Introduction
Scientific innovations and inventions have led to technological advances, and businesses have increasingly adopted technology across their areas and processes; however, the use of technology also brings numerous threats.
The affordability of computers and software has made technology accessible to small-scale businesses; the advances most used within an organization are information-sharing systems, enterprise reporting programs, the Internet, and e-commerce.
Employing technology in small-scale businesses exposes them to a myriad of problems, of which information security is the greatest threat (Wallace, Lin & Cefaratti, 2011). This paper discusses how to secure a small-scale business from technology-related threats.
Best information security system
To have elaborate information security within an organization, management needs to develop a security policy; a security policy defines how information in a company may be used and who may access it. A security policy should not be seen as a one-off end-user document; it should be ongoing, with protection adhered to at every stage. An effective security policy provides five important services to the organization:
Access
It offers users the ability to receive and transmit data within the system while adhering to proper machine and data handling.
Confidentiality
The policy should respect the privacy of information, whether individual or corporate.
Authentication
The system should transmit information in such a way that messages can be traced back to their source with certainty.
Integrity
The system should ensure that a message has not been changed or modified in transit.
Non-repudiation
The system should keep proper records of the sender and receiver of each message and the time of transmission, and the records kept must not be alterable (Yayla & Hu, 2011).
The process should rest on five working principles that the organization should look into:
Physical security and locking down all technological assets
When a small-scale business embarks on securing its information, the initial stage is to regulate physical access to computer hardware such as servers, personal computers, and other networking and telecommunications equipment.
The access being controlled is that of both the company's own staff and external users; access should be limited to those with permission to use the machines. Some of the most common methods of physical security include lock and key, the use of passwords to open secure rooms, the use of fingerprints to limit access to computer system rooms, and the use of alarm systems to raise an alert in case of trespass (Hulitt & Vaughn, 2010).
Physical security is not adequate in itself, since the machines will have to be used at some point; a policy that elaborates best practices for machine and data handling should be implemented and staff trained accordingly. Such training will help staff understand clearly why they need to protect information within their organization.
Process and procedure security setups
With physical security set up, management should focus on the technological aspects of the security plan: the process and procedure security measures that keep a company's information secure regardless of who has access to the system.
Control of the Internet and intranet should be prioritized; firewalls that limit incoming and outgoing traffic will assist in monitoring and controlling the use of these tools. Firewalls are one of the best-known effective methods of controlling Internet and intranet access, as they keep unwanted traffic out of the system; however, a firewall does not protect a system from viruses and spyware.
Since firewalls allow viruses and spyware to operate in the system, a company should have effective antivirus and antispyware software; the software should be kept up to date, and updates should be delivered in a way that does not itself endanger the system.
Viruses are developed by people with malicious intent, so strong antivirus software should be maintained; the system adopted should be strong enough to detect virus programs and block them from entering the system.
Small-scale businesses should not shy away from investing in expensive but effective security systems, since the market contains some antivirus products that cannot be fully relied upon.
Website management and protection
One way small-scale businesses communicate with the outside world is through their websites. It is through these sites that they offer information and grant outsiders access to company information. To ensure that data is secure, a company must establish ways to protect the information contained in its website; the approach has an internal and an external side.
Internally, the information offered should be limited to what is meant for public consumption; externally, outside users should be prevented from accessing certain information about the company. The data posted on the Internet should be vetted; information has many users with various motives, so any information posted should target a specific audience, and the likely behavior of other readers should be anticipated.
If information is likely to hurt the organization, it is better not offered; users who may turn information to a company's loss include competitors and people with ill motives. A specific group of people should be mandated with the role of uploading information to the website; the power to upload information should not be vested in one person, but rather in a team of web managers.
The web master should have exclusive rights to upload information, and only after the team has deliberated and judged the move appropriate. This requires restricting access to the servers and the main computer room (the approach to restriction has been discussed earlier). Another important yet often ignored task of the web management team is the withdrawal and alteration of information posted on the website.
The same staff should be mandated with withdrawing any information that may have reached the website, whether through malice or by mistake, before it tarnishes the name of the company (Wibowo & Batra, 2010).
Using genuine and up-to-date software and hardware
Technological advancement has made available systems that are secure and able to handle basic information threats. For example, software that times out when not in use can help a company secure information that could otherwise be accessed while a system is left running.
In the market, there is the option of buying software or hardware and then installing security measures, and there are systems that come with an inbuilt security system. Systems that come with security set-ups are referred to as managed security services or software-as-a-service (SaaS); they come with a warranty that they will secure information for a certain period if used effectively.
Small-scale businesses should use such systems, since they offer more security and a fallback in case they collapse. Moreover, the developers of these systems are mostly large companies with the resources to develop an effective system, so a small-scale business pays relatively little for quality service (Veiga & Eloff, 2007).
Upgrading a company's software is another measure that helps keep people from accessing crucial information; for example, an operating system like Windows keeps updating its software to offer better services and protection against threats.
Technology changes day by day, so a company should maintain a strong information and technology team that can keep the company abreast of the computer world (Cain, 2010).
Hacking can be prevented by ensuring that the software a company adopts is complex in design but user friendly; hackers have used other software that runs parallel to the original software to obtain information about a company, and using genuine, well-developed software can keep them away.
Many times a system is hacked by information and technology people who have worked with the system and thus know how it operates. To prevent this, there should be a responsibility oath, enforceable in court, taken by information and technology experts when joining and leaving an organization.
Secondly, there should not be a single center of power: no one person should fully understand a system in operation. Checks and balances should be set (Aggeliki, Spyros, Costas & Stefanos, 2010).
Have data backup systems
In the extreme, information can be lost due to unavoidable circumstances; small-scale businesses should have backup systems that allow them to retrieve information that has been lost. The backup systems are kept at a different site from the place of operation.
If data is lost, the backups are used as a fallback. Technology has today reached a level at which lost data can be recovered using data recovery tools, though these require prior registration; a company should invest in such technologies (Batra, 2007).
Employee awareness and internal process control
One potential source of information security issues is staff, whether malicious, innocent, or ignorant. Managers should ensure that they have programs that train their staff on the need for high information security. Beyond training, management should have policies that facilitate adherence to information security (Puhakainen & Siponen, 2010).
Some operations employees perform on the system may endanger it; there have been cases of flash disks being used to transfer information from the company to other places, or of employees downloading or installing software on company computers. These actions threaten information.
To prevent employees from using external gadgets to extract information, management should block the use of USB connections, or, if they must be used, crucial information may be made read-only so that employees are unable to take it.
There are systems that can be used to manage access to and transfer of information from computers within an organization; they include Windows Registry settings, which limit access to and transfer of information without authentication (Peltier, 2002).
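An added example (not from the essay) of how the USB read-only and USB-blocking controls mentioned above can be audited and applied on a Windows machine through the registry. It assumes a Windows 10/11 or Server host, an elevated PowerShell session, and the StorageDevicePolicies and USBSTOR keys under HKLM\SYSTEM\CurrentControlSet, which are the standard locations for these two settings.

```powershell
# Registry locations assumed for this example (standard on Windows 10/11 and Server).
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStoragePolicy {
    # Report the current state so the change can be audited before and after.
    $wp    = (Get-ItemProperty -Path $PolicyKey  -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start        -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        WriteProtect = if ($null -eq $wp) { 0 } else { $wp }   # 1 = removable disks are read-only
        UsbStorStart = $start                                  # 3 = driver loads on demand, 4 = disabled
    }
}

function Set-UsbStorageReadOnly {
    # Keep USB storage usable for reading but refuse writes, so files cannot be copied out.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Type DWord -Value 1
}

function Disable-UsbStorage {
    # Stricter option: stop the USB mass-storage driver from loading at all.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Type DWord -Value 4
}

function Restore-UsbStorage {
    # Undo both settings, e.g. for an approved and documented exception.
    if (Test-Path $PolicyKey) { Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Type DWord -Value 0 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Type DWord -Value 3
}

# Audit, apply the read-only control, and audit again so the change is recorded.
Get-UsbStoragePolicy
Set-UsbStorageReadOnly
Get-UsbStoragePolicy
```

WriteProtect applies to removable disks connected after the change, so devices already plugged in need to be reinserted. On a domain, the same two controls are better applied centrally through Group Policy (Removable Storage Access) so that a local administrator cannot silently undo them.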
When an employee wants to download or install a program on the system, there should be proper approval, and the need for the proposed software should be defined. Once the software has been installed, management should vet and scrutinize it for any threats it is likely to bring to the company.
The information and technology department should be guided by integrity and have the capacity to make the system work with optimal security. It has the expertise to create security controls such as the use of passwords and limiting access to computers at the individual level. Additionally, it should register computers under the name of their user so that, should anything be done using a computer, it can be traced back.
This is a psychological, or deterrent, approach: employees will shy away from misusing their computers for fear of being detected and punished if information leaks via their machines. This increases reliability, and employees feel more accountable for the information they hold (Asai & Hakizabera, 2010).
When a small-scale company has decided to implement a security policy, the procedures and processes it must consider are:
Know your attackers
Before the best strategy is rolled out, the most important step is to identify the possible sources of information threats; when the attackers are known, as well as how they operate, the company is in a better position to maintain a highly secure system.
The approach to security that the company takes is dictated by the trend of the attacks and the intent of the information hackers (Kantardzic, 2002).
Determine the pain thresholds
Given the nature and trend of the attackers, the system used should be there to frustrate them; determining how far the attackers are willing to go is important, since the company will develop a strategy that frustrates attackers and probably limits their attempts in the future (Hennie, Lynette & Tjaart, 2010).
Research the best method
With an understanding of the situation and of the attackers to bar from the system, a company needs to develop the alternatives available for the task. The alternatives may be commercial software or, sometimes, restructuring the internal controls within the organization. Whatever the situation, a company should aim to implement the best security approach at its disposal.
Some of the potential areas that need to be looked into are social engineering, internal information control policies, the vulnerability of the system, and the integrity of the company's employees (Hill, 2009).
Rolling out, controlling, monitoring and reinforcing
When the best approach has been identified, the company should come up with a roll-out plan; it should be appreciated that developing security systems is like any other change within an organization and needs to be strategically planned. Management involvement in controlling and monitoring is called for (Dhillon, 2007).
Conclusion
Technology has brought numerous advantages to small-scale businesses; however, it exposes them to information security threats. The data and information held by a company are an intangible asset and should be secured and protected, yet some companies have had their private information lost or accessed by unauthorized users. The information management team has the role of establishing an effective information security strategy that addresses internal and external information threats.
References
Aggeliki, T., Spyros, K., Costas, L., & Stefanos, G. (2010). A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), 350-365.
Asai, T., & Hakizabera, A. (2010). Human-related problems of information security in East African cross-cultural environments. Information Management & Computer Security, 18(5), 328-338.
Batra, M. (2007). The dark side of international business. Competition Forum, 5, 306-314.
Cain, A. A. (2010). Information security a top priority. Internal Auditor, 67(1), 17.
Dhillon, G. (2007). Principles of information systems security: Text and cases. NY: John Wiley & Sons.
Hennie, K., Lynette, D., & Tjaart, S. (2010). A vocabulary test to assess information security awareness. Information Management & Computer Security, 18(5), 316-327.
Hill, C. W. (2009). Global business today. New York, NY: McGraw-Hill.
Hulitt, E., & Vaughn, R. (2010). Information system security compliance to FISMA standard: A quantitative measure. Telecommunication Systems, 45(2-3), 139-152.
Kantardzic, M. (2002). Data mining: Concepts, models, methods and algorithms. New York: J. Wiley.
Peltier, R. (2002). Information security policies, procedures, and standards: Guidelines for effective information security management. Boca Raton, FL: Auerbach Publications.
Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 767-A4.
Veiga, A. D., & Eloff, J. H. (2007). An information security governance framework. Information Systems Management, 24, 361-372.
Wallace, L., Lin, H., & Cefaratti, M. (2011). Information security and Sarbanes-Oxley compliance: An exploratory study. Journal of Information Systems, 25(1), 185-211.
Wibowo, K., & Batra, M. (2010). Information insecurity in the globalization era: Threats, governance, and survivability. Competition Forum, 8(1), 111-120.
Yayla, A., & Hu, Q. (2011). The impact of information security events on the stock value of firms: The effect of contingency factors. Journal of Information Technology, 26(1), 60-77.