Information Security Recommendations for Small Businesses

We've compiled some information security recommendations that every small business should consider to determine if they apply to their business. These recommendations apply to businesses with digital information assets such as document files, computer equipment, installed systems, computer networks, email, cloud storage, websites, and so on.

Given the breadth of the topic, our recommendations are neither exhaustive nor detailed. The purpose is to provide a general overview, to encourage you to review the recommendations and check that you comply with them, and to offer ideas for improving safety and reliability in the workplace.

First, what is Information Security?

According to Wikipedia, information security is the set of preventive and reactive measures of organizations and technological systems that allow them to safeguard and protect information, seeking to maintain the confidentiality, availability and integrity of data.

Below we present the different recommendations, classified according to the security aspect to which they belong, and we offer checklists that help you verify, simply and easily, that you are following good security practices (these checklists are the property of INCIBE, the National Cybersecurity Institute of the Spanish government).

Information classification

Information is one of the main assets of any company, and as such we have to protect it properly.

Before classifying information assets, create an inventory of the company's information assets, starting with the most important ones. Possible assets include:

  • Locations where information is stored: servers, computers, disks, USB devices, cloud services, website, etc.
  • Important digital documents: contracts, files, financial records, customer files, etc.
  • Internet services: website hosting service, email service, backup services, storage services, etc.

Once we have inventoried our information assets, it is necessary to classify the files to ensure effective security management based on criteria of confidentiality, availability, and integrity. Some ways to classify assets are:

Classification by level of accessibility or confidentiality

  • Confidential. Accessible only by management or specific personnel.
  • Internal. Accessible only to company personnel.
  • Public. Publicly accessible.

Classification by type of information content

  • Customer and supplier information
  • Purchase and sales information
  • Personnel information and internal management
  • Information on orders and warehouse processes

Classification by impact of theft, deletion or loss

  • Image damage
  • Legal consequences
  • Economic consequences
  • Stoppage of activity

Information backup

Storage media contain one of our most valuable assets: information. These devices can be affected by situations such as theft, fire, flood, power outages, breakage or device failure, viruses, accidental deletion, etc. In these cases, we would be unable to access our information, potentially jeopardizing the continuity of our business.

Some recommendations are:

  • Include in the information asset inventory the most important assets that require backups.
  • For each asset, identify: responsible parties, type of backup, where it is backed up, how often it is backed up, and the validity period of the backups.
  • Frequently perform recovery tests to ensure that backup media are reliable.
  • Ensure that only authorized personnel have access to the backups that correspond to them.
  • If possible, encrypt backups that contain confidential information, especially those uploaded to or stored in the cloud.
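A minimal way to put the recovery-test and access recommendations above into practice is a backup job that writes a SHA-256 manifest beside the archive and a recovery test that actually restores the archive to scratch space and compares every file against that manifest. The following Python is an added example, not code from the article or from Vorealis; the directory names, file contents and the tar.gz-plus-JSON-manifest format are constructed assumptions, and encryption of the archive is left to the backup tool.

```python
"""Backup with an integrity manifest and an automated recovery test.

Added illustration, not code from the article. Assumptions: files live on a
local disk, and a tar.gz archive plus a JSON manifest of SHA-256 digests is an
acceptable backup format (encrypting the archive is left to the backup tool).
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir: Path, backup_dir: Path) -> tuple[Path, Path]:
    """Archive src_dir and write the manifest next to the archive."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = backup_dir / "backup.manifest.json"
    digests = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in digests:
            tar.add(src_dir / rel, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2))
    return archive, manifest


def recovery_test(archive: Path, manifest: Path) -> list[str]:
    """Restore into a scratch directory and compare every file with the manifest.

    Returns an empty list when the backup is usable, otherwise one line per problem.
    """
    expected = json.loads(manifest.read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        # The 'data' extraction filter (Python 3.12, backported to older 3.x)
        # refuses archive entries whose paths escape the destination directory.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(restore_dir)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content changed: {rel}")
        problems.extend(f"unexpected file: {rel}" for rel in restored if rel not in expected)
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed sample: back up two files, test recovery, then damage the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "company-docs"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "client-a.txt").write_text("constructed contract text\n")
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        archive, manifest = create_backup(src, Path(tmp) / "backups")
        clean = recovery_test(archive, manifest)
        # Simulate a damaged backup medium by truncating the archive to half its size.
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])
        damaged = recovery_test(archive, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'OK' if not result else result}")
```

Running the script prints `clean: OK` and a non-empty problem list for the truncated archive. Scheduling `recovery_test` regularly (and storing the manifest separately from the archive) turns the "frequently perform recovery tests" recommendation into something that can fail loudly before the backup is actually needed.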

Information integrity

Information integrity refers to ensuring that data, or information assets, are free from unauthorized modifications, and that they are complete, intact, and available for use by company members without issue.

The main enemies of our information integrity are viruses and malware, which contaminate and corrupt it. Computer viruses are programs designed to replicate and spread, often with the goal of damaging computer systems and the data they contain. Malware, on the other hand, is a general term encompassing a variety of malicious software, such as viruses, worms, Trojans, ransomware, and spyware, which can compromise the security and privacy of information. Both pose a significant threat to information integrity, as they can alter, destroy, or steal data, which can have serious consequences for individuals and organizations. It is crucial to have robust security measures, such as antivirus software and firewalls, as well as sound cybersecurity practices, to protect information integrity.

Some recommendations for protecting the company's information assets are:

  • Use antivirus and antimalware systems on all computers in our company, protecting files, email, and web pages.
  • If we have antivirus systems, it is important that they are up-to-date and easily accessible to staff.
  • It is recommended to define which applications staff are permitted to use, and each user should monitor the equipment under their responsibility and ensure that only permitted applications are installed on it.
  • When browsing the internet and providing information on websites, we must first verify that the site has a valid digital certificate to prevent the theft of information or passwords by third parties.
  • If we connect to a wireless network, we must check that it uses at least the WPA2 protocol.
  • It is not advisable to use networks or WiFi of unknown or unreliable origin when we need to access sites that require our password or where sensitive company information is exchanged (email, for example).

Password management

Passwords are one of the most important aspects of securing our information systems. Weak or poorly protected passwords can facilitate unauthorized access to and use of our company's data and services, so it is essential to have policies and best practices in place for defining and using them.

Some key aspects you can consider are:

  • It is not recommended to use default passwords, or passwords consisting of a single dictionary word or a proper name.
  • The company can establish a robust, common format for creating passwords that specifies the minimum length, the types of characters that must be included, and even how often they should be changed.
  • Try to enable two-factor or multi-factor authentication (for example, a password plus a token on your phone or other device) on all services where this functionality is available.
  • Of course, never share passwords or write them down on paper, much less on a post-it note on your monitor.
  • When accessing a website, verify that it has a digital certificate.
  • Use a specialized service or software to store passwords.
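One way to enforce a password format of the kind described above is a small policy check that runs when a password is set, plus a rotation check against the date it was last changed. The Python below is an added example, not code from the article or from Vorealis; the minimum length, required character classes, rotation period, and the short lists of default passwords, dictionary words and names are constructed assumptions (a real deployment would load a large breached-password list).

```python
"""Password policy checks for a small company, as an added example.

Policy values and word lists below are constructed assumptions, not taken from
the article; a real deployment would load a large list of breached passwords.
"""
from __future__ import annotations

import re
import string
from datetime import date

MIN_LENGTH = 12        # assumed minimum size
REQUIRED_CLASSES = 3   # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 180     # assumed rotation period

# Constructed samples of vendor defaults and very common passwords.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome", "changeme", "letmein"}
# Constructed fragments of a dictionary and of a list of proper names.
DICTIONARY_WORDS = {"summer", "company", "dragon", "football", "invoice"}
PROPER_NAMES = {"maria", "carlos", "acme"}


def _letter_core(pw: str) -> str:
    """Strip digits and symbols so 'Summer2024!' is still recognised as 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password violates (empty list if it passes)."""
    violations: list[str] = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DEFAULT_PASSWORDS:
        violations.append("default or commonly used password")
    core = _letter_core(pw)
    if core in DICTIONARY_WORDS or core in PROPER_NAMES:
        violations.append("built around a single dictionary word or proper name")
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))
    if classes < REQUIRED_CLASSES:
        violations.append(
            f"only {classes} character class(es); policy requires {REQUIRED_CLASSES}"
        )
    return violations


def needs_rotation(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for candidate in ("admin", "Summer2024!", "Bl4ck-Coffee-Before-9am"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("rotation due:", needs_rotation(date(2024, 1, 1), date(2024, 9, 1)))
```

The letter-core check is what catches the common pattern of a dictionary word padded with a year and a symbol, which a naive character-class rule alone would accept; the lists are deliberately small here so the example runs offline.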

Information storage

Information assets can be stored in a wide variety of locations: removable devices (USB drives, CDs, DVDs, etc.); company equipment such as servers, desktop computers and laptops; cloud services such as OneDrive, Google Drive or Dropbox; our website; intranet services such as SharePoint; and source code repositories such as GitHub or BitBucket.

It is important that we always keep in mind where our most important files are stored, as well as knowing at all times what the most recent version of them is and where to obtain a backup in case of an emergency.

Some recommendations regarding information storage:

  • In general, try to avoid using removable devices for storing information assets: it is very easy for them to fall into the wrong hands, and for the files on them to become corrupted or outdated. If you do use removable devices, you should at the very least password-protect them to make unauthorized access more difficult.
  • If we use cloud storage, we should give preference to storing information assets on secure and reliable services that guarantee we can retrieve the information and that it is managed confidentially on their servers.
  • For data storage on company equipment, it is important that these resources have access controls and appropriate backup mechanisms. If laptops are used, access to the device should be properly secured with a password and, if possible, with data encryption mechanisms so that in case of device loss, company information cannot be accessed.

Copyright 2026, Vorealis Software, all rights reserved.