Three components that compile a sound data-security strategy are as follows:
Protect Against Physical Breaches
Data security starts at your front door. An alarm system including surveillance cameras will protect your facility in general. Your server room will require systems to monitor humidity, temperature and water on the ground. Also, physical access to all data-storage areas (e.g., filing cabinets, desk drawers, workstations and servers) should be strictly controlled at all times.
Protect Against Technological Breaches
Deploying an effective security strategy will be influenced by a host of factors: budget, IT staff experience and unique company requirements. You may choose to locate the mission-critical elements of your infrastructure on-site, in a secure off-site data center or "in the cloud." Management might be tasked to your in-house IT staff or outsourced to a managed service provider.
As with physical security, protecting your network starts at the edge: A network firewall is your first line of defense in blocking unauthorized access to your systems and data. Current firewalls provide URL and application filtering, intrusion prevention, anti-virus scanning and remote access via virtual private networks and SSL encryption. Many firewall solutions also enable secure wireless connectivity within your office.
Moving inward from your firewall are several additional layers of security you should address. File and folder permissions should be diligently audited on all server resources. Your staff should have access only to documents and applications necessary to perform their jobs.
Also, since e-mail has become the standard method of document delivery in the accounting industry, all e-mails (inbound or outbound) containing confidential or otherwise sensitive information should be encrypted. Additional security measures include Data Loss Prevention (DLP), voice system security, two-factor authentication, endpoint security, full-disk encryption, port protection and client anti-virus and anti-malware.
All of these security measures are for naught if you suffer a server failure or other catastrophic loss of data. A well-executed backup plan is essential; and while there are several different approaches to disaster-recovery planning, most adhere to some permutation of the old 3-2-1 rule. In short: Keep three copies of any important file (primary and two backups); the file should be on two different media (e.g., DVD and external hard drive); and one backup copy should be stored offsite.
Last, your security systems should be tested rigorously for any weaknesses or missing elements. This is usually done by a third party, and typically involves four tests: PCI scanning, internal/external vulnerability assessment, risk assessment and web- application penetration testing.
Protect Against Communication Breaches
Technology alone is not sufficient. The most comprehensive security plan will fail if it isn't clearly documented, and if employees are not adequately trained on it.
Start with a basic documented security policy
A first step might be a policy document governing appropriate usage of company assets: e.g., computer and e-mail usage, personal storage/laptop/phone usage, etc. This policy document can grow as your security policy expands.
Give staff adequate training
Again, a security policy is useless if your employees don't fully understand and agree to abide by it. Schedule training sessions where your staff is given an overview of the nature and breadth of today's threat landscape and how to identify the more prevalent threats: Physical, social engineering, social media, spyware, phishing and fraud.
At a time when so much of your business is conducted online and so much of your critical data is stored electronically, your continued success is more dependent than ever on the success of your internet security plan.
