Trust is hard to come by in the digital age, and following a string of high-profile data breaches – for example, the recent unprecedented theft of 38m Adobe users’ records – every organisation’s security credentials are now firmly in the spotlight.
Regardless of the size and shape of your business, certain parts of your data footprint are likely to be of interest to a criminal. Understanding which assets represent the biggest potential threat is a crucial consideration that should form part of your company’s risk analysis.
This analysis can then be used to inform not just how or where the data is stored and who has access to it, but also the necessary internal and customer procedures in the event of a breach.
The consequences of a breach can be severe and far-reaching – losing intellectual property may give your competitor the upper hand, while the loss of customer data erodes trust, leading to both reputational and financial damage.
Broadly speaking there are three types of data that should be covered by your policy, so a good first step is to take a step back and categorise your assets as follows:
- Data that comes into your business (e.g. work orders, customer information);
- Data your business creates and stores (e.g. intellectual property, financial records); and
- Data that is allowed or required to leave your business (e.g. reports to clients)
Once these are defined, you’ll need to perform a network audit to get a ‘big picture’ view of the equipment used on your network and the devices that connect to the Internet and/or phone lines.
At this stage it’s important to pay attention to departmental working practices – for example, is the sales team logging in to the office network from the road to access customer records? Once you have a clear picture of where the sensitive data is and who has access to it, you can begin putting rules in place around its use.
A firm IT security policy or plan is vital for any business; don’t fall into the trap of thinking yours is too small to warrant it. In many cases it’s now a prerequisite for any company seeking to do business with large corporates, while lucrative public sector contracts require robust security credentials as a matter of course.
Once established, every point in your policy then needs to have a control associated with it. For example, if your policy states that all systems will be protected against malicious code that can steal, damage, or destroy information, your control might be to install approved antivirus software on all systems.
Having drawn up a set of policies and controls that suit your organisation, these need to be communicated to employees. Staff may need to be educated on specific controls and precautions, and doing so properly at the outset – and being firm with follow-through – reduces the risk of non-compliance later on.
While it might seem like common sense, there’s no point in drawing up a policy if it isn’t enforced, which means rewarding those who adhere to it and punishing any non-compliers. Failure to do so will lead to general apathy among employees towards security compliance, which is a damaging mindset to allow in any business.
The goal should be the creation of a “security-aware workforce”: one where employees are empowered to report risky practices to management, and where staff training sessions make employees aware of such things as email safety, password usage, safe mobile use and the importance of data protection, backed by an acceptable use policy for all staff.
Mark James is the technical director of ESET UK.