Writes and Wrongs of Online Security

Every business has its own policy, says WatchGuard Technologies' Steve Fallin. Putting the code on paper is when things get tricky

A written security policy outlining how technology should -- and should not -- be used is essential for any business, be it large or small, says Seattle-based WatchGuard Technologies' Steve Fallin, who has posted a free guide on his outfit's Web site which entrepreneurs can use to create effective policies. Smart Answers columnist Karen E. Klein recently spoke with Fallin, director of WatchGuard's rapid-response team, about the importance of security policies and how they can be established in-house. Edited excerpts from their conversation follow.

Q: Are there many small companies that don't have security policies?

We like to say that security policies are like noses: Everyone has one. Every company is working under a set of assumptions when it comes to securing technology. Your security policy is there, even if it's as rudimentary as, "Everybody can use their computer to go to the Internet, but not everybody on the Internet can come into our computer system."

That said, we find many small- and medium-sized businesses that haven't written down formal security policies. They probably tell new employees about passwords, use of e-mail, and logging into the company accounts from home, but they may not have anything formalized.

Q: If everyone knows the policy, why does the company need to write it down?

Did you ever play the game Telephone -- where a sentence is whispered from one person to another down a line? It's rare when the original message doesn't get jumbled by the end. Unless it's in writing, everyone will have a slightly different idea about the details of the security policy.

Also, there are more and more issues that should be covered in a policy: What happens when an employee brings in some software and wants to install it on his computer? What about employees getting personal e-mails at work with jokes and pictures or files attached? What about the road warrior who logs into the system from a remote computer that she also uses to download videos?

All these things impact the company's security, but too many business owners don't think about them until after a virus hits the system or the company's data has been breached.

Q: Why is it that companies don't have formal policies?

In our experience, the actual writing and maintenance of the policy gets bogged down because people seem to think it has to be 100% perfect and it has to be extremely complex and comprehensive. When you're trying to make something perfect, you wind up with bureaucratic inefficiencies and pointless wrangling. When that happens, either the policy is never totally agreed upon or it's abandoned altogether.

Q: What approach do you recommend?

We tell clients to take the knowledge they already have about company security, codify it, and then write it down. It doesn't have to be complicated. In fact, simple policies are the best. It also doesn't have to be perfect. We use a quote from Patton on our Web site: "A good plan, violently executed right now, is far better than a perfect plan executed next week."

Once the basics are written down, the company should take a step back, come back in a few weeks, and review it. Have you covered everything you need to? Have you considered all the angles? Some distance should give you time to think about what you may have missed on the first pass and a chance to complete the policy -- for the time being. It should be updated several times a year, or as needed when a question arises that's not covered in the policy.

Q: There are IT consultants who specialize in devising security policies for smaller companies. Are they worthwhile?

Small-business people know they need to have something in place -- their lawyer may have told them, or they may be subcontracting for a larger firm that requires it -- but they're not sure exactly what they need. Even thinking about drafting a new policy is a big, painful, scary thing. So there are entrepreneurs whose reluctance to write a check is less than the pain of thinking about doing this themselves.

There are benefits to hiring a consultant: [You have] someone [who] is completely focused on this task, which keeps it moving forward and takes the major burden off of the business owner. But it's not necessary to outsource the job, and it's often not cost-effective, because you're paying an outsider to learn your business and then articulate something you probably already know. Expect security consultants to charge something similar to what you pay your CPA -- perhaps $150 an hour or more.

Q: What about those who want to do it themselves, in-house? How does your online guide help?

We created our white paper with the idea that [pretty much] anybody...can draft a security policy. Basically, if you can answer questions about your business IT environment -- or if someone on your staff can do that -- you can write your policy. What results doesn't have to be perfect, but it will be ready to use right away, and open to review, input, and revision.

Q: What areas should it cover?

What we recommend is an overall document that describes general principles and fundamentals of company IT security and sets expectations at a high level. The goals are to keep the business safe now and proactively minimize the security risk in the future.

Then you follow up that document with short, specific pages that handle details like Web use, e-mail passwords, and file systems. When you break a large topic into small chunks, it takes a lot of the overwhelming scariness out of it.

Karen E. Klein is a Los Angeles-based writer who covers entrepreneurship and small-business issues.

Edited by Rod Kurtz