Our technological business world
There’s no escaping it. We live in a technology-based world that has infiltrated all aspects of our lives, including business. And with technology come IT system security concerns, now more than ever. It’s not only large corporations that need to be mindful of their network security. The safety of IT systems is vital for all enterprises, the high street accountancy firm and the local chippy to boot. Irrespective of the size or type of operation, organisations possessing valuable digital assets should understand the consequences of a data breach and have an action plan to counter any network intrusion.
Data must be protected
Any business that collects, accesses and stores sensitive client, customer and employee data has an obligation to safeguard this information. With the impending General Data Protection Regulation (GDPR) in May 2018, data protection is fundamental for any business wishing to remain competitive and survive.
Reflect on this scenario: a couple regularly orders a Friday evening meal from their favourite pizza joint using the Just-Eat app. For ordering convenience, the restaurant stores their name, address, mobile number, home phone and credit card details. That’s a lot of personal information in the hands of a small to medium-size business (SMB). What would be the impact on the couple should the data be compromised? Worse still, what impact would the breach have on the SMB, especially in terms of business reputation and data protection liability?
Your business must be protected
As the owner of an SMB, you should offer your business the same protection that you would provide for your spouse, family or friend. To effectively protect your business and its reputation, you need to develop and implement a robust security plan. Your plan should encompass all aspects of your enterprise, from physical access and theft to, most importantly, your IT infrastructure, which must be adequately protected against hacking, viruses and malware, and other forms of cybercrime aimed at data breach. As your business changes and grows, you’ll need to modify your security plan accordingly.
Devising a security plan for your technology means defining and outlining acceptable uses of your network and business resources to counteract inappropriate access and use. When establishing your plan, you need to consider four key components: network security policy, communications policy, privacy policy and consequences of inappropriate use.
Network security
Your network security policy must clearly define the limits of acceptable use. Your employees need to have a thorough knowledge and understanding of these limits, and the policy must be unambiguously documented.
The policy must clearly state procedures for the use of passwords and other credentials. Passwords must be strong and frequently updated. You could get your IT guys to install password strength checking apps such as my1login so that employees select logins that remain resistant to hacking. For obvious reasons, passwords must never be disclosed or shared.
Your SMB may have joined the ranks of Bring-Your-Own-Device (BYOD). If BYOD is commonplace in your office, you must ensure that all personal devices accessing the network are appropriately configured. Configuration of laptops, tablets and smartphones is easily achieved using a reliable Mobile Device Management (MDM) solution. MDM tools should also govern the installation and use of external software.
Communications
For both legal and security reasons, the use of company email and internet facilities must be stipulated and documented. All data transfers should be monitored, and those involving your clients’ sensitive information should be restricted. Your IT department should specify the requirements for the sharing and transmission of data within and outside the network.
From the outset, ensure that your employees understand the specific guidelines pertaining to the personal use of the internet. A policy for use of social media and instant messaging must be in place and enforced. Your communications policy should also explicitly state if the company reserves the right to monitor all communication sent via the network or any information stored on company-owned devices.
Privacy and the GDPR
In accordance with the current UK Data Protection Act (DPA), you need to guarantee the privacy of company and client data. Restrictions should be set on the distribution of proprietary company information, the copying of data and the length of time for which data is stored.
The GDPR promotes the practice of ‘privacy by design’, an approach that is cognisant of privacy and data protection compliance from the start of any process that is data reliant. Privacy by design is particularly applicable in the context of building new IT systems for storing or accessing personal data, embarking on a data-sharing initiative or using personal data for new purposes.
With the implementation of the GDPR just around the corner, it’s a wise move to ensure that your SMB is compliant with all the regulations for accessing, using and storing personal data. When your enterprise applies privacy by design, you are minimising privacy risks and building trust with stakeholders. Privacy by design is protective and preventative, providing end-to-end data protection, and it shows that your SMB has privacy embedded in its IT architecture and business practices.
Privacy by design means that potential problems related to data protection are identified early on, your employees will have an increased awareness of data protection, and your SMB will be more likely to meet legal obligations and thereby avoid costly breaches of the GDPR.
Inappropriate use
Your well-structured and clearly defined IT security plan should comprehensively cover your network, communications and privacy. On this basis, you can expect your employees to be fully aware of their obligations in terms of data protection and privacy. The consequences of any attempt to distribute viruses, hack systems or engage in any other form of cybercriminal activity should be an integral part of your IT security plan.
Your employees should also be fully aware of your SMB policy on web browsing. You may wish to restrict or in some cases prohibit access to certain websites via your network, even if individuals are using personal devices. For instance, downloading movies or music from peer-to-peer file sharing sites via the BitTorrent protocol is an unacceptable and exploitative use of company internet resources.
Security needn’t be a headache
Don’t despair if you are concerned about the current state of your network security or your data protection compliance. Your local Managed Service Provider (MSP) has the knowledge, experience and expertise to assist you and your in-house IT team in developing and implementing a robust IT security plan. The MSP will conduct an audit of your network, identify vulnerabilities and risk areas, and produce an action plan to remedy security weaknesses. Knowing that your SMB has a resilient and functional network security policy, you and your team can focus on what really matters: long-term productivity and profitability.