When should a new business consider Information Security?

I recently sought some advice from a small business who required copies of my identity documents. When I questioned how they stored these copies, it got me thinking about start-ups and freelancers who (bravely) leave the corporate world behind… and with it they leave the governance and structure that a corporation might provide when it comes to security. 

So…to all new business owners (big and small)….have you thought about information security, cyber security and privacy? Protecting your company information as well as that of your clients’ such as planning how and where you will keep documents (both hard copy and soft copy), protecting your intellectual property and complying with security related laws (to name a few) need to be a priority. These are often forgotten while drumming up business and setting up systems for dealing with clients. 

As your business grows, (which for some is rapid) even more tasks can cause security to take a backseat - like employing more staff, moving out of the beanbag at home and into a permanent office and creating more products for your eager clients. These are all important activities to focus on.  But another area of focus, equally as important, is the amount of risk being carried thanks to people, paperwork and IT systems. The risk of an information security or cybersecurity incident materializing would be detrimental to your business. Remembering also that it’s not always criminals - sometimes its employee error that can cause an incident. It is critical that you understand and manage the risks to information, systems and networks that support you to prevent or at least minimise the impact of an incident.

A great way to understand your information security needs is to begin as you mean to go on. Start when you are shaping your business by looking at the services you offer - will you collect personal information, payments and credit card data or do you need to create documentation that could be later used in a court of law (it happens…). Considering how to handle this sensitive information should be a part of your business planning and value proposition as your customers are putting trust in you…so much so they may simply assume you have the protection of this information covered (and we have talked before in my blogs about assumptions…)

It won’t be necessary to write security policies like novels from day one (or hopefully ever!). Information security doesn’t have to be too difficult or painful and should be resourced relevant to your business needs today. Taking some time to understand what information requires protection will help you to know where to focus your efforts. Seek advice, if you’re not comfortable you have the knowledge, about the best mechanisms to protect the information you use in your current operations. When it comes to information security risk, have you thought about your business and those you interact with?