Telling the truth about SME life today

How to secure your business’s data from the ground up

Share on facebook
Share on twitter
Share on linkedin
Share on email

Trust is hard to come by in the digital age and following a string of high-profile data breaches for example, the recent unprecedented theft of 38m Adobe users records every organisations security credentials are now firmly in the spotlight.

Regardless of the size and shape of your business, certain parts of your data footprint are likely to be of interest to a criminal. Understanding which assets represent the biggest potential threat is a crucial consideration that should form part of your companys risk analysis.

This analysis can then be used to inform not just how or where the data is stored and who has access to it, but also the necessary internal and customer procedures in the event of a breach.

The consequences of a breach can be severe and far-reaching losing intellectual property may give your competitor the upper-hand, while the loss of customer data erodes trust, leading to both reputational and financial damage.

Broadly speaking there are three types of data that should be covered by your policy, so a good first step is to take a step back and categorise your assets as follows:

  • Data that comes into your business (e.g. work orders, customer information);
  • Data your business creates and stores (e.g. intellectual property, financial records); and
  • Data that is allowed or required to leave your business (e.g. reports to clients)

Once these are defined, youll need to perform a network audit to get a big picture view of the equipment used on your network and the devices that connect to the Internet and/or phone lines.

At this stage it’s important to pay attention to departmental working practices for example is the sales team logging in to the office network from the road to access customer records Once you have a clear picture of where the sensitive data is and who has access to it, you can begin putting rules in place around its use.

A firm IT security policy or plan is vital for any business; dont fall into the trap of thinking yours is too small to warrant it. In many cases it’s now a prerequisite for any companies seeking to do business with large corporates, while lucrative public sector contracts require robust security credentials as a matter of course.

Once established, every point on your policy then needs to have a control associated with it. For example if your policy states that all systems will be protected against malicious code that can steal, damage, or destroy information, your control might be to install approved antivirus software on all systems.

Having drawn up a set of policies and controls that suit your organisation, these need to be communicated to employees. Staff may need to be educated on specific controls and precautions, and doing so properly at the outset and being firm with follow-through reduces the risk of non-compliance later on. 

While it might seem like common sense theres no point in drawing up a policy if it isnt enforced, which means rewarding those that adhere and punishing any non-compliers. Failure to do so will lead to general apathy among employees towards security compliance, which is a damaging mindset to allow in any business.

The goal should be the creation of a security-aware workforce : one where employees are empowered to report risky practices to management and staff training sessions make employees aware of such things as email safety, password usage, safe mobile use and the importance of data protection with an acceptable use policy for all staff.

Mark James is the technical director of ESET UK.

Image source



Share on facebook
Share on twitter
Share on linkedin
Share on email

Related Stories


If you enjoyed this article,
why not join our newsletter?

We promise only quality content, tailored to suit what our readers like to see!