I am not talking about security auditing the business, investing in security technology and such, but instead I will refer here to some simple but important measures any company should take in protecting their business. It's about legal protection.
Let's start with a series of possible scenarios asking you if they seem familiar to you:
- a company having their main advantage on the market in front of the competition the clients database or a certain know-how; one of the employees stoles this data from the computer, sells it to the competition or creates his own company
- employees which are not forbidden to take home important digital data on a disk or USB key, and who loose the data or damage it - causing the company important losses
- upset employee leaves company knowing the passwords and access codes to company servers or intranet and uses this knowledge to cause damage to the former company
- keeping accounting data and other important business data on computers to which several persons have access and use the computer for other purposes including surfing the web, using social media sites, downloading and installing software, etc.
- companies who do not create specific job requirements and descriptions for personnel using computer inside the business.
A truth often ignored or not known by entrepreneurs: an important business risk when it comes to computer and Internet usage in the company is posed by the misuse (by mistake or on purpose) of the company's information technology infrastructure by the employees.
The first solution for protecting your business should be the legal protection which has two components:
- defining a computer usage policy and general conduct inside your business
- the employees signing that policy that they acknowledge the contents and agree to respect it
- a specific job description for employees using computers in your business - which enumerates the obligations and specific duties and responsibilities of the employee when using the computer
- a non-disclosure agreement - in which the employee agrees to keep the company's confidential data secret and not to disclose or in any other way take data outside the company and that he/she will not use it in event it leaves the job. This document should also define what is understood by company's confidential data.
- internal policy for computer usage - a more general document signed by all employees in which they acknowledge the general conduct they should have when using computers at work, who is allowed access to which computer, if they are allowed to transmit data outside the company, if they are allowed to use social media sites and other communication aside from what is needed for work, etc.
In my experience at least here in Romania, if such documents would exist in every business and if they would be put into force, more than half of the computer related risks for the business would disappear.
If they existed but are not put into force, the company has at least open access to legal action against the employee, these documents defining grounds for bringing to justice the misconduct of an employee.
Romanian laws define computer related crimes such as data theft, illegal access to a computer, damaging computer data, etc., pretty well. All the employees should know these and act accordingly inside the business. The three documents I recommend are meant first as prevention, letting the employee know the conduct he/she must adopt, and second, as grounds for legal action if needed.
Doing business in Romania? My advice is to contact your attorney or a specialist to check the status of the computer usage policy in your company and to help you draft it or adapt it if necessary.