The Small Business Guide to Information Security in 2022

July, 27 2022

The Small Business Guide to Information Security in 2022

When businesses begin to scale, their data naturally scales with it. And a natural byproduct of large amounts of data is the fear that your business’s sensitive information will somehow get into the hands of someone malicious.

While no one’s going to steal your business data with destruction in mind (in fact, the motive behind most security breaches isn’t to damage your reputation, but to steal your money), what they may steal is your private information or financial data, such as your login credentials, physical address and credit card numbers, and so forth.

This, among many other reasons we’ll cover in this guide today, is why emphasizing Information Security in your business’s cybersecurity policies and security systems is vital to succeeding in today’s digital landscape.

But First: What is Information Security (InfoSec)?

Information Security, or InfoSec, is all the information systems and information technology that a business uses to protect their business data from unauthorized access.

Information, in this context, is intellectual property (IP), login credentials, personal identification information, and any other data that could be used to access personally incriminating/sensitive accounts or critical information.

How is Information Security Different From Cybersecurity?

To put it simply, information security isn’t different from cybersecurity; InfoSec is one of many components of cybersecurity.

Cybersecurity covers all digital data integrity threats, storage security, and device protection protocols. More holistically, it protects individuals and businesses from online threats.

InfoSec, on the other hand, covers specifically where both digital and analog information is vulnerable while being transferred and stored. InfoSec could be considered one pathway of protection in the forest of cybersecurity while also maintaining awareness of the physical security a brick and mortar business will have.

A woman sitting at a cafe counter with a latte and a laptop prominently showing a connected VPN on it.

What Kinds of Security Does InfoSec Cover?

InfoSec differs from cybersecurity because it covers the security of digital and analog data, but what does that mean exactly?

Realistically, organizations are surrounded by potential threats of security incidents — including but not limited to phone scams, email phishing, social media scammers, malware or viruses, hackers, and more. InfoSec covers all of this data, information, and more.

Application security

Application security is any basic security measure on a phone or computer app that prevents data or code from being stolen externally. Businesses can easily maintain application security using Virtual Private Networks (VPNs), built-in firewalls like Gmail’s automatic spam filter, and two-factor authentication (2FA).

Cloud security

The cloud offers many more benefits than downfalls, in our opinion, but one of its major disadvantages is the security risk it poses. Fully public cloud storage is inherently insecure, yet fully private cloud storage is still rather expensive — even with professional guidance.

There are hybrid cloud options, but ultimately, cloud security comes down to one basic principle: Zero Trust. Essentially, Zero Trust is a set of computer security techniques that automatically assumes no one is trusted into your network until proven otherwise with trusted service providers.


Cryptography is the act of encrypting messages or data so third-party vendors, including Google and your internet service providers, can’t “read” the messages. (Data isn’t “read” so much as crawled.)

Cryptography is “one of the most important tools) for building secure systems,” as it is active in continuously common security defenses like two-factor authentication.

Infrastructure security

Infrastructure security is the birds’ eye view of organizational security; it focuses on four different levels of infrastructure: physical (like buildings and generators), network (like cloud and firewall management), application (covered above), and data security (which focuses on storage more than anything else).

Infrastructure security is the ultimate target in an IT Disaster Recovery Plan, which covers all levels of your organization’s data and security, who “owns” the maintenance of that level of security threats, and what effective security policy is prioritized in an emergency.

Incident response

An incident response is the documented and agreed-upon process for maintaining security while in any kind of emergency, including natural disasters and cyberattacks. As part of information risk management, IT Disaster Recovery Plans are essentially a formal set of incident response plans based on the most-likely preconceived technology-related threats to your applications and data center.

Vulnerability management

While an incident response is extremely important for any company, preventing those incidents in the first place is arguably more important. Vulnerability management is the process of identifying, evaluating, and ultimately eliminating issues at any level of security in your business. At the core of any security-savvy company is a team of people dedicated to the protection of a system.

What are the 3 Principles of Information Security?

“The CIA Triad”, an acronym for confidentiality, integrity, and availability, is the current gold standard operating system for cybersecurity values and principles today. And just like the basic tenets of information security intersect with cybersecurity, so do its values.

The CIA Triad of cybersecurity, or confidentiality, integrity, and availability.


You might think that confidentiality simply means protecting disclosure of your IP behind NDAs or encrypting your data from others, but it’s a bit more personalized than that. Confidentiality, at least in InfoSec, refers to maintaining airtight boundaries on authorization to data.


