How serious is your company about data protection?
It seems like every other day we wake up to the news that yet another company has had a data breach exposing thousands or even millions of records containing highly sensitive personal and financial information. We've all heard the stories, but what have you done to try to ensure your company is safe from attack?

Sensitive information

Mike Wills of CSS said: "We live in a digital age where online sharing and use of sensitive information has become a daily necessity.

"But we must remember it is our duty to ensure that this information stays safe and is only accessed by those authorised to do so. Failure to do so under the new GDPR regulations exposes you to the risk of a maximum penalty of €20 million or 4% of your annual turnover – plus massive loss of trust from your customers and damage to your business's reputation.

At risk

"Make no mistake, SMEs (small and medium sized companies) are just as much at risk as the international giants.

"But there are a series of steps any business should take to prevent data protection mistakes."

Be aware of where you're going wrong

Analyse your business and look for weak spots. You can only come up with a solution when you know what the problem is. Understand just how serious a data breach can be for your company and then take steps to protect it, always remembering that it is an ongoing and developing threat which needs constant monitoring.

Beware of taking the wrong approach

Think things through. If you approach your data protection with a view to being compliant under GDPR using as little effort and as few resources as possible, you are likely to leave loopholes in the system which make you vulnerable to a more serious attack.

Train your staff

Your staff are your biggest resource and your biggest weakness at the same time. They are the people who will be on the front line facing any cyber-attack, but they need to be armed with the right weapons to fight one off.
Just one uneducated, unsafe click could let the evil genie out of the bottle and expose your whole network to risk. Institute a security training programme so you can be sure they are all aware of the dangers and possible repercussions.

Back up your data regularly

Ransomware is one of the fastest growing threats out there and can be disastrous if it catches you unprepared, locking you out of your own system and bringing your business to a grinding halt. A savvy company backs up its data on a regular basis, considers storing it in a safe off-site location, and has a disaster management plan in place.

Underfunding security is a dangerous gamble

Data protection can be an expensive business, and in today's business climate, where you need to look for economies across your business, it is an easy target for saving money. But what happens if a hacker breaks through and compromises your data? How expensive could that be? Data breaches can affect your business reputation, but they can also lead to lawsuits and loss of clients worried about the future safety of their data.

Beware of the danger lurking within

Don't focus all of your attention on exterior threats. What would happen if you had a malicious insider prepared to steal and misuse valuable information in your care? Sensible firms set up at least a minimal background check, a smart access policy and user activity logging.

Invest in up to date software

Be flexible in updating software. Most companies like to use the programmes they are comfortable with, but using outdated software could leave you more vulnerable to a cyber-attack.

Don't grant unchecked user privileges

Many SMEs don't use a system of user privileges, which effectively grants everyone access to the most sensitive data if they know where to look for it. Assigning a set of privileges to a user restricts the scope of their access and blocks the route to anything they are not entitled to see.
New users should be granted minimum privileges, which should only be increased as and when necessary.

Password protection is a must

A sensible data protection strategy incorporates a robust password policy. Weak or default passwords should be avoided at all costs, and a single password should not be shared by multiple staff members. Password management should require that each member of staff change their password on a regular basis to prevent it becoming compromised.

Terminating staff should mean terminating their account too

If a member of staff leaves the company, under either good or bad circumstances, you should have a policy in place where their account privileges and passwords are terminated with them. If a member of staff leaves on bad terms, it would be all too easy for them to use their access for malicious purposes.

Said Mike Wills: "Data protection is vital and companies should constantly monitor their strategy, bearing in mind that saving a few pennies now could lead to them losing many thousands of pounds later if the hackers strike."
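The three access-control points above (start new users with minimum privileges, log user activity so insider misuse is visible, and revoke everything when someone leaves) can be expressed in a few lines of code. The following is an added example written for this page, not code from the article or from CSS; the roles, permission strings and user names are constructed sample data, and the role-to-permission map is a hypothetical one chosen only to illustrate the idea.

```python
"""
Added example (not from the article): a minimal least-privilege access model.
New accounts get only the "basic" role, elevation is explicit, every decision
is logged, and offboarding disables the account and strips all roles.
All names, roles and resources are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical permission sets per role; "basic" is the minimum for a new starter.
ROLE_PERMISSIONS = {
    "basic": {"read:own_files"},
    "finance": {"read:own_files", "read:payroll"},
    "admin": {"read:own_files", "read:payroll", "write:payroll", "manage:users"},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=lambda: {"basic"})
    active: bool = True


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, action, resource, allowed):
        # User activity logging: record every decision, allowed or denied.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "allowed": allowed,
        })

    def create_user(self, username):
        """New users start with the minimal 'basic' role only."""
        self.accounts[username] = Account(username)

    def grant_role(self, username, role):
        """Privileges are increased explicitly, and only to a known role."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.accounts[username].roles.add(role)

    def terminate(self, username):
        """Leaver offboarding: disable the account and strip every role."""
        acct = self.accounts[username]
        acct.active = False
        acct.roles.clear()

    def is_allowed(self, username, action, resource):
        """Default deny: unknown, disabled or under-privileged users get False."""
        acct = self.accounts.get(username)
        allowed = False
        if acct is not None and acct.active:
            needed = f"{action}:{resource}"
            allowed = any(needed in ROLE_PERMISSIONS[r] for r in acct.roles)
        self._log(username, action, resource, allowed)
        return allowed


def demo():
    """Walk one constructed user through joining, elevation and leaving."""
    ac = AccessControl()
    ac.create_user("alice")
    before = ac.is_allowed("alice", "read", "payroll")   # denied: basic role only
    ac.grant_role("alice", "finance")
    after = ac.is_allowed("alice", "read", "payroll")    # allowed after elevation
    write = ac.is_allowed("alice", "write", "payroll")   # denied: finance cannot write
    ac.terminate("alice")
    gone = ac.is_allowed("alice", "read", "payroll")     # denied: account terminated
    denied = [e for e in ac.audit_log if not e["allowed"]]
    return before, after, write, gone, len(denied)


if __name__ == "__main__":
    print(demo())
```

The point of the default-deny check is that forgetting to grant a role fails safe, and the audit log captures the denied attempts, which is exactly the signal a firm watching for insider misuse wants to see.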