The American Institute of CPAs recently polled their members in an effort to discover their top 10 technology issues for 2005. The CPAs who responded to the poll placed “Information Systems Security” at the number one spot on the list!
When most people think about Information Systems Security (we’ll call it data security), they think about protecting their systems and data from an Internet attack: a hacker, virus, worm, or spyware. And that’s good, because today’s Internet is a very dangerous place and prudent users should take every precaution to suitably defend themselves from the risks. Every business and home computer that connects to the Internet should be protected by a properly configured firewall, and regularly updated virus protection and anti-spyware software. Additionally, each system should have the latest security patches installed on the operating system and application software. Microsoft is constantly searching for vulnerabilities in their software products. When they find a weakness, they develop a security patch to fix it. These patches are made available to the public on the second Tuesday of each month, called “patch Tuesday.” If your system is configured to automatically download and install the patches, you’re good. If not, you need to take action to manually retrieve and install the appropriate updates. It is extremely important to get these security patches installed soon after they are released. Patches were available that could have prevented several of the most recent worldwide virus/worm attacks. Unfortunately, users had not installed them, and consequently suffered a business disruption.
Beyond those “externally” focused security measures, you need to also protect your data from internal threats. Two of the most often overlooked internal threats that lead to data loss, corruption or compromise are: 1) unauthorized access by an employee and 2) equipment failure. A recent FBI survey of anonymous companies showed that 70 percent of computer intrusions come from people associated with the company. To protect your data from this internal threat, you need to implement access controls. This includes physical access, as well as network access. A fundamental way to do this is to provide employees with only the necessary rights and privileges needed to perform their jobs. For example, you wouldn’t think about giving a new employee a set of master keys to your building and file cabinets, because in most cases they wouldn’t need access to everything in the building. However, if your data resides on an unsecured server or is distributed across your desktops, you may be inadvertently allowing everyone easy access to anything they want. To fix this, you need to utilize the built-in security features of your operating system and restrict user rights and permissions.
And lastly, you need to protect your valuable data from loss, theft, or corruption by performing regular data backups. Creating a proper backup plan and then executing it seems to be a very difficult chore for many small businesses. Nevertheless, it is a critical discipline that should not be overlooked. If you are not 100% sure that your valuable data could be recovered if it were lost or corrupted, then you need to invest the time to ensure that it is.
If you’re not sure where you stand on these data security issues, you should consider discussing your concerns with a qualified IT consultant. They will be able to advise you on the best way for you to protect your business from both the external and internal threats mentioned here, as well as other threats that may be specific to your unique business environment. Their professional guidance should give you peace-of-mind, knowing that when something bad happens, you’ll be able to gracefully recover without significant pain.
Friday, September 29, 2006

