Information Security in small businesses: Where to start?

July 31, 2020

* Rodrigo Dantas

In Brazil, small companies generally do not care about Information Security because they believe they will not be "targets" of cybercriminals, and the investment is not seen as a priority. Reality shows exactly the opposite: a single attack can affect operations catastrophically and may even force the company to close, whether through the loss of its database, the theft of its information or the interruption of its systems, and whether caused by a direct attack or by a hardware failure, for example. What we actually see are corrective rather than preventive actions, that is, actions taken after the company has already suffered an attack.

The importance of Information Security

For continued growth in the midst of competition, it is important to convey a sense of security to employees and customers, regardless of the size of the company. The cost of not investing in Information Security is greater than the cost of investing. According to a National Retail Federation survey, about 90% of intrusions target the systems of small and medium-sized companies. After an attack, besides the extra expenses, these companies also suffer in public relations and lose the trust of partners and customers.

In general, there is resistance to the idea of hiring a company or specialized consultancy in Information Security. As a comparison, organizations often have a contract with an accounting and payroll office, since these firms have the necessary structure, personnel and concern for keeping information secure, which makes them a more effective and economical solution that meets the needs of the business. So why not think the same way about Information Security?

Some tips and best practices

A company has a good Information Security strategy when it establishes processes, implements tools and methods, and has qualified personnel, or hires specialized services from third parties, to act preventively in protecting its data. The following are some tips and best practices for Information Security that can be applied to small companies:

  • Establish an Information Security policy: The Information Security policy establishes rules and expectations covering everything from passwords to customer privacy, from physical protection to data classification. Creating a policy requires a lot of effort to ensure that it fits the organization's business processes and is easy to understand for everyone involved (employees, third parties and service providers, for example);
  • Protect your data and make backups: Back up your data securely and regularly. If you do not have the knowledge or technology to ensure that your data is safe, hire someone or a specialized company to help you;
  • Keep your operating systems and software updated: Constantly update the operating system as well as the software. Most attacks or virus outbreaks occur because of security flaws, small vulnerabilities that hackers and criminals usually exploit. Companies usually fix these vulnerabilities shortly after they are found, so it is very important to keep your systems up to date, preferably automatically. Always use licensed software, because with "pirated" software you may not have access to these updates, leaving your company more vulnerable;
  • Install comprehensive security software: Use software that keeps all your resources protected: servers, desktops, notebooks and other connected devices. Keep your security systems updated and schedule them to update automatically at set times. It is important not to forget to protect mobile devices running Android or iOS against malware. There are also phishing and other threats common on the Internet, so add a layer of security for banking and payment transactions;
  • Define a complex password policy: The Information Security policy should cover the use of complex passwords, as well as password expiration criteria that force users to change their passwords every 90 days;
  • Destroy information that you cannot protect: If you collect third-party information such as credit card data, documents or confidential information, but do not have the means to store it and ensure its security, then do not store it. After processing the information, destroy it;
  • Beware of personal data: When storing employees' personal information, make sure it is secure and control who has access to it. Perform backups securely and, if you have physical copies, store them in a safe place such as a locker with a key. Keep electronic equipment physically secure as well, eliminating the chance that someone, whether an employee, a customer or a random stranger, will steal a notebook or a storage device such as a USB stick or an external hard drive;
  • Outsourcing services: If the company does not have the resources or knowledge to handle these activities in a specialized and secure manner, hire a company or consultancy to ensure that business processes adhere to the objectives of Information Security;
  • Employee awareness: Awareness is essential for everyone's understanding of the elements of Information Security. As with other areas of security, you can hire a company that specializes in employee training. The Information Security policy and practices should be reviewed at least annually.


Enhancing Information Security is paramount to mitigate risks, prevent data leakage, preserve the company's image and ensure the smooth functioning of the business. Given this scenario, it is up to companies to understand that information is one of their most important assets, and they should continually improve their processes and make investments to ensure its confidentiality, integrity and availability.

The purpose of Information Security is directly related to protecting the data of the company, its employees, customers and partners. The information that is generated, whether by a computerized system or not, is as important as the quality of your products and services.

* Rodrigo Dantas is GRC and Information Security Consultant at [SAFEWAY]



SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions through Information Security projects that fully meet business needs. In these years of experience we have accumulated, with great pride, several successful projects that have earned us credibility and prominence among our clients, which largely comprise the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people.


Let's make the world a safer place to live and do business!