I primarily work with clients who have legal or ethical requirements to protect their clients' data and privacy. While requirements vary by industry, there is a lot of commonality. Certain industries like law, accounting, financial services and health care must implement policies to protect and secure client data, but it is good practice for all businesses no matter the industry.
Recently, I was asked to evaluate the state of data security for a small law firm. In the process of performing the evaluation I developed seven questions which are useful for small business owners to ask about their own business's data security. These questions are tailored to small businesses of 1 to 50 users which primarily use cloud-based services, and they assume that those cloud-based services meet a minimum level of data security and protection appropriate for such businesses.
- Is all firm work being done on a firm managed computer?
- Do all user workstations have backup software installed?
- Do all user workstations have firm managed anti-virus software?
- Are all work related e-mail communications being done through firm email accounts?
- Are all cloud-based accounts/services using two-factor authentication?
- Is all firm work product being saved on firm managed cloud storage?
- Are all user workstations running the latest appropriate operating system?
If you answer "Yes" to all these questions, then that is great. You have probably done 90% of the things you need to do to protect your business's and your clients' data.
If you answer "No" to any of these questions, then there is a potential hole in your firm's data security. Is this a problem? Maybe. It depends upon the specifics of your business and your industry. For example, you may not use two-factor authentication with every cloud service, but if you do use it with the most critical services (e.g. email), then this might be good enough.
If you answer "I don't know" to any of these questions, then I encourage you to find out.