Data security is an important issue for any business, if only to protect your own information. But as soon as you start storing other people’s information – employees, customers, etc. – then it’s time to factor cyber threats into your business strategy. Hopefully, just knowing that a threat is there should be sufficient incentive to want to do something about it. After all, cyber attacks constitute a serious threat to profitability – a survey found the average cost of an attack is in six figures due to loss of customers and potential fines for non-compliance with data protection legislation. What’s more, the same research noted that many firms who are victims of some sort of cyber attack fold within six months.
Taking a look at what precautions others are implementing is always a good way to start developing your own plans. Ernst & Young, the global professional services and auditing firm, produce an annual global information security survey. The latest, “Under Cyber Attack”, outlines the increasingly decisive steps that leading organizations are taking to ward off threats to data security. Below are some key security recommendations to consider.
From the top.
First, there should be some sort of clear commitment from the top, i.e. you as the business owner and leader. Whatever anti-hacking or data protection measures you take, they greatly depend on your employees following through, and if you’re not on board, why should they be? So, while you don’t need to harp on about it constantly, your team should be in no doubt that the boss takes this issue seriously.
Embed data protection in your strategy and working practices.
Know the risks.
When it comes to ways of working, the ideal is that being careful with people’s information is the norm. Your people need to know what the risks are (lost mobile devices, unprotected wi-fi connections, sharing passwords, opening phishing emails, etc.) and – just as important – what to do in the event their suspicions are aroused. Similarly, regular reviews are recommended: just because your sign-on protocols were sound last year doesn’t mean that they can’t be improved 12 months later. Awareness of data security also needs to be shared by any outsourcing providers or freelancers you share data with or who use your systems. Check the level of their security practices when hiring/engaging.
Bear in mind your physical security arrangements.
Whether you have a store or office, or are working from home or with a virtual team, how secure are the premises? Wherever data is stored (including data servers used by any cloud-based software providers), ask yourself: how secure is that location? If you have a server, is the room locked after hours? Is your hardware secured with, for example, rack-mounting or Kensington locks on the laptops? Does everybody know where their smartphone is at all times? If you allow people to use their own mobile devices on a BYOD basis, do you know who has what data downloaded and where?
Monitor the situation.
You may be able to produce or commission reports showing the frequency and type of attempted attacks on your system. What’s going on in the surrounding area – have other local businesses been hit?
Finally, continuous improvement is the key.
The real danger is not the opportunistic person who finds a smartphone that has been left in a coffee shop after a meeting (although they can do damage, of course) but the professional hacker or data thief, whose methods are always evolving and improving – your defenses need to evolve too.