Every week there are stories about security breaches, and guidelines on improving security to avoid them are issued by trade bodies, industry experts, software vendors and the Government. For many SMEs, the whole subject can be confusing. Is this something they should be concerned about? And do you, for example, have to do everything in the guidelines or just some things? This series of blogs provides an introduction to Information Security and what it means for an SME.

Previous blogs looked at what Information Security means (https://www.tiptopmedia.co.uk/blog/what-is-information-security), whether it is relevant for your business (https://www.tiptopmedia.co.uk/blog/is-information-security-relevant-for-my-business) and protecting physical assets (https://www.tiptopmedia.co.uk/blog/information-security-protecting-physical-assets). Assuming it is relevant to your business, you need to look at how to protect your assets. This blog takes a high-level look at how to protect electronic assets.

What are electronic assets?

Some are obvious – files on servers, databases, emails, websites, and services in the cloud – while others may not be so obvious. They could include door access records and voicemails. There are many ways to protect assets; some are part of guidelines issued by trade bodies and similar organisations. To decide which guidelines are relevant and cost-effective, carry out a risk assessment of how a breach would affect confidentiality, integrity and availability (shown in part 1).

Files on servers

Encrypt sensitive data – keep the encryption key in a safe place.

Segregate the network and lock down access to sensitive information.

Install monitoring software to check for unexpected access attempts, and check the logs that are produced.

Back up files and check that data can be recovered.

Databases

Encrypt sensitive data – keep the encryption key in a safe place.

Hide parts of sensitive data such as credit card numbers; replace actual values with asterisks or other tokens.
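
Added example (not part of the original blog): one way to hide card numbers before data is shown, exported or logged, using both options mentioned above, asterisks and tokens. The function names, the sample text and the token format are assumptions made for illustration; the key must come from a safe place, as with any encryption key.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and other digit runs are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(number: str) -> str:
    """Replace all but the last four digits with asterisks, keeping separators."""
    keep_from = sum(c.isdigit() for c in number) - 4
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            seen += 1
            out.append(c if seen > keep_from else "*")
        else:
            out.append(c)
    return "".join(out)


def tokenize_card(number: str, key: bytes) -> str:
    """Keyed token: the same card always gives the same token, so records can
    still be matched, but the number cannot be read back from the token."""
    digits = re.sub(r"\D", "", number)
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def mask_text(text: str) -> str:
    """Mask every Luhn-valid card number found in free text (notes, exports)."""
    def repl(match):
        raw = match.group(0)
        return mask_card(raw) if luhn_ok(re.sub(r"\D", "", raw)) else raw
    return CARD_RE.sub(repl, text)


# Constructed sample: 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = "Order 1234567890123 paid with 4111 1111 1111 1111 on 2024-01-05"
```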

Emails

Encrypt sensitive emails.

Configure anti-virus and anti-malware software to scan incoming emails.

Websites

Penetration tests.

Vulnerability scans.

Content management system – use strong passwords and enable multi-factor authentication (if possible).

Services in the cloud

Use strong passwords to get access to the service.

Enable multi-factor authentication (if possible).

Check privacy settings; some services change the default values or add new values – you could end up sharing too much information with others.

Other assets

Door access records – use a password to get access, and make sure they are backed up.

Voicemails – change the default password.

The next blog will look at how to deal with the human factor in information security.

Other blogs in this series

What is ‘Information Security’? https://www.tiptopmedia.co.uk/blog/what-is-information-security

Is Information Security relevant for my business? https://www.tiptopmedia.co.uk/blog/is-information-security-relevant-for-my-business

Protecting physical assets https://www.tiptopmedia.co.uk/blog/information-security-protecting-physical-assets

Find out more on how to improve your information security at http://wadiff-consulting.co.uk/first-step-to-improving-information-security/

Ian Grey
WADIFF Consulting