August 12, 2014

9 Information Security Tips for Start-up Businesses

If you are one of about 543,000 businesses that reportedly start up every month, it is critical that information security is part of your business plan.

Start-ups are becoming popular targets for cyber criminals, according to a blogger at

“Smaller businesses tend to have fewer security mechanisms in place – making it easier, quicker, and less risky for a cyber criminal to access data.”

Of course, there are many other reasons to create a culture of security in your workplace from the get-go, not the least of which is the cost of a data breach.  

The 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, showed that when sensitive and confidential information was lost or stolen, the average cost to a company was $3.5 million in U.S. dollars, 15% more than what it cost last year. The research shows that reputation and the loss of customer loyalty do the most damage to the bottom line.

That’s not good for any company, particularly a new business, which is still establishing its customer base and reputation.  

What are information security best practices for a start-up?

  1. Understand your obligations. Research the privacy laws and legislation that are relevant to your business. Data security is your legal responsibility: you must properly secure and dispose of sensitive information such as financial data, customer information, employee files, etc.
  2. Create a written information security policy. Detail how sensitive data is identified and protected in and out of the workplace with specific guidelines for your mobile workforce. According to The Human Factor in Data Protection study in 2012, 56% of employees very frequently or frequently stored sensitive data on their laptops, smart phones, tablets and other mobile devices.
  3. Introduce document management procedures. Only collect and retain the personal information that your business absolutely needs, and establish physical access controls for those records, recommends The Global State of Information Security Survey 2014. Arrange for data backup. Keep an inventory of sensitive information with disposal dates clearly marked on both electronic and paper files.
  4. IT Protection. Utilize the latest and best technology safeguards for prevention, detection, and encryption.  The Human Factor study showed that 65% of small businesses said that, in general, their organization’s sensitive or confidential business information is not encrypted or safeguarded.  
  5. Educate your workforce. Provide regular training for employees on information security best practices. This is key.
  6. Emphasize physical safeguards. Make it a policy that workplace guests must sign in, that documents that need to be destroyed are kept in locked consoles, and that a Clean Desk Policy reminds employees to protect information at all times. More than three-quarters of employees leave their computers unattended, according to The Human Factor study.
  7. Implement a security risk assessment schedule to identify security gaps – and provide solutions.
  8. Supply chain. Before forging any business relationships, evaluate potential partners to make sure they are committed to information security.   
  9. Secure document destruction. Partner with a document shredding company that provides shredding services for both paper and electronic documents that are no longer needed. The company should have a secure chain of custody with on- and off-site destruction services and a certificate of destruction after every shred.

The State of the Information Security Industry 2013 highlights trends in information security and how companies can protect themselves.