Platt Perspective on Business and Technology

Online store, online market space – part 17 and online security – 3 and performing a more detailed needs assessment and follow through

Posted in startups, strategy and planning by Timothy Platt on August 10, 2010

At the end of Part 16 of Online Store, Online Market Space I said that my next posting in this series would offer a more detailed discussion of areas of vulnerability and how to remediate them, for online security. I am going to do that and will also at least briefly touch on issues of physical security as well, as the two cannot be entirely separated in the real world.

The first place to start has to be with your employees, and yourself as a business owner. And in this, I take the word “employee” fairly loosely to include anyone who has authorized access to data that may be generated, captured or stored however briefly by your business. This would include third party service providers and consultants, part time help and anyone else who has or may have access to the data you have in your systems.

• When you hire, know who you are hiring – do your reference checks and if you are hiring for a position that would handle sensitive information do at least a basic background check as well. There are third party services that do this for businesses in helping them complete their hiring due diligence and this is money well spent.
• Train the people you hire into your information security practices and have a set of basic guidelines in place (e.g. no sharing of logins or passwords, and no posting of passwords on sticky-notes on the side of the monitor.)
• Add adherence to basic information security practices to the performance review criteria that you evaluate employees by, and make that fact known from day one of hire as a part of initial employee onboarding.
• And select and implement systems that are easy to use correctly and according to good information security practices. So for example, citing the almost poster-child security failure, use passwords and insist that they be of at least some minimum length and not simply be a text string like the word “password”, but use pronounceable non-word, non-name passwords where possible (e.g. ones like lev6dev) as they are easier to remember and less likely to be inappropriately written down. Help your employees help you in maintaining good information security by making it easier for them to do this right.

You will be collecting a great deal of information in the course of your business, and in this context I cite a recent posting: Building a Client Base – part 3: determining what data fields to populate and what data not to collect. Plan out and understand how your system is set up for processing and storing this information.

• Online data submissions through online forms and related resources will go directly into a database system, but if you also take orders and offer customer service by phone, does this also go directly into that database, or do you have a separate system for CRM?
• Does some or all of this data go onto paper for later transfer into electronic form, and if so when and under what conditions is it transcribed into your electronic database?

Single, flexible systems that allow for direct entry into secure database systems without ever having to capture personal information or other data on paper is more secure, less subject to error from faulty data entry, and less expensive than having incomplete and disconnected, or duplicative systems. In this, starting out with an incomplete or faulty system because it is less expensive up-front may very well mean you have a more problematical and expensive system going forward.

Know where your data is. If you select an “in the cloud” business solution for your data storage, neither you not your storage service provider may know what specific servers your data is being stored on but know what you can, and certainly for any in-house computers your data is stored on, and for any backup media you maintain. Knowing where your data is physically is the first essential step needed for securing it physically as it is the backup copy that is simply left out collecting dust in the open that will be your point of due diligence and security failure.

You have a small business with a limited budget. This is not the series where I would go into established business issues such as biometric server room security and simply add that servers can be standard desktop computers with:

• Server software (e.g. freeware, open source server software solutions such as Apache server),
• Database software (e.g. open source solutions such as mySQL), etc. loaded onto them.

These need not even be particularly high end computers – they only need to be working and reliable and able to handle the memory and storage needs your business faces and that your selected software calls for. And for a small and startup business, server room security may simply mean having and using a lock on a door. Just make sure your room selected is going to stay reliably dry and not overheat too much. In this regard, I remember seeing a server computer that was stored in a bathroom vanity under an old sink. I got them to move it before they had a sink overflow which would have fried their computer system and mention this to suggest you do not want to see the accident they missed seeing.

• Store your backups (e.g. flash drives, CD’s or whatever in a physically separate location from your server or other computer you keep your live database copy on.

Once again, I mention this from experience in seeing what happens when both main working database and backups are caught up in the same incident from being shelved together.

Use the security features that come with your operating system and other resources.

• Have your server and other business computers set up with login requirements for accessing the desktop, and with a requirement that a user re-enter their password if they are away from their computer for more than some number of minutes.
• Password-protect key folders on your business computers, and certainly folders where only some people who would use that computer should have access privileges.

I could keep on adding more specific details like this, but will instead step back to offer a more general and perhaps generally useful comment as a final thought to this posting. Good information security is all about planning and execution – thinking through the details, following through on them consistently, and keeping track of and record of what you do and when you do it. And in this is it all about asking “what if” questions and looking to limit the likelihood that unwanted events happen. Here the very best overall information security systems are ones where nothing ever really happens that can be seen as reaching a crisis or otherwise exciting threshold, and any incidents that do begin are simply handled by backups and planned for contingencies – or stopped before any harm can happen.

The next posting in this series is going to discuss exit strategies and long term planning.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: