IT Security from A to Z: A Practical Guide for Business Owners

If you're in IT, security is part of your job. Hackers never sleep, which means you can't, either. Part of staying on top of your game is constantly boning up on what's new in the world of information security, or "infosec".

Since hackers now target every type of business, not just the Sonys and TJXs of the world, that leaves small- and medium-sized business owners at risk, too. On top of everything else you do, however, staying current on infosec might make you feel like you've gone back to school: constant studying!

If you're a business owner, not an IT professional, this guide is for you. You may not feel that your current skillset is in alignment with the task of conquering IT security. It may not be, but this guide gives you a good foundation for moving forward on cyber security for your business.

IT security may not be part of your job right now but it should be. This guide gets you headed in the right direction, so let's begin.

Audits
Know what to expect from an audit. There are several types, of course, but one example is the data privacy audit. Do you have the proper confidentiality controls in place on all your databases and other systems? Is the application server that handles personally identifiable data compliant? Know what they're looking for, so you'll be better prepared to pass an audit.

Breaches
No matter how hard you protect your data, breaches can still happen. The key point here is to know what to do if and when a breach occurs. Will you halt all operations? Will you need to call someone in? Does your online shopping cart need to be taken offline? Breaches don't happen every day, but you should have a contingency plan in place.

Cloud Security

One way to stay secure is to manage your cloud security with an integrated approach. That way, your cloud security posture is visible across your entire array of cloud services, not just piecemeal.

Encryption plays a role, too. When data is transferred between the cloud and your internal network, encryption should be used in full force.

Make sure you're protecting data in real time. Also, threats are constantly developing, so stay on top of things by using a third-party resource such as a security blog, a threat database vendor, or ongoing training. Actually, making use of all three is a great idea!

Finally, work with your cloud app vendors to put secure practices in place, including identity management and multi-factor authentication. For more on identity management, keep reading.

Disaster Recovery

Knowing what to do when there's a breach is important (see above). Part of that is planning for recovery from a variety of disasters... system crashes, power failures, and whatever else you can think of.

Devise a solid plan for every disaster imaginable, spell it out, and make it accessible to all those who need to know about it.

Employees
Increasingly, employees are a major source of risk when it comes to IT security. This is especially true if you allow bring-your-own-device (BYOD). Accessing company resources on personal devices should be managed carefully. Use two-factor authentication, for starters.

A guide to best practices is a good idea for all your employees, too. A little training will make your company much more secure.

Financial Risk

Part of a good IT security plan is knowing how much is at risk. Companies lose billions every year to data security breaches. Knowing what's at stake financially can help you allocate or ask for the proper level of resources for security.

Going Outside the Company: Vendors & Contractors

If you transfer data to or from another company or vendor, is that process secure? Is data encrypted? What are vendors' policies about IT security and data privacy?

Handling Insurance

Cybersecurity insurance, cyber liability insurance, data breach insurance... you name it, it's out there. Some companies find it an invaluable tool for protecting their resources (financial and otherwise). From hiring a security expert after a disaster to paying up after civil litigation, the cost can be tremendous. Insurance can cover these expenses and more.

Identity Management

You may have a hierarchy of positions at your business, where some staff should have access to certain digital resources but not all of them. Knowing who needs access and why is crucial to protecting those resources. Why give everyone the key to the safe?

You'll need to carefully scrutinise the roles and needs of your employees before you set up access. This is called identity management.

Job-Specific Security: Retail

Retail security (in the digital realm) is a multi-headed beast. You'll have to consider point-of-sale measures, credit card security (PCI Data Security), and Wi-Fi security.

On the credit card front, you'll need the technology and the know-how for complying with new PCI data security standards for processing credit cards. For starters, only use vendors who use PCI-compliant technology.

If you have Wi-Fi at your store, Wi-Fi security is a top priority (see below, Wi-Fi).

Keeping Data Safe

Time out for a mini refresher course. These are the basics of keeping your data safe:

  • Use encryption if you're storing data on laptops and desktop PCs
  • Protect everything with strong passwords
  • Restrict access to data that's sensitive (see Identity Management, above)
  • Purge old data you don't need
  • Have a plan for when breaches occur

Leadership
Since responsibility for IT Security has migrated out of the IT department and into the rest of the organisation (see below Organisational Structure and Your Role), leadership is key. For everyone to hop on board the security train to success, it all has to start with leadership.

Company leaders need to stress the importance of forming a culture of data safety and security. That way, managers have the proper backing to implement their methods for getting everyone to comply.

Mobile Security

With mobile devices in the mix, nothing is safe. You'll need to find a way to work smartphone protection into your security plan. That goes for laptops and tablets, too, as well as any other portable devices used by employees these days (the list is growing!).

Network Security
The first step to providing serious information security is setting up your network properly. You may need outside help with network security, but basically, it consists of:

  • Configuring your network for maximum security
  • Detecting when that configuration has changed so you can troubleshoot
  • Responding to problems as quickly as possible

There's no such thing as absolute network security, and it takes constant vigilance to maintain proper configuration. At the very least, you'll want to get a good firewall up and running properly. That will protect your internal activity from the majority of risks that come from the Internet.

Organisational Structure

These days, responsibility for information security rests with everyone in a company. IT security is no longer just a technical matter involving firewalls and antivirus programs (see below, Your Role). Now, it's up to everyone to practice good security, follow best practices, and know about IT security.

Password Management Security

This is part of identity management (see above) and can involve password-management tools. Employee passwords are a huge security weakness, so encourage employees to use such a tool. This might require training so they understand why it's important.

Rules & Policies

After getting leadership buy-in for IT security, the next most important step is to quickly establish rules and policies. Start with a good IT security policy and you'll pave the way for better adherence down the road from all your employees.

According to experts, here's what your policy should cover:

  1. The importance of data protection and compliance
  2. The different types of data your organisation handles: staff, customer, intellectual property, etc.
  3. What your business does to comply with data protection regulations
  4. Who in your organisation is responsible for overall IT security
  5. The rights of access of the people whose personal data you process
  6. Relationships with third-party vendors, partners, consultants, etc., and how data is handled between you
  7. The specific techniques your business uses for IT security, but not too detailed, as that could create security risks
  8. How IT security in telecommuting is handled
  9. The consequences of violating company IT security policies

Social Media

Hackers see huge ROI on targeting users of social media, so you and all your employees should be aware of the risks. There may be little you can do from an IT perspective, but as a business leader, you can do much to educate your staff.

Twitter and Facebook and sites like them are prone to worms, hijacking of accounts, and spammers. In 2009, U.S. President Barack Obama's Twitter account was hacked. More recently, Twitter was hacked again and this time it was the accounts of Forbes, UNICEF, Nike Spain, and the European Parliament, among others.

For your company social media accounts, be wary of third-party apps. Many vulnerabilities occur through these, so go through your settings regularly and revoke access to anything you don't need.

Secondly, activate two-factor authentication for an additional layer of protection when signing in.

The Internet of Things

Encryption is key if you're going to build security into your IoT framework. Use encryption to authenticate the devices on your IoT framework. Use VPNs (virtual private networks) to protect sensitive data during transfer between machines.

Access control is important, too. Allow staff access to IoT devices only when necessary. Finally, make sure you stay current with patches and updates going forward.

Understanding Pen Testing

Pen testing stands for penetration testing. The Pink Panther's Inspector Clouseau had Cato to keep him on his toes with his surprise attacks. Pen testing is similar. Someone tries to penetrate your network and get past your security, all in the name of testing your defences.

Vulnerability Management

You'll need to know a little about vulnerability management, too. There are software programs that help you do this. Essentially, vulnerability management consists of the following tasks:

  1. Discovery. Network assets are 'discovered', which means catalogued, categorised, and assessed. It's much like a complete inventory of your digital assets. After all, you can't protect it if you don't know it's there.
  2. Reporting. This is an even deeper analysis of the data your business holds. It's necessary for completing the next step...
  3. Prioritisation. You'll want to prioritise what you've found during the Discovery phase so you know which security measures are most important. These are the digital assets to which you'll want to divert more security resources.
  4. Risk Response. Now that you've got your data categorised and prioritised, you'll want to devise a plan for mitigating risk for each type. Responding to potential risks comes in several forms: correcting risk, reducing risk, or accepting risk.
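As an added example (not code from the original guide), here is a small Python sketch of those four steps run over a constructed asset inventory; the sensitivity and severity scales, the scoring rule and the acceptance threshold are assumptions made for the example, not figures from the guide.

```python
"""Toy vulnerability-management workflow: discovery, reporting, prioritisation,
risk response. All asset and finding data below is constructed sample data."""
from dataclasses import dataclass, field

# Step 1, Discovery: the inventory of assets we know about.
# 'sensitivity' is a 1-3 score the owner assigns (3 = holds customer or card data).
@dataclass
class Asset:
    name: str
    sensitivity: int                        # 1 (low) .. 3 (high)
    findings: list = field(default_factory=list)

@dataclass
class Finding:
    title: str
    severity: int                           # 1 (low) .. 5 (critical), from the scanner
    fix_available: bool                     # a patch or config change removes the risk
    workaround: bool                        # the risk can be reduced but not removed

ASSETS = [  # constructed sample inventory
    Asset("shop-web", 3, [Finding("outdated TLS library", 4, True, False),
                          Finding("verbose error pages", 2, False, False)]),
    Asset("back-office-wifi", 2, [Finding("WPA2 disabled", 5, True, False)]),
    Asset("printer", 2, [Finding("old firmware, no update published", 3, False, True)]),
]

# Step 2, Reporting: flatten the inventory into one list of (asset, finding) rows.
def report(assets):
    return [(a, f) for a in assets for f in a.findings]

# Step 3, Prioritisation: score = severity x sensitivity, highest first (assumed rule).
def prioritise(rows):
    return sorted(rows, key=lambda r: r[1].severity * r[0].sensitivity, reverse=True)

# Step 4, Risk response: 'correct', 'reduce' or 'accept', the three responses in the text.
# accept_below is an assumed threshold; anything accepted should get explicit sign-off.
def respond(asset, finding, accept_below=4):
    score = finding.severity * asset.sensitivity
    if finding.fix_available:
        return "correct"                    # a fix exists: schedule it
    if finding.workaround and score >= accept_below:
        return "reduce"                     # no fix, but mitigate (segment, restrict access)
    return "accept"                         # nothing to do or risk too small; document it

def plan(assets):
    """Return (asset, finding, score, response) rows in priority order."""
    return [(a.name, f.title, f.severity * a.sensitivity, respond(a, f))
            for a, f in prioritise(report(assets))]

if __name__ == "__main__":
    for row in plan(ASSETS):
        print(*row, sep=" | ")
```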

Wi-Fi
As for Wi-Fi or wireless security, offering your customers Wi-Fi in your store is a wonderful idea, but it brings risks. Even if you're just using Wi-Fi for your back office operations, keep undesirable activity off your network.

Encryption and authentication are the name of the game here, too. Authentication practices should be followed for user access to the network and to computers in your store. Encrypt your data when it's in transmission and when it's simply being stored. To encrypt the wireless traffic itself, go to the settings for your router, search for WPA2 and enable it.


There are many other small security issues for small- and medium-sized business owners to think about. We haven't mentioned supply chain security, for example. The best way to stay informed on all the 'extras' you'll need to know about is to subscribe to a good IT security blog.

Your Role

IT security is no longer just a technology issue. It's a leadership matter, where looking at the big picture is essential to success. The role of the IT security person at an organization, whether it's the founder of a small operation or a dedicated staff member, is to design company-wide structures and policies that affect everyone.

Technical tasks may even be outsourced or delegated. It's not unusual for bigger companies to have an executive position such as VP for Information Security, for example. Another title we're seeing more and more is Chief Information Security Officer (CISO).

Zooming in on the Future

Finally, we'll end with a look at what's to come. IT professionals will need to become even more agile and flexible in the face of digital change. That change will pick up, to be sure, and businesses who want to stay viable will need to keep up. That means security practices will need to be ever-more adaptable and resilient as technology and security risks become more complex.

You're well on your way to becoming secure, simply by having read this guide. With this basic framework in mind, you should now be ready to dig in and start implementing some of the ideas you've read about here today. Good luck, stay secure, and keep learning!
