Small and midsize businesses are increasingly being targeted by cybercriminals—but they often lack the resources and expertise to develop comprehensive security policies that would help defend against these threats. These companies have also done little so far to fully comply with the Data Privacy Act of the Philippines, which is being implemented by the National Privacy Commission (NPC).
Let’s look at some of the issues:
IT staff systems/data access policy
IT pros typically have access to company servers, network devices and data so they can perform their jobs. However, that access entails risk, including exposure of confidential information and interruption in essential business services. Guidelines for governing access to critical systems and confidential data are needed.
Encryption offers a means of protecting data in transit or stored on devices—but it is only effective if organizations follow proven methods and adhere to current standards. There are tested and recommended encryption technologies that can help secure your corporate data.
IT physical security policy
You need a policy that will help your organization safeguard its hardware, software and data from exposure to persons (internal or external) who could intentionally or inadvertently harm your business and/or damage physical assets.
Information security policy
To protect your information assets, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, IT staff and supervisors/managers. You need to establish rules and guidelines to secure your company data.
Password management policy
Password-driven security may not be the perfect solution, but the alternatives haven’t gained much traction. You will have to look at best practices that will make password protection as strong and manageable as possible.
Electronic communication policy
You require a policy that provides guidelines for the appropriate use of electronic communications. Such a policy should cover privacy, confidentiality and security, and is intended to ensure that electronic communications resources are used for appropriate purposes only.
Intrusion detection policy
A clear and concise plan of action will help counteract any intrusion into an enterprise network and mitigate potential damage. You need to establish guidelines and procedures that your organization can follow when your computer network is compromised.
There are organizations that can help SMEs through special programs. The idea is for you to learn data privacy and protection in a simple way, so that you can immediately start a privacy management program across your organization and translate your privacy vision into your operations, down to every employee in the company.
Legal and operational compliance can seem a daunting activity, often confusing and complicated. It need not be. The difficult can be made simple to comprehend and deploy. Using a best-practices framework approach, you can now start a culture of data privacy and protection in your organization.
Even for SMEs, there is affordable automation software available, for instance the Data Protection Management System (DPMS), a compliance collaboration and management tool that helps companies productively manage the process of governance, risk and compliance with new data protection laws. Remember, data breaches are costly and criminal, and they can easily ruin your company’s reputation.
If assistance is needed or you want to comment on the content of this column, please contact me at Schumacher@eitsc.com.