When I ask business owners what they are doing to keep their business information secure, the vast majority say it is an IT issue and I should talk to their IT team or the company used to maintain their IT systems. But what about dealing with risks from your staff, lack of adequate physical security or keeping your business running if there is a power cut and the office cannot be used? My experience is that many SMEs don’t have an answer to this, or say it is still an IT issue.
Being secure means you have looked at the Confidentiality, Integrity and Availability of all your information. You can tick all the boxes for cyber security, but your business will not be secure if there can be unauthorised physical access or it cannot function if the office is not available.
Coming from an IT background, I know how IT teams work and the pressures they are under to keep everything running and secure. They know what to do so firewalls are locked down and networks, desktops, laptops and mobile devices are secure. But they struggle to cover everything or just look at it from an IT perspective when it comes to securing paper records (which still exist for many companies) and social media accounts, handling confidential waste, looking at physical security, testing business continuity plans, checking data protection compliance and training staff to spot social engineering attacks (where criminals try to trick you into handing over sensitive details such as passwords) .
Here is a high-level five-step guide to making sure your business information is secure
- Make a list of all the information you have; paper, electronic, websites, social media accounts etc.
- Work out the threats to each type of information. This should include unauthorised physical access to the office (even if you work from home), cyber attacks, losing devices on the train, reading sensitive information in public places where others can also see it, power or utility failure and staff leaking confidential information
- Work out the most appropriate way to deal with threats – your security measures. An obvious one is to have server backups; some companies may need more than one backup and to have them encrypted. Other measures include staff training, HR policies and employment contracts
- Decide who ‘owns’ each type of information and is accountable for keeping it secure. Get the owners to work with IT, HR etc. and make sure the correct security measures are in place
- Do regular quick checks to make sure a) the list of information is up-to-date, 2) all realistic threats have been considered and 3) security measures are being followed. An example for the last point is to check if you can restore recently added files from backups.
Security is much more an IT issue. Get in touch today for more details on securing your business information.
t: +44 (0)7941 188462