10 ways to protect your firm against data theft
A bill of £65,000-£115,000 and the stricken business being put out of action for up to ten days: that’s the average cost to a UK firm of a major security breach according to the government’s Information Security Breaches Survey.
The findings also suggest that small businesses don’t consider themselves an attractive target for thieves. In fact, the opposite is true: hackers know that there are rich pickings to be had from smaller firms, and that, compared to larger organisations, anti-theft measures are more likely to have been overlooked.
Good housekeeping, due diligence linked to tech purchasing decisions and making sure your employees are aware of their responsibilities: these should form the bedrock of your data theft prevention strategy. Breaking this down, here are ten areas to focus on.
1. Use encryption
Working on the assumption that business data theft is a real possibility, one effective way of combatting the problem is to ensure that the data is rendered unreadable and unusable in the event that it falls into the wrong hands.
You should look at encrypting all devices and areas where data is stored, including hard drives, the cloud, your network as well as mobile and portable devices such as smartphones and laptops.
2. Install a firewall
Think of a firewall as a shield against attacks from malicious software designed to gain access to, corrupt or delete your business data. The solution may consist of a dedicated piece of hardware that forms a barrier between your firm’s network users and external networks (i.e. the Internet) – and in fact, your routers may have firewall functions built in already. To augment this, software firewalls on individual computers and other devices should also be considered.
3. Get the experts in
Especially when it comes to encryption and firewalling (above), a slapdash DIY approach to preventing data theft can mean that the cure can result in almost as much damage as the disease. For instance, an incorrectly configured firewall could end up providing next to no additional protection, while hindering access, connectivity and ultimately, productivity.
For sole practitioners and small firms without in-house support, getting external help is crucial. Even if you have an all-purpose IT person on site, don’t automatically assume that they are an expert in network security.
4. Controlling access: operate on a ‘need to know’ basis
Rather than granting blanket access to everything, work on the assumption that employees should have access only to the information they require to perform their jobs.
It’s likely, for instance, that your fee earners and a large proportion of your support staff will require access to all areas of your case management system. But is this the case for everyone? What about temporary assistants drafted in to work on very specific tasks?
Compartmentalising data by department and tiering it according to sensitivity enables you to keep better control over who has access to what.
5. Don’t ignore software updates
We’ve all logged on to our machines and been greeted by an update request, only to click the ‘Remind me later’ button. Whether it’s software, web browsers or operating systems, those seemingly insignificant updates are often designed to address new security vulnerabilities, so keeping up with patch cycles is crucial for safeguarding your data against online threats.
Where team members work remotely across a range of devices, policing this can be tough. This is one of the reasons why cloud-based software can be useful; updates are handled remotely and automatically by the providers, giving your IT team one less thing to worry about.
6. Make security a priority when considering software packages
You’ve sourced an all-singing, all-dancing accounts subscription package that costs a fraction of what you pay at present. Due diligence is a must before signing up.
In which jurisdiction will data be stored? Does the provider offer audited information security, compliant with ISO standards? Does the provider have a verifiable uptime rate? Can you get references from current users?
Going with an untested newcomer could mean that you find yourself on the sharp end of the software’s bedding-in process.
7. Vet temporary staff
You know and trust your staff implicitly. But can the same be said of any contractors and third-party personnel who come on board from time to time? Perform thorough background checks on anyone who will have access to your system. Checking your access logs can also show whether individuals are trying to gain access to places they shouldn’t go.
8. Don’t let mobile be your weakest link
If employees are accessing and temporarily or permanently storing business data on their mobile or portable devices, the big risk comes in the form of unsafe apps with the potential to expose that data.
You may find that the most workable fix for this is to issue company mobiles to your staff and to stipulate which applications can and cannot be installed and used on those devices.
9. Don’t overlook the risk of physical data theft
Not all data thieves operate remotely. A safe shredding policy, lockable filing cabinets, keycode access to server rooms, physical blocks on USB ports where appropriate, on top of your standard premises security: none of this should be overlooked.
10. Make your staff data security-conscious
From taking individual password renewal seriously through to remembering not to send sensitive data across unsecured channels, make it clear that it’s in everyone’s best interests that business data stays safe. Back this up with clear written policies and mandated security practices.
Information security and cybercrime were once again highlighted as a priority risk in the SRA’s 2015/16 risk outlook. Against this backdrop, find out more about how Bluefin Professions offers practical help with risk management and finding the right cyber liability cover.