IT security – why bother?
The Data Protection Act says that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Breaches of data protection legislation could lead to your business incurring a fine, up to £500,000 in serious cases.
The reputation of your business could also be damaged if inadequate security contributes to high profile incidents of data loss or theft. However, there are measures that you can put in place to prevent security breaches or limit the damage if they do occur.
Assess the risks to your business
Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that data. You should consider all processes involved as you collect, store, use and dispose of personal data. Consider how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there was a security breach. With a clear view of the risks you can begin to choose the security measures that are appropriate for your needs. The next step is to begin putting them in place.
Some organisations do not have adequate levels of protection because they are not correctly using the security they already have, and are not always able to spot when there is a problem. You need to make sure that all your employees are aware of their roles and responsibilities and that they are clear about when action needs to be taken. You should also consider what actions you should put into place should you suffer a data breach.
Take the time to review what personal data you currently have and the means of protection you have in place. Make sure you are compliant with any industry guidance or legal requirements. Document the controls you have in place and identify where you need to make improvements. Once any improvements are in place, continue to monitor the controls and make adjustments where necessary.
Consider the risks for each type of personal data you hold and how you would manage a data breach. This way you can reduce the impact if the worst was to happen.
You should also have an acceptable-use policy and training materials for staff so that they know their data protection responsibilities.
Get a security expert to review your systems. This will highlight where your security vulnerabilities are and how best to address them.
Don’t forget about backups of your data. Backups should be made regularly, kept secure and properly deleted when no longer required.
Take a layered approach to security
There is no single product that will provide a 100% guarantee of security for your business. The key to effective security is to have a layered approach, combining a number of different tools and techniques. If one layer were to fail then others are in place to catch the threat.
Employee awareness and training
Employees at all levels need to be aware of what their roles and responsibilities are. Train your staff to recognise threats such as phishing emails and other malware.
You need to be able to stop breaches happening before they penetrate deep into your network, for example by using a well configured firewall.
Restrict access to your system to users and sources you trust. Each user must have their own username and password; shared accounts make it impossible to tell who did what. Brute-force password guessing is a common method of attack, perhaps even by casual users trying to get on to your Wi-Fi, so you need to enforce strong passwords and limit the number of failed login attempts before an account is temporarily locked. Forcing regular password changes used to be standard advice, but current NCSC guidance advises against routine expiry because it pushes people towards weak, predictable variations; change a password when you suspect it has been compromised. Passwords or other access should be cancelled immediately a staff member leaves the organisation or is absent for long periods.
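The following is an added example, not code from the original guidance, showing how the three controls above fit together in one small login routine: a minimum password standard checked when the account is created, passwords stored as salted scrypt hashes rather than in clear, a lockout after a fixed number of consecutive failures, and a way to remove a leaver's access immediately. The limits (12 characters, 5 attempts, 15-minute lockout) and the short list of common passwords are assumptions chosen for illustration; the clock is injected so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Policy values are illustrative assumptions, not figures from the guidance.
MAX_FAILED_ATTEMPTS = 5          # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60        # how long the account stays locked
MIN_PASSWORD_LENGTH = 12
# Constructed denylist; a real one would be a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_problems(username, password):
    """Return a list of reasons the password is unacceptable (empty if it is fine)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"must be at least {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def hash_password(password, salt=b""):
    """Salted scrypt hash; a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


class Authenticator:
    """One account per user, hashed passwords, lockout on repeated failure."""

    def __init__(self, now=time.time):
        self._now = now          # injected clock so lockout expiry can be tested
        self._users = {}

    def add_user(self, username, password):
        problems = password_problems(username, password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "failed": 0, "locked_until": 0.0}

    def remove_user(self, username):
        """Cancel access immediately, e.g. when a staff member leaves."""
        self._users.pop(username, None)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so unknown and known usernames take similar time.
            hash_password(password, b"\x00" * 16)
            return "denied"
        now = self._now()
        if now < rec["locked_until"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["failed"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery staple!")
    print(auth.login("alice", "wrong guess"))                 # denied
    print(auth.login("alice", "correct horse battery staple!"))  # ok
```

Note that a locked account rejects even the correct password until the lockout expires; that is deliberate, since the point is to slow an attacker down, and it is why the lockout period should be minutes rather than hours so a legitimate user who mistypes is not locked out of their day.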
Equipment containing personal data could be stolen in a break-in. You should ensure that personal data on your systems is protected against these threats. Your servers should be in a separate room with added protection. Back-up devices should not be left unattended and should be locked away when not in use.
You can prevent or limit the severity of data breaches by separating and limiting access between your network components. For example, your web server should be separate from your main file server. This means that if your website was compromised the attacker would not have direct access to your central data store.
A policy will enable you to make sure you address the risks in a consistent manner. Well written policies should integrate well with business processes.
Remove unused software and services from your devices. Older versions of some widespread software have well documented security vulnerabilities. If you don’t use it, then it is much easier to remove it than try to keep it up-to-date. Make sure you have changed any default passwords used by software or hardware, these are well known by attackers.
Always access internet banking by typing the bank's address into your web browser.
Never visit a website from an email link to enter personal details.
If in doubt:
Contact the bank separately on an advertised number
Check your bank's website for safety tips
Check your bank statement thoroughly
Look for a locked padlock symbol in your browser's address bar before entering any details - the beginning of the bank's internet address will change from 'http' to 'https' when a secure connection is made. The padlock only means the connection is encrypted; it does not prove the site is your bank, so also check that the address itself is the bank's own.
Don't leave your computer unattended when logged in to internet banking
Wipe your hard drive before you dispose of an old computer
Always have a disaster recovery plan in place and updated
Secure your IT on the move
You need to ensure that the same level of security is applied to personal data on devices being used away from the office. Many data breaches arise from the theft or loss of a device (e.g. laptop, mobile phone or USB drive) but you should also consider the security surrounding data you might send by email or post. You can take steps to reduce the effects of the theft by ensuring that personal data is either not on the device in the first place or that it has been appropriately secured so that it cannot be accessed.
Encryption is a means of ensuring that data can only be accessed by authorised users. Typically, a password is required to 'unlock' the data. Full disk encryption means that all the data on the computer is encrypted, including temporary files and deleted-but-not-overwritten data. File encryption means that individual files can be encrypted, but copies, previews and temporary files outside the encrypted file remain readable.
Your encryption password should be a mix of upper and lowercase, numbers and special characters (e.g. #, &, !) and be kept a secret. Some software offers password protection to stop people making changes to the data (for example a 'password to modify' on a document) but this does not encrypt the contents and may not stop a thief reading the data.
Make sure you know exactly what protection you are applying to your data. Some mobile devices support a remote disable or wipe facility. This allows you to send a signal to a lost or stolen device to locate it and, if necessary, securely delete all data. Your devices will need to be pre-registered with a service like this, and a wipe only takes effect once the device next connects to a network, so do not rely on it instead of encryption.
Only transfer personal data to mobile devices if you actually need it and remove it when you have finished.
Computer equipment and software needs regular maintenance to keep it running smoothly and to fix any security vulnerabilities. Security software such as antivirus and anti-malware needs regular updates in order to continue to provide adequate protection.
Make sure any security software you have is switched-on and monitoring the files it should be.
Keep your software up-to-date by checking regularly for updates and applying them. Most software can be set to update automatically. If your system is a few years old, you should review the protection you have in place to make sure that it is still adequate.
You should also keep your knowledge of threats up-to-date by reading security bulletins or newsletters from organisations relevant to your business.
You should also let your staff know about possible threats to your organisation. This could include alerting employees to the risks involved in posting information relating to your business activities on social networks or ensuring they know how to recognise phishing emails.
Cyber criminals or malware can attack your systems and go unnoticed for a long time. Many people only find out they have been attacked when it is too late even though the warning signs were there.
Check your security software messages, access control logs and other reporting systems you have in place regularly. Make sure you can check what software or services are running on your network, and keep a record of what should be there so that you can identify anything which should not be. Run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities, and make sure you address any vulnerabilities identified.
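As an added example (not part of the original guidance), the script below shows the "what should be there" check in practice: it parses listening-service lines in the format produced by `ss -tlnp` on Linux and compares them with a recorded baseline of approved port-to-process pairs, reporting services that are unexpected, that have changed owner, or that have silently stopped. The sample output and the baseline are constructed for illustration; in real use you would capture the `ss` output from each server and keep the baseline in version control.

```python
import re

# Matches the process name inside ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')

# Constructed sample in `ss -tlnp` format; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511      0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
LISTEN  0       50       *:445                *:*                users:(("smbd",pid=1301,fd=21))
LISTEN  0       128      0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=2107,fd=3))
LISTEN  0       128      0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2291,fd=3))
"""

# Assumed baseline of approved services: port -> process that should own it.
BASELINE = {22: "sshd", 443: "nginx", 445: "smbd", 3306: "mysqld", 8080: "java"}


def parse_listeners(ss_output):
    """Return {port: process} for every LISTEN line; process is '?' if absent."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header or non-listening socket
        # Local address may be 0.0.0.0:22, [::]:22 or *:445; port follows the last colon.
        port = int(fields[3].rsplit(":", 1)[1])
        match = PROCESS_RE.search(line)
        listeners[port] = match.group(1) if match else "?"
    return listeners


def compare_to_baseline(listeners, baseline):
    """List findings: unexpected ports, changed owners, and approved services not running."""
    findings = []
    for port, proc in sorted(listeners.items()):
        expected = baseline.get(port)
        if expected is None:
            findings.append(f"UNEXPECTED port {port} served by {proc}")
        elif expected != proc:
            findings.append(f"CHANGED port {port}: expected {expected}, found {proc}")
    for port, proc in sorted(baseline.items()):
        if port not in listeners:
            findings.append(f"MISSING port {port} ({proc}) is no longer listening")
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE):
        print(finding)
```

An unexpected listener (here a netcat on port 4444) is the classic sign of something that should not be there, but the other two findings matter as well: a familiar port owned by a different program can mean a service has been replaced, and an approved service that has stopped can mean a backup or security agent is no longer running.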
The Data Protection Act says that personal data should be accurate, up to date and kept for no longer than is necessary. Over time you may have collected large amounts of personal data. Some of this data may be out-of-date and inaccurate or no longer useful.
Decide if you still need the data. If you do, is it stored in the right place? If you have data you need to keep for archive purposes but don't need to access regularly, move it to a more secure location. This will help prevent unauthorised access. If you have data you really no longer need, you should delete it. This should be in line with your data retention and disposal policies. You might need specialist software or assistance to do this securely, as an ordinary delete usually leaves the data recoverable.
Cyber Security for Small Businesses
This guidance explains the threat from cyber attack and shows how you can protect your business. It includes advice on:
- using strong passwords
- updating software
- providing simple staff awareness and training
- managing risk
- using the Cyber Essentials scheme to protect against common online threats
The advice will help you to protect your:
- business information
- cash flow