Are you safe? Are you secure? This article gives you the questions you should be asking your IT department and suppliers.

Twelve Simple Questions

Just as war is too important to be left to the generals, the security of your company's data is too important to leave to your IT department. Your data is your business – it is your most important asset. The board needs to get involved.

Ask big, challenging questions. Expect detailed, believable answers in plain English.

Don't let specialists baffle you with technological jargon. If they can't talk to you in language you understand about business issues that matter to you, then you need a different supplier or IT manager.

1. Is IT security spending aligned with risks to the business?

It's not about how much you spend, but how wisely. You're looking for evidence that IT people are thinking about security from a business perspective. Do the things they're protecting match your perception of what could harm your business? Are they responding to evidence of actual threats rather than to the latest hype or the newest technology? What's the right level of security? How often are the security plans reassessed as the business changes?

2. Who is responsible?

Who are the business stakeholders? How are IT security decisions made and by whom? For each IT solution, it should be clear who is responsible, who will go to jail if it breaches regulations and who will be affected.

3. Have we got the balance right?

100% security is impossible - just ask the MI5 officers who left their laptops in the back of taxis. You need to weigh up and balance data protection, audit requirements, operational risk, legal compliance, IT security and plain old get-the-job-done practicality. Swinging between negligence and Big Brother is worse than plotting the right balance between the two.

4. Are we too reliant on a single line of defence?

Are we relying on a single vendor or system to protect us? Some antivirus companies are quicker than others at detecting and blocking new viruses, so no single product catches everything. A multilayered approach is best. For example, you could run two different antivirus packages, one on your email server and one on individual PCs, so that a virus missed by one engine is still caught by the other. Bear in mind that two antivirus products are still only one kind of defence; patching, firewalls, filtering and limiting what users can install are separate layers, and a good answer will describe several of them.

5. What would happen if my laptop were stolen?

If a criminal has physical access to a computer he can usually access the data on it. You want to hear an answer proving that the data is inaccessible (for example, because the disk is encrypted, or because the data is stored on a central server rather than on the laptop itself, with no copies cached locally). Tip: BIOS passwords, which stop casual attackers starting up a stolen computer, are insufficient protection on their own, because the disk can simply be removed and read in another machine, so don't fall for that one. You also want to make sure that any data that is stored on the laptop is backed up automatically.

6. What are our acceptable use policies?

You might want to get the HR manager into the room at this point. Are your policies legal, realistic and enforceable? Do they cover the basics like use of email, instant messaging, web, company property, installing software etc.? How are they being communicated to staff? How do they compare with other companies in your sector?

7. How do we back up and archive our data?

Ask for a detailed explanation of how backups are done. Are there offsite copies? If so, where are they stored? Are the offsite copies encrypted to restrict access to the data? Pick one of your own files at random and ask them to restore a backed-up copy of it for you; a backup that has never been restored is not known to work. Ask them to produce a list of all the electronic correspondence you've had with a chosen customer in the last six months. What about data on laptops, portable devices, hosted services, email servers, company databases and files stored on people's PCs rather than on company servers? Ask how they would deal with a request under the Data Protection Act.

8. Are we happy with the way we authenticate users?

Many companies still rely on passwords as the only means of proving that users are who they say they are. However, passwords are often the weakest link. You can walk round many companies and see passwords taped to desk drawers, underneath keyboards or written on post-it notes on monitors. There are alternatives, such as smartcards, key fobs that generate one-time passwords, and biometrics, which can be combined with a password so that a written-down or guessed password is not enough on its own. Are you happy with your choice?
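As an added illustration of how the one-time-password key fobs mentioned above work (this is example code written for this page, not code from the article or from any fob vendor): the fob and the server share a secret key, and each code is derived from that key plus a counter or the current time using the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms. The function names `hotp`, `totp` and `verify_totp` are the example's own, and the secret used is the published RFC test vector, not a real key.

```python
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 / RFC 6238 (SHA-1 variant); NOT a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check of a submitted code.

    Accepts +/- `window` time steps of clock drift between fob and server, compares in
    constant time, and refuses any counter at or below `last_counter` so that a code
    captured by an attacker cannot be replayed.  Returns (accepted, new_last_counter).
    """
    counter = unix_time // step
    matched = None
    for delta in range(-window, window + 1):
        candidate_counter = counter + delta
        candidate = hotp(secret, candidate_counter, digits)
        # evaluate every candidate rather than returning early, to avoid timing leaks
        if hmac.compare_digest(candidate, code) and candidate_counter > last_counter:
            matched = candidate_counter
    if matched is None:
        return False, last_counter
    return True, matched


if __name__ == "__main__":
    # First three counter values from the RFC 4226 test table.
    for c in range(3):
        print(c, hotp(RFC_TEST_SECRET, c))
    # RFC 6238 test vector: 8 digits at Unix time 59.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
```

The replay check is the part most home-grown implementations forget: without it, a code shoulder-surfed from the fob's display remains valid for the whole drift window.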

9. How do we check the security credentials of vendors and IT partners?

It is a case of 'buyer beware'. Ask them to prove that they have the skills and experience to set up your systems securely. Check references (and talk to the MD and FD, not the IT people). If you bought £500,000 of factory equipment or property you'd do a lot of due diligence; it's the same with IT infrastructure.

10. Are we getting independent audits, benchmarks and advice?

Don't let your IT department mark their own exam papers. There is a range of consultants and specialists to draw on, such as security specialists or risk management advisors, and even your accountants should be able to help. Get independent advice. Are you spending the right amount of money on IT security? What proportion of your total IT spending goes on security? What benchmarks do you have? How much is the right amount?

11. How good is our security plan?

Does it cover the obvious things: antivirus, antispyware, spam filtering, firewalls, updates, backups, laptop security and so on? Does it describe the different risks facing the business and explain how each is being addressed? Are there procedures in place for disaster recovery and incident response? Are there tools, such as McAfee's Foundstone, that can help?

12. Is there anything we can do to reduce the insider risk?

External threats, like viruses and fires, loom large in people's imagination, but the threat from insiders is often more dangerous: data theft, sabotage, accidental damage, inappropriate use and software piracy, to name a few. Even if there is no malice involved, employees create security risks. For instance, how do you manage the risk of an employee using their own equipment at work or plugging in an unsecured wireless access point? Ask what is being done to address these risks.