4. Deploy the security basics. That means firewalls for wireless and wired access points, and anti-malware on endpoints and servers, acknowledging that traditional signature-based anti-virus is a limited form of defense. Consider technologies such as application whitelisting to block unapproved software from being downloaded and installed. Over the years, security vendors have frankly conceded they've often had a hard time marketing to SMBs and establishing channels of sales and support, and have often tried to create editions of their basic products oriented towards smaller numbers of users and less technical expertise to manage them. But some practices are critical for all: Be rigorous about patching all operating systems and applications as quickly as possible. If your business is short-staffed in terms of security expertise, seek outside technical support under a managed security services arrangement. If there's a malware outbreak, for instance, you will need that expertise. Read articles, join technology user groups, and speak with industry colleagues to get tips about outside assistance. Keep in mind that if your business accepts payment cards, it's mandatory to adhere to the data privacy requirements spelled out in the PCI guidelines, which also include encrypting sensitive information. The government's HIPAA and HITECH security rules also require encryption of personally identifiable information in the healthcare industry. Encryption of data at rest and in transit is just a good idea — so why not do it?
5. When disposing of old computers and other devices that store data, remove the hard disks and destroy them. This goes for other types of media, too. And don't forget paper holding sensitive information as well.
6. Get detailed when it comes to each individual's access to data. This takes time, but determine what network and application access employees or outside business partners really need to do their jobs. Keep a record of this and consider using more than passwords, perhaps two-factor authentication or even biometrics. This also goes for systems administrators, whose jobs give them huge power over all the information systems in use. Options include requiring a dual-authorization process — something the National Security Agency claims to be doing more vigorously after former NSA tech contractor Edward Snowden leaked all those secrets. Your business is probably not as top secret as the NSA's, but your internal network and all your most critical data may well be under the control of a sys admin whether you think about that or not. And finally, have procedures for immediate de-provisioning of access and credentials when an employee departs or a business arrangement is altered.
7. Trust but verify, as the old saying goes. Do official background checks on prospective employees to check for criminal history (some companies are even evaluating prospective employees by looking at what their public social media history might indicate about them). And when it comes to technology vendors or cloud service providers, make sure whatever they promise is in a signed contract with some kind of consequences spelled out for failure to deliver. Consider paying a visit to data-center operations run by business partners with whom you plan to electronically share your customer data, for example, and have them provide details on their security, backups and the personnel involved.