Risk Management

Recently I was helping a friend at her small business office. Since it was just the two of us, we didn’t worry too much about security, but looking back I wonder if we should have been more concerned. We were focused on putting systems in place and not on risk management. Anything beyond passwords, locking computers before we walked away from our desks, and installing firewalls was well beyond our scope of expertise. We’d share passwords that gave us the same access to confidential client information. While it was convenient, I wonder if we were naive in thinking this was an ideal way to scale a business. By the time I left, we had four other employees and the same security access as when I was the only employee.

If you’re managing a small business, what risk management steps are you taking to protect company assets and client information? It may be time to consider a risk management assessment.

Tips for Small Business Risk Management

Whether you’re just getting started or you’re an established small business, there are areas of risk management to be explored. Do you have a firewall? Are employees sharing passwords? Do all employees have the same access to data, and should they? These are the kinds of questions we may ask as we conduct a vulnerability assessment. No need to be embarrassed; we simply want your business to be as protected from threats as possible.

  1. Establish standards for passwords. When I was a kid, I loved the movie Spaceballs, especially the part where the president yells out his password as 1-2-3-4. He then quickly says it’s also the number for his luggage. The scene may have been good for a laugh, but it’s also a great way to illustrate the need for complex passwords. The reason is that one of the easiest ways to access company data is by hacking company email. Establishing standards for password formatting and requiring a password update every month or quarter reduces that risk.
  2. Back up data. In case of a breach and/or to comply with standards, we recommend having a plan to back up data, including the company website. As someone who has had their website hacked, I can say with certainty that having a backup of the website is the best way to get the site up and running again. At the very least, data can be restored from the last backup.
  3. Create a business continuity plan. In case of a man-made or natural disaster, a business continuity plan helps the business get back up and running by first checking in with employees and then reestablishing infrastructure. The plan names key players in each department, along with the tasks they need to complete and in what order, so that data can be protected, and even moved, as needed.
  4. Protect from silo-ing. Your business can be at risk if departments are acting on their own without regard for what others are doing. We call those silos. Instead, each department should recognize its place in the complete process so they can better understand how what they do impacts others. If one department has a process for when the power goes out or the server goes down, and another department has a different plan, that could easily lead to compromised data, and even a risk management issue. Instead, create plans that bring everyone together.

When it comes to risk management, the more communication you have with your teams and with your Managed IT Services provider, the more secure and efficient the business will be.