And with your confidentiality covering your internal data, integrity turns your watchful eye to external sources of data tampering.

The two points your data is most likely to experience disruption are during uploads. Whether that’s uploading to transfer a file via email or to store a document in a digital folder, these endpoints are extremely vulnerable to hacking.


Even with airtight boundaries on data authorization, those authorized to access your data should be able to as quickly as possible. Obviously, the availability of data will vary person-to-person. Some members of your team will need broad access; your Chief Information Security Officer, for example, should be able to look at the appropriate security controls from a bird’s eye view.

The purpose of the confidentiality principle isn’t to inhibit movement within the company; it maintains a watchful eye on who has access to your software systems. And with flexible availability of information, all necessary parties get access to only the data they need — no more, no less.

Benefits of InfoSec

Focusing on InfoSec shows respect for both your users (your customers, employees, stakeholders, etc.) personal information and data privacy while maintaining a deeper understanding of how data is moving in and out of your company.

Simply put, InfoSec is another way to approach business analytics. And the more you know about your business activity, the better. More specifically, the benefits of implementing InfoSec include:

Improving operations

No matter what industry you’re in, you have a duty to maintain safe use of customer data whenever they interact with your business — either in-person or online.

Social media accounts and popular payment platforms do most of the heavy-lifting for small businesses, but once your company starts scaling to enterprise levels, you have more data — and therefore more responsibility — on your hands.

Managed Services Providers (MSPs) can help you and your IT team maintain this load, as data recovery and maintenance is an ongoing preventative set of practices in addition to the usual corrective security solutions.

Safer working options

When your operations innately focus on maintaining safe and secure data centers, different things start to open up for your company. Remote working challenges, as well as the development of a huge number of technological platforms over 2020, have skyrocketed concern for safer data management.

Alongside these trends, new policies like “Bring Your Own Device” (BYOD) have become popular among enterprises. These kinds of flexible options can have huge morale boosts, but they are also a primary threat for unauthorized individuals to access (not to mention physical theft, too!).

Safe working options with InfoSec implemented means developing training protocols and policies that specify which staff members or outside contractors have access to which data, why, and for how long. It also covers BYO policies, regulations of the places employees can access work data, and consequences of security incidents, should they occur.

The basics are easy to implement

Many aspects of InfoSec are easy to implement simply because they’re well-known best practices. Small decisions like password-protecting forms or installing malware protection on your devices can fall through the cracks, though, so outlining a broad topic incident response plan is essential for consistent InfoSec implementation.

Disadvantages of InfoSec

We could sit here and write a list a mile long of all the disadvantages of InfoSec, and it’d still be a necessity in your business; understanding the basic components of information security can mitigate the complexity on your end (or your employees’ ends), but the need is still there.

That said, when thinking about your technological development in general, thinking long-term is the most realistic strategy — for the disadvantages mentioned below.

InfoSec Strategies are Always Changing

There aren’t many creatures on earth faster than a hacker; it seems every moment a new technology is released, someone’s already found a way to hack into it. (This is why BMW faced a major hacking crisis.)

And because technology is constantly updating and patches are getting released, your InfoSec strategy must adapt just as much, too (or else you’ll end up with configuration drift). We’d go so far as to say flexibility and adaptation are critical capabilities of competitive companies today.

Implementing InfoSec Requires Resources

On top of constantly changing strategies, implementing these strategies will require continued maintenance and, therefore, resources.

There are plenty of options when it comes to taking care of your InfoSec, the choice ultimately comes down to what cost your budget can bear and how much help you actually need from professionals. (There’s a big difference between endpoint security on a single router and POS system within a café and maintaining air-tight data encryption across multiple locations.)

An overhead view of a small business counter, including a cup of hairbrushes, a tablet point-of-sale system, and a customer paying with her phone.

Why Do Businesses Struggle With InfoSec?

If businesses struggle with anything when it comes to software systems, it isn’t the tech itself. Businesses owners struggle with applying change management effectively, not understanding why they need to adopt new technologies.

Specifically, we find businesses in Alaska struggling with:

Securing remote devices

If one thing became abundantly clear to employers during 2020, it was that securing all devices for remote work was a time-intensive and complicated process. But what these same companies are also realizing is, despite that, remote work is still 10x cheaper than running an office.

How to ensure your remote devices are secure

Secure devices are really just secure people using their devices in smart ways.

There are software and services to help make this thoughtless, like firewall protection and a company-use VPN, for example, but you don’t need an IT certification to understand that even small mistakes are fireable offenses when it comes to maintaining the privacy of critical data. Adopting Zero Trust attitudes across the board like suspicious email activity reports and updating passwords regularly all require employee buy-in work.

