Do you know what you don’t know?
Information Security
Written by Joe Campana
Monday, 11 May 2009 21:17
Two, three, four. . . counting the number of privacy and security risks as I stand at the reception area of most small businesses. I’ve been praised for pointing out the obvious, before they were obvious—not much of a commendation when it’s expressed that starkly.
Hall of Fame Quarterback Fran Tarkenton (He played for the Bears, right? No, the Vikings), now a legendary entrepreneur and business coach, says, “business people don’t know what they don’t know.”
His truism is particularly appropriate with respect to business identity theft, privacy and information security. These are relatively new business concerns laden with misunderstandings, risks and liabilities. Corporations are just starting to get their arms around the problem, and most Main Street organizations are naive when it comes to privacy and information security.
Business people have come to think of information security as synonymous with computer security and electronic data security. However, it is much broader and includes information on all types of media including paper. Many small businesses still have significant paper security risks that go unchecked because they ARE NOT thinking about sensitive data on paper as “information.”
Although high-tech cyber-criminals target electronic information they can hack into, don’t overlook the low-tech crooks that are walking out the door with information in hand.
Computer vulnerabilities can be significant, as exemplified by a recent data leak audit of a medium-size business. Over 10,000 potential leaks were identified in a two-week audit. Some are noteworthy because they are the obvious ones expected to be found in smaller organizations.
Many violations were the result of breaches in the company’s confidentiality, security and other policies. Many small businesses don’t have policies—a major deficiency and egregious regulatory violation, right off the bat. Others have policies that no one follows.
More than 700 data leaks were noted that involved sensitive information such as Social Security Numbers, intellectual property, financial information of employees, company confidential information and other sensitive information that is protected under regulations. These data were transmitted without regard to confidentiality and without encryption, meaning that they were vulnerable to unauthorized acquisition.
A starting point for addressing issues like these is training employees frequently on privacy and information security. Another is to get buy-in from the top company officials so that technical solutions can be implemented and employees can be trained.
Management responsibility and employee education are two of the most important first steps to privacy and information security best practices. Make the commitment to learn about these new business threats and then start educating employees on the solutions.
Last Updated on Monday, 11 May 2009 21:24