

IT security

How to Write a Simple IT Security Plan for a Small Business

In the last in our series about business security, we’re taking a look at how to write a basic security plan for a small business. It’s one of those business essentials you don’t want to do without; far too many small businesses don’t bother with one, yet it only takes a few hours to draft. Checking your computers should take 20-30 minutes at most per machine (if it can’t be automated). Running through the remaining items on the checklist we discussed in a recent post may take you an hour or two.

Here’s how to build your own working business IT security plan for a smaller business. Large companies with more complex needs will require a more sophisticated plan than this, something we’re always happy to help with.

What level of IT security expertise do you need to make it happen?

As long as you can browse the web, edit a document and run an application, you already know enough about technology to protect your business at a basic level. Don’t let anyone put you off. Compared to the potential risks your business faces from unsecured IT, investing in business IT security always delivers a considerable return on investment.

Create a super-simple sample security plan

The first draft of your company’s security plan doesn’t have to win any awards, run to hundreds of pages or be full of fine detail. It just needs to outline the threats you face, establish sensible common-sense policies and assign responsibilities for taking action.

The best plans may be simple, but they’re also dynamic, just like the systems they protect. Everyone involved should take note of which policies are working and which need to be refined, changed or simply thrown out and started afresh. It’s all about gathering together and formalising the knowledge you need to give yourself the power to control your IT security.

Your objective

It always helps to distil your objective down to its simplest and most potent form, so you know exactly what your aims are. For many businesses this may include statements such as:

  • To protect our intellectual property and financial data
  • To meet our regulatory and legislative obligations
  • To show our suppliers and clients that we treat the security of their data seriously

Your team members

List your employees and allocate an IT security task to each relevant person. For example:

  • Peter Smith – Head of sales – Responsible for overall IT security
  • Theresa Jones – Tech support – In charge of all security-led technical changes
  • David Davis – MD – Tasked with scheduling and managing monthly checks

Threat assessment

What are your digital assets? List them all, including emails, client work files past and present, financial records, marketing collateral, staff information, project plans, schedules, customer data, contracts, and any other information you want to protect.

What are the risks you face? You might pin down things like:

  • Accidental damage, for example, dropping a tablet and breaking the screen
  • Natural disasters such as flood and fire
  • Employee negligence, for example, accidental file deletion
  • Employee misconduct, for example, stealing customer data
  • Crime, for example, a break-in at your premises
  • External risks like malware attacks and industrial espionage
  • Technical failure, for example, the death of a vital server

Security policies

Now that you’ve formalised your digital assets, the risks they face and the people responsible for managing those risks, you have everything you need to make basic plans about how to mitigate the risks. You might include things like this:

  • We will switch our email to Microsoft Office 365 to be certain our mail gets swept for viruses, archived properly and kept secure
  • We will move our data to a central file server
  • We will discourage staff from storing information on their local PCs
  • We will back up vital data every day – with local copies and in the cloud
  • We will store critical customer and business information on SharePoint online
  • Only staff working on a given project will have access to that project’s files
  • We will restrict access to business information like our accounts and payroll to a limited number of people on a need-to-know basis
  • We will set up BitLocker on all company laptops to encrypt files in case they are stolen
  • We will security-mark every laptop
  • We will get a security company to check our physical security, locks, and alarms once a year
  • We will update our internet use policy with our lawyers and train new staff about it
  • We will make sure everyone in the company is familiar with our IT security procedures
  • We will do revision training for the whole company once a year to keep the knowledge fresh
  • We will spot-check regularly to make sure IT security is being taken seriously, and our protocols followed properly

It’s a reasonably simple exercise, but even a basic IT security plan can save you a world of pain. If your business is medium-sized or larger, you’ll need professional support to create a workable IT security plan – that’s what we do, so do call us if you would like to informally discuss this.