Training employees in information security

While it may be obvious to you not to click that link in an email from a domain we don’t know, that doesn’t mean your 52-year-old administrative assistant Cindy knows. Or worse, it doesn’t mean that one of your C-suite executives doesn’t know.

Training for information security policy means sharing knowledge and skillsets, such as understanding how cyber security works and then teaching how to identify cyber threats.

How to train employees in InfoSec

When it comes down to it, InfoSec looks different for every business, just like every business’s organizational functions are different. The common ground with InfoSec, however, is that protecting your employees is protecting your business’s information, so broad coverage InfoSec training is in all growing businesses’ best interest.

“Broad coverage” in this case means all of the basics covered in this blog post, as well as a questions and comments element of the information security program to address your business’s specifics, such as who to reach out to when your employee notices a vulnerability.

Lack of information security talent

InfoSec as a whole didn’t really become a popular field until the 2010s. Traditionally, InfoSec has been synonymous with Cybersecurity — but the set of duties for an information security professional varies much less when compared to. the duties of an IT Administrator, for example.

It’s these kinds of misunderstandings lead to knowledge gaps between leadership and technical teams, meaning that when businesses don’t “get” InfoSec, talented InfoSec Analysts go unrecognized busting their butts to put out preventable fires.

How to hire for InfoSec

A great Information Security Analyst will know where the intersection of business and data meet. Beyond data analysts or business development analysts, InfoSec Analysts aren’t interested in using data to grow revenue. Rather, an Information Security Analysts’ main goal is to use data to continue protecting your company’s data.

A few points to look for in interviews are:

  • Strong technical knowledge of network systems and data analysis; make sure these are specific to your industry or unique tech stack.
  • Proven business leadership skills beyond just people management; great InfoSec Analysts know how to handle emergencies without launching broken patches.
  • They’re a Certified Information Systems Security Professional — look for an ISO/IEC 27001 or any ISC certificate.
  • Excellent communicative skills; this plays into business leadership skills, but is specific to convoluted technological fields.

Lack of leadership support

Without top-down support, all InfoSec goals might as well go down the drain. Onboarding InfoSec from scratch isn’t just a software update or process change; it’s a full-blown culture shift that will affect the order and procedures of every employee (not just the techy ones).

How to get leadership buy-in for InfoSec

If you’re a tech leader looking to convince your boss that improved tech is worth investing in, then we’ve got tough news: Your boss probably won’t be interested in InfoSec.

However, if your leadership has a history of adopting new ideas, then here are a few points you might want to bring up when discussing InfoSec:

  • Chances are you’ve already implemented InfoSec in some areas, like using a password manager, 2FA, or cloud storage software like Dropbox or OneDrive.
  • Adopting InfoSec is a perfect first step to becoming more intentional with cybersecurity and your internal data overall.
  • You don’t need expensive software or consultants to implement InfoSec, you just need to help your team understand the importance of your updated processes.

Data protection laws are complicated

Ever since the EU launched the 2016 General Data Protection Regulation (GDPR), data privacy has been on the general public’s mind. The comprehensive regulation of data privacy and protection spurred conversations about social media, data tracking, and even AI.

Data protection regulations in the US, however, are a bit less known by the public. A few common federal laws we all come into contact with are:

  • Payment Card Industry Data Security Standard (PCI DSS) — all businesses handling credit card data must abide by strict data management laws, which is why many small businesses opt to use POS systems like Square.
  • Health Insurance Portability and Accountability Act (HIPAA) — if you’ve ever wondered where doctor-patient confidentiality comes from, it’s regulating laws like HIPAA requiring anyone who manages your medical information (this includes insurance companies) to maintain high security.
  • Gramm Leach Bliley Act (GLBA) — also known as the Financial Services Modernization Act of 1999, the GLBA is the law requiring all consumer financial institutions to abide by information assurance, i.e. to disclose exactly where your information is being sent and why.
  • Federal Information Processing Standards (FIPS) — any federal contractors that deal with sensitive messaging must understand advanced encryption standards; this regulation outlines how to do so compliantly.

Top InfoSec Threats for Small Businesses in Alaska

Not all security controls are made equal. What you might be at risk for as a construction company in Alaska will look a lot different than what your café on the coast of Florida is at risk for. However, there are some threats we’re all at risk for.

