What’s the biggest information-technology security problem that Canadian entrepreneurs face?
If you said computer hackers, guess again. The biggest problems, by far, come from a company’s own employees. The good news: They’re usually not doing it on purpose.
Most of the security breaches involve accidents — an employee mistakenly emailing confidential client information outside the company, a cashier leaving a customer’s credit-card information on a publicly viewable computer screen or a manager inadvertently deleting important files.
One of the most common breaches: accidentally downloading malware — those nasty little computer viruses and trojan horses that can cause mayhem in your computer network.
“Employees often download everything and pick up all sorts of diseases without even knowing it. They also don’t check their computers regularly for malware,” says Robert Hyde, a BDC consultant in Toronto who specializes in information and communication technologies.
Four in five Canadian small and medium-sized enterprises (SMEs) report experiencing a security problem related to information and communications technologies (ICT) caused by an employee in the previous year, according to industry research. But most SMEs don’t do much about it until it’s too late.
“People pay lip service to ICT security, but they don’t invest money in it,” Mr. Hyde says. “Until they’ve been burned, they don’t necessarily see the value in it.”
Action usually gets postponed until the day an essential computer crashes or vital data gets wiped out in a malware attack. “There’s usually no concerted approach,” he says. “One guy is doing back-ups regularly, while someone else is careful about malware. It’s just sporadic or piecemeal.”
And with the proliferation of mobile devices, wireless computing and remote workers, the ICT security challenge is growing bigger for SMEs.
Mr. Hyde advises companies to evaluate their ICT security as part of a larger review of all of their ICT systems. The idea is to make sure your tech gear isn’t out of step with your business strategy — another frequently overlooked problem at SMEs in Canada. ICT investments have a direct impact on making businesses more innovative and competitive.
“Canadians are very under-invested in ICT, and that is causing a productivity gap with the U.S.”
Here is Mr. Hyde’s ICT security checklist for SMEs:
1. Strategy and human resources policies
- Does your company have a clear ICT security policy that’s known to staff?
- Do you have a policy on acceptable ICT use, password guidelines and security practices?
- Do you have confidentiality agreements for contractors and vendors?
2. Data backup
- For critical data (this is anything needed in day-to-day operations, including customer information), do you centralize it on a server and back it up nightly to a remote location?
- For important data (anything important to the business but that doesn’t get updated frequently), do you centralize it on a server and back it up semi-regularly off-site?
3. Desktop security
- Do all computers have working anti-virus software?
- Do you have a security policy for downloading and installing new software?
- Do you have passwords with a minimum of eight alphanumeric characters that are changed every 90 days?
- Are all computers updated with the latest system updates and security patches?
4. Internet and network security
- Do you have a firewall and intrusion detection on all web connections?
- Do you use a virtual private network for remote access?
- Are all modem and wireless access connections known and secured?
5. Privacy and sensitive information
- Is customer financial information encrypted and accessible only to those who need it?
- Are paper files kept in locked filing cabinets with controlled access?
- Do you do a periodic audit (every six months at least) of your ICT security checklist?
Content in this section is provided in partnership with the Business Development Bank of Canada. BDC provides entrepreneurs with financing, venture capital and consulting services. To find out more go to BDC.ca.