5 Tips for Executives for Enhancing Your Company’s Security

DATE: October-2007

Until recently, securing a company’s data and information was a job for the IT specialists who inhabit the server rooms of Fortune 500 companies. But recent changes in federal and state laws, along with more attorneys willing to file lawsuits when companies are seen as careless with customer information, make security a C-level concern. All companies, regardless of size, can suffer the consequences of insufficient security practices.

But what can a CEO or CFO do, other than trust their IT managers or vendors? A lot. Here are 5 simple things for CEOs and CFOs of companies of any size to consider and act upon:

  1. Ask Questions. Ask your IT director or vendor how secure your information is. Good questions to ask include: Who can read my email? Can an IT employee access sensitive emails from the CFO, CEO or other executives without their knowledge? Who has access to the servers? Can an employee view sensitive HR or medical files without leaving an audit trail?
  2. Get Compliant. Does your industry or line of business require or recommend set standards for handling information? HIPAA (for the medical field), Sarbanes-Oxley (for public companies) and PCI (for any company that accepts and processes credit cards) are just a few of the regulations that companies need to be aware of. The truth is, however, that many of these compliance standards, even when not mandated, are good practices to follow. Find out how your company would stand up to a compliance audit by conducting an in-house audit, or hiring a consultant.
  3. Ask “What If…”. Ask your IT director what would happen if a corporate laptop were lost while an employee was traveling. What data would be compromised, and how easy would it be for the thief to read and sell sensitive corporate information?
  4. Think About Information Flowing Out of Your Company. Every day, your employees send out hundreds — if not thousands — of emails. Low-cost thumb drives also make it possible to copy large amounts of data onto a disk the size of a key chain. Laptops often travel outside your company and are regularly left unattended. Ask your security vendor, your IT vendor, or your IT staff what steps your company takes to ensure that sensitive information — marketing plans, customer data, credit card numbers or financial data — is not being accessed, copied or distributed inappropriately.
  5. Make Security a Regular Conversation at the Executive Level. Many executives, especially in smaller companies, would rather not talk about security. But if customer data are compromised, many states now require companies to own up to the compromise and inform their customers and the public. Talk about your security policies before they become a problem.

Having good security policies is an executive-level concern, and with proper thought and management it need not be an expense that only larger companies can afford.

About the Author

Philip de Souza is CEO of Aurora, a leading security compliance and data encryption company based in Southern California. For almost 20 years, Aurora has been providing small and mid-sized clients with the consulting and implementation services they need to secure their corporate information. de Souza is also active in the local business community, serving as a past president of the Torrance Chamber of Commerce, and is the moderator of the CEO Summit, a regular gathering of California-based CEOs.