Here are just a few:

Unsecure or Poorly Secured Systems

Emails are one of the most vulnerable software we use daily — second only to public WiFi, POS systems, and mobile devices used for business and work purposes (either separately or simultaneously). The theft of private information is everywhere, and the opportunity could strike at any moment.

Maintaining security for your organization’s customers means having a plan now. If you don’t, it might be time to contact your local IT service provider.

Social Media Attacks

These days, most of us are smart about who we trust in our social media messages. Unfortunately, however, there was still $770 million lost in 2021 alone to data loss attributed to social media scams. The most popular scams aren’t someone asking for your bank account details, though; it’s KeyLoggers, or malware that tracks and records all of your inputs and keys entered.

Social Engineering

Social engineering is a comprehensive approach to guessing passwords. Basically, hackers can buy or simply find your most sensitive personal data online and use that to brute force common passwords for online logins.

Malware on Endpoints

Endpoints are any device receiving data; they’re the “end” of the data highway. Endpoints are also at the heart of every modern cyber attack, because getting access to a single unsecured device is much easier than trying to hack into super-secure servers.

Lack of Encryption

Not everyone has access to quick security measures like digital signatures or cloud services, which is exactly why you should adopt it. Luckily, software you may already use like Microsft’s OneDrive already emphasize encryption and secure data storage to maintain your productivity.

Security Misconfiguration

If vulnerabilities are the gateway to all your data, then misconfigurations are any location you didn’t have a guard stationed.

These are the spots attackers will find — places like your passwords, firewall, and data storage. The only way to secure them is to find them first, which can be taken care of by trusted MSPs or your in-house IT team.

Seven people, all with laptops, sitting around a table having a meeting.

Putting This Information to Work

As we near the end of this Small Business Guide to Information Security, it’s time we turn the mirror on you to actually start applying this depth of knowledge shared today. Because, ultimately, all of this information is useless unless you put it to work.

This is where your information security policies, management system, and greater overall IT Disaster Recovery Plan come into play.

Don’t get us wrong: Creating an IT Disaster Recovery Plan is no simple feat. That’s why we outlined an entire step-by-step process to creating one here.

To keep things simple, let’s wrap things up with a quick plan of action.

Implementing InfoSec in 2022

Getting started with InfoSec in 2022 might feel like you’re lagging behind, but you may be surprised to find out you’re further along than you thought. Don’t discourage yourself until the risk assessments are done.

Here’s how we recommend any of our clients get started:

1. Understand your InfoSec problems

Remember: InfoSec will not solve all of your security problems. InfoSec is not cybersecurity and it certainly isn’t a replacement for human security in a live setting.

Some examples of InfoSec problems are:

  • Employees falling for email phishing
  • Clients inputting their data wrong (human error)
  • Not implementing Zero Trust when remote working

2. Create an action plan

With your vulnerabilities identified, you can begin taking action on them.

Getting your organization’s data all back under your control is of the utmost importance from here on out. A great starting place for any action plan is simply letting employees know what to expect, who to talk to about the plan, and when changes will be made.

3. Install your free tech stack

Plenty of InfoSec software these days are free to download and use on a personal basis. To test your new tech stack before suggesting them to your business, use the free, personal versions first. If you use them and know your team will use them too, add them to your new company tech stack.

4. Install your paid tech stack

Using your action plan as an outline, plan out some research time for all the paid software options available to tackle the rest of your InfoSec problems. (This may not cover employee training, but more on that next.)

Subject Matter Experts (SMEs) will be your best resource here, as every company is going to have testimonials, demos available, and sales reps ready to sell you the software. We suggest reaching out to forum sites like Stack Overflow or even Reddit to get a better idea of how other professionals truly feel about your options.

5. Implement alongside an SME

Whether you decide you need to hire an Information Security Analyst or not, implementing your new InfoSec policies and overarching philosophy is a convoluted, time-consuming process. For this reason, we recommend implementing InfoSec alongside a third-party SME, such as an MSP or IT consultant.

Having a third-party resource for your team to rely on not only relieves you and your IT leads of managing the change, it also means you don’t add anything additional to your workload moving forward. Implementing InfoSec is a continuous process, after all, not a “one and done” tech project. Don’t make it another job duty.

Information Security with Ampersand

By now, you know all the basics of information security.

With this guide alone, you could easily begin the process of developing your new InfoSec policies and make a case for their importance to your company’s leadership. You could start identifying potential risks in your industry, listing your company’s current vulnerabilities based on the data you can reach, and even start finding solutions to these problems.

Or you could make it easy by scheduling an expectation-free call with us.