Ten ways to protect your business data
Information Security Consultant David Reynolds provides a 10-step guide to protecting your business data.
Cyber security is as important as locking your front door or keeping your cash in a safe place, so why put it off? With more clients demanding that their suppliers are secure, Information Security (IS) practices are fast becoming a business necessity.
Thankfully, you don’t need to be an IT expert to improve your security. These 10 simple steps can make all the difference.
1. Understand the risks
Here are the basics:
Who could breach my business’ security?
- Your employees (past and present), criminals or competitors looking for a commercial advantage.
What is at risk?
- Your money, equipment, IT services and information, from client lists to prices.
How am I at risk?
- Through direct theft; remote attack; attacks on information held in third-party systems (e.g. your bank account); or by obtaining information through your staff.
Why do I need to take this seriously?
There are four key risk factors for business:
- Legal/compliance – The risk arising from violation or non-compliance with legal or professional requirements.
- Financial – Poor IS management can spill over to risks related to overall financial stability.
- Reputation – Will clients give you their business when they read in the paper that your business was hacked?
- Productivity – Poor processing procedures and controls can result in operational loss and poor customer service.
2. Check that your business is compliant
Does your business need to comply with personal data protection legislation and Payment Card Industry (PCI) requirements? In the UK, the Data Protection Act 1998 (DPA) requires that all businesses handling personpersonal data have information security policies in place. The ICAS Cyber Security Framework (ISF) can help you to meet that obligation.
3. Identify your critical assets
Consider all the financial and information assets that are critical to your business and the IT services you rely on. Understand the risks to all of these by considering how they’re managed and stored, and who has access to them.
4. Focus on people
Make sure that everyone in your business understands their role in keeping your systems safe. Provide staff awareness training as needed, and assess the level of password protection required for staff, customers and third parties to access your systems.
5. Get help as needed
Decide whether you need to make an investment or appoint an accredited security specialist to get the right security controls in place. It’s also important to identify who you will turn to – and what you will do – in the event of an attack.
6. Put up your defences
Malware protection is vital, so install anti-virus solutions on all systems, keep software and web browsers up to date and consider restricting access to some websites to lessen your exposure to malware. Employ firewalls, proxies, access lists and other measures to protect your networks.
7. Make an inventory
Maintain an inventory of all IT equipment and software, and identify a secure standard configuration for all existing and future equipment. Change any default passwords.
8. Manage user privileges
Restrict staff and third party access to your IT equipment, systems and information to the minimum required. For home and mobile working, ensure that sensitive data is encrypted when stored or transmitted online, and restrict the use of removable media to avoid data becoming lost or stolen.
9. Keep a watchful eye
Monitor the use of all equipment and IT systems, collect activity logs, and ensure that you have the capability to identify any unauthorised or malicious activity.
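The following is an added example and not part of David Reynolds' article: a small Python script that reads authentication log lines and flags three kinds of activity step 9 asks you to be able to spot. The log lines, the list of current staff accounts, the failure threshold and the business hours are all constructed for illustration; a real deployment would read the logs your own systems produce.

```python
"""Spot unauthorised or suspicious activity in authentication logs.

Added example, not from the original article. The sample log, the staff
list and the thresholds below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on a syslog-style auth log.
SAMPLE_LOG = """\
2016-01-04T08:55:12 host=fileserver user=alice result=success src=10.0.0.21
2016-01-04T09:01:44 host=fileserver user=bob result=success src=10.0.0.35
2016-01-04T09:03:10 host=fileserver user=admin result=failure src=203.0.113.9
2016-01-04T09:03:12 host=fileserver user=admin result=failure src=203.0.113.9
2016-01-04T09:03:15 host=fileserver user=admin result=failure src=203.0.113.9
2016-01-04T09:03:17 host=fileserver user=admin result=failure src=203.0.113.9
2016-01-04T09:03:19 host=fileserver user=admin result=failure src=203.0.113.9
2016-01-04T23:40:02 host=fileserver user=carol result=success src=10.0.0.50
2016-01-04T12:15:33 host=fileserver user=dave result=success src=10.0.0.77
"""

# Constructed list of current staff accounts; "dave" has left the company,
# so a successful login by that account is unauthorised activity.
CURRENT_STAFF = {"alice", "bob", "carol", "admin"}

# Constructed thresholds: how many failures from one source against one
# account count as suspicious, and which hours count as normal working time.
FAILURE_THRESHOLD = 5
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_alerts(events, staff=CURRENT_STAFF):
    """Return (kind, user, src) tuples for activity worth investigating."""
    alerts = []
    failures = defaultdict(int)  # (src, user) -> number of failed logins
    for e in events:
        if e["result"] == "failure":
            failures[(e["src"], e["user"])] += 1
        elif e["result"] == "success":
            # Successful login by an account that is not current staff.
            if e["user"] not in staff:
                alerts.append(("unknown-account", e["user"], e["src"]))
            # Successful login outside normal working hours.
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("out-of-hours-login", e["user"], e["src"]))
    # Repeated failures against one account from one source.
    for (src, user), count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(("repeated-failures", user, src))
    return alerts


if __name__ == "__main__":
    for kind, user, src in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{kind}: user={user} src={src}")
```

Run against the constructed log this reports an out-of-hours login by carol, a login by the departed account dave, and five failed attempts against admin from one external address. The "unknown-account" check only works if the staff list is kept current, which is the user access review step 10 asks for.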
10. Review, review, review
Now that you have a system in place, it’s crucial to keep it up to date. That means testing, monitoring and improving your security controls on a regular basis, removing any equipment you no longer need, reviewing user access, and responding to threats or attacks by addressing any gaps in your security.
David added: “In Q2 of 2015/16 alone, the UK Information Commissioner’s Office dealt with 559 data security incidents – a 43 per cent increase on the previous quarter. Cyber crime has happened to Microsoft, to TalkTalk and to Vodafone, so don’t think it won’t happen to you. Start the new year by protecting your business, and your clients.”
David Reynolds is an independent information security consultant.