations.
References
(2009) MYOB – Homepage. MYOB Limited. Web.
KISSEL, R. (2009) Small Business Information Security: The Fundamentals (Draft). U.S. Department of Commerce National Institute of Standards and Technology.
SYMANTEC PRESS RELEASE (2009) Small and Midsized Businesses Aware of Security Risks, But Not Doing All They Can to Protect Information. Symantec.
WAUGH, B. D. (2008) Information Security Policy for Small Business. Infosec Writers. Web.
ZORZ, M. (2009) Q&A: Information Security Threats and Management. HNS CONSULTING LTD.