The internet has made it extremely easy to exchange information, which is great for small businesses, but also could pose a threat to your data if care is not taken.
The first stage is to identify where all your information is being stored and categorise it between Public and Highly Confidential.
Next you should identify all threats and vulnerabilities to this data. This need not be technical threats as employed by computer hackers. Instead these threats may be simpler but also more damaging. Could you stop a disgruntled under performing sales executive take a document containing all of your client and sales information to a competitor? Would you know if this had happened?
The next stage is to risk assess all of the threats and vulnerabilities you have identified to produce a risk score against each one.
For Instance a threat could be...
Client Sales History files are accessible by all users therefore there is a risk of data leakage by a disgruntled employee
This could have a serious impact (4 out of 5) upon the business and as we have a high churn rate of sales people then the probability could be high (3 out of 5).
We calculate the risk score by multiplying the probability by the impact giving us a risk score of 12.
Once all these risks are collated into a central point we can then sort each threat by risk order.
You can then produce action plans on high risk areas to lower these risks. This could be as simple as revising an internal procedure or as complex as installing new systems.
In the above example risk reducing action could be to
Compile list of all users who need access to Client Sales History. Restrict access to only those users that need it. Also split documents down by sales area
By limiting access then we can lower the probability to 1 and by splitting the documents down by sales area then we are reducing the impact of a data leak to 2. This then leads to a residual risk score of 2
With some items your company may not be able to reduce the risk. In this case you may well elect to accept the risk. However the fact that you have identified the risk and can review it at regular intervals will be an achievement in itself.
Steve Clarke
PragmatIT IT Ltd
As we cannot be experts in every relevant subject, we would love to receive 'guest' articles that may be of interest to anyone running their own business or thinking of doing so. ADD YOUR ARTICLE
