Define roles and responsibilities
You should put at least one person in your business in charge of making sure all staff understand their responsibilities for online security. That person's responsibilities should include:
- learning about threats, trends and security options
- planning, acquiring and implementing security safeguards
- helping other personnel understand online security best practices and policies
- enforcing online security best practices and policies with management support
- maintaining and updating the security safeguards used by your business.
Successful online security within a business of any size relies on management support, good internal communication and individuals taking personal responsibility for their online activities.
Include online security in your business plan
Changes in technology mean there are few businesses today that don't operate online in some capacity. An online security plan is an essential part of your overall business plan.
Your plan should clearly and simply outline the key principles and rules for online security within your business.
You can identify and adapt existing standards to deal with specific online security issues or technologies in the business, or write your own.
Include in your plan:
- the backup and recovery measures you have put in place so that your data can be retrieved and restored if you fall victim to an online attack, including how often you test that a restore actually works
- action plans to follow if something does go wrong, covering such things as:
  - what to do if business equipment is lost or stolen
  - what to do if you think a computer is infected with a virus or other malware
  - what to do if data has been lost
- your expectations of employees regarding use of business-provided internet and social media, handling of sensitive information and use of strong passwords
- instructions about how staff may use email and the internet, including blocked sites and restrictions on the size of email attachments
- who has access to sensitive data, and how that data should be handled and stored
- an asset register that records which equipment is in use in the organisation and by whom
- systems in place to ensure anti-virus, anti-spyware, operating systems, web browsers and other software are kept up to date
- systems in place to ensure security is maintained while staff work remotely or use mobile devices
- a process for reporting breaches, using the guidelines offered by the Office of the Australian Information Commissioner (OAIC) – Data breach notification – A guide to handling personal information security breaches.
Developing the plan involves the following steps:
- Identify all business assets (such as computers and business information) and determine their importance and value to the business.
- Discuss online security threats with employees or outside experts (as required) and determine which assets would be harmed if one or more of those threats occurred.
- Rate each risk as high, medium or low, taking into account how likely it is and how much harm it would cause, and determine what can be done to reduce it.
- Weigh the cost and effort of each potential safeguard against the risk it reduces, then decide what can and should be done to improve online security.
- Communicate the online security plan to all employees so they understand their roles and responsibilities. Explain policies and standards to personnel so that they understand the rationale for the rules, to whom they apply and the consequences of not following them.
- Regularly review and update your plan.
Budget for online security
An effective online security plan costs time and money, and this must be taken into account when drawing up your annual business plans and budgets. Fortunately, some services, tools and advice are available free of charge, and policies and other internal documents can often be developed in-house at minimal cost. Free anti-malware products exist, but it may suit your organisation to purchase products instead, in which case the associated annual subscription fees must be budgeted for.
Do you know what your insurance covers? In some cases, your insurance may cover losses due to an online security incident. Discuss this with your insurance provider in advance, including any security measures the policy requires you to have in place for a claim to be accepted.