Our modern ways of working pose a considerable threat to the data security of our businesses, but many employers are sticking their heads in the sand. John Dryden, chief technology officer at IT Lab, looks at some of the ways that companies can protect themselves.
It wasn’t long ago that companies kept all their sensitive information on local servers at their office. The computers used to access this data were likewise static and located on-site.
Yes, the company’s network could be attacked by hackers via email or the internet, but the simple fact that both the key data and the means of accessing it were physically on-site meant that keeping them secure was relatively straightforward and easy to manage.
Today, with the rapid acceleration in internet and mobile technology, the devices that can access this sensitive information have become far more diverse and portable. What began with laptops provided and controlled by the organisation has evolved as staff have acquired ever more powerful portable technology of their own. Employees can now use their personal smartphones and tablets to connect to their company’s key systems from anywhere with an internet connection.
But as information becomes more easily accessible from outside the firm’s four walls, the risk of it falling into the wrong hands has also increased. Portable devices are also losable devices!
The remote access that they enable represents a fundamental and positive shift in the way staff work, but it also represents an increased security threat. Portable devices can pose a double security risk, either through being hacked via an insecure network or, at a more basic level, by being lost or stolen. Both scenarios can expose the company to cybercrime.
Unfortunately, far too many businesses still have inadequate systems in place to prevent their sensitive information falling into the wrong hands. These lax controls can make them an easy target for hackers.
So what can a company do to protect its sensitive data? In our experience, the primary IT risk for a typical business isn’t the technology itself (although this can clearly be vulnerable), but the behaviour of the people using it.
What’s more important than ever these days is that staff are made aware of their responsibilities, and are educated about technology use. Good training really is key. There should be no excuse for people to claim ignorance about technology use.
Every employer should have an IT Security Policy, which is continually reviewed and amended – and which has disciplinary consequences for those who fail to abide by it.
The rules need to be understood – from day one – by everyone who is granted access to systems. Giving someone an IT induction six months after they join (if at all) simply won’t do anymore. And the person given overall responsibility for IT Security should report directly to the board. Their input should both be fed into the company strategy, and built into its business procedures.
Here are some basic security rules that every business should follow:
1) Never share passwords, even with close colleagues.
2) Change passwords often, maybe even once a month.
3) When staff leave, disable their accounts immediately.
4) Apply security controls to all portable devices.
5) Never pass sensitive information across public systems unless that information is encrypted.
6) Be very wary of using public Wi-Fi when connecting to sensitive systems.
7) Make sure that all your technology and devices have the latest malware protection.
8) Employ independent third parties to regularly test your security measures.
Protection and prosecution
It’s worth noting that the Data Protection Act places clear responsibilities on organisations that hold information on individuals. Your cherished database of client names and contact details is likely to fall under the provisions of the Act – especially if you take payments through bank or credit cards.
As your sensitive information becomes more widely accessible, the risk of breaching these regulations increases. You could even be prosecuted if you do not take adequate steps to protect it.
While the risk of prosecution usually concentrates a business owner’s mind, the need to protect their company from cybercrime, or the loss of sensitive or valuable data, is no less imperative.
By following some basic security measures the chances of your company being hacked or exposed in some way will be greatly reduced. Implementing a rigorous IT security regime need not cost much – the single most important thing is to get your staff to follow best practice.
But as both deterrent and insurance policy, any outlay on good IT security is likely to be more than made up for by the losses it will prevent.