Most Irish businesses are now exposed to data breaches and other IT security issues. Here’s how to protect your data.
Imagine if your data was hacked. It would be a very serious issue for your business reputation. It’s vital that your business is up to speed if you want to stay protected.
IT threats
Knowledge is key to understanding what you’re facing potential IT threats, such as:
- Viruses: There is a vast array of malicious codes that can affect your business’s operations. Within the umbrella term ‘virus’ exists a number of potential issues, such as malware, spyware, worms and mobile code. These can be let loose on your database or hard drive by clicking onto certain websites, opening bogus email attachments, and even accessing corrupt files from USB sticks. These issues vary in severity, but possible scenarios range from being redirected to an undesirable website to having all the information on your hard drive stolen and deleted.
- Employee negligence: Your employees may need to keep sensitive business information secure as part of their job remit. But, as we all know, nobody is perfect, and your business could be compromised by employees mislaying USB sticks, emailing the wrong information to the wrong person, or even something as simple as leaving a business laptop or phone in a taxi or a pub after a night out.
- Employee maliciousness: This is not as common, but beware of the employee who feels he or she has been hard done by and wants to take revenge on you or your business. This can be done in a variety of ways, depending on how sophisticated their knowledge of IT systems and processes is.
- Third parties: As a business owner, you will doubtless come into contact with third parties looking to help optimise your IT security or data storage. Be sure that you choose a reputable provider who can provide support advice on IT security.
Protect your business
Fail to prepare, and prepare to fail. It’s an old saying, but one that rings particularly true in this instance. How should you go about protecting your business?
- Health check: First of all, conduct a full audit of your online and staff operations, and identify where you are most at risk. If you are using a third party to conduct this analysis, ensure that the cost does not exceed the projected annual damage.
- Ensure day-to-day safety: This can range from ensuring you have up-to-date, effective, anti-virus software to monitoring the websites your staff use, setting limits on where and when they can and cannot browse and following through on your health check. Of course, keep your anti-virus software and/or firewalls updated. This may be obvious, but it’s also important.
- Training: If you run a business where employees have access to sensitive information, extensive training is crucial. In this way, there will be fewer mistakes made, and no confusion about the standards you expect your employees to uphold.
- Minimum permissions: Consider giving employees IT clearance only for the areas of the business that concern them. There is little to gain when, say, a junior employee has access to all business files.
- Password authentication and encryption: Ensure all employees use complex passwords for their PCs, laptops and phones. Use the latest encryption techniques.
- Keep your hardware up to date: Remember that support for outdated servers runs out, exposing businesses to security threats. Make sure you’re kept up to date.
Data breaches
Despite your best efforts, a data breach is always a possibility, and you should know what to do in such a situation.
- Planning is critical. Know your response strategy for each potential data breach identified in your risk analysis.
- Identify key people, like IT professionals and a senior member of staff, and give them responsibility for investigating data breaches.
- Rehearse data breaches. This will save you invaluable time and money if and when the real thing strikes.
- Lock down your network. Your wifi is always in danger of being hacked, so eliminate it altogether. If you must use wifi, ensure you use the latest encryption standard.
- Notify the Data Protection Commissioner. This must be done, except in cases where the data subjects have already been informed, and the loss affects no more than 100 data subjects and the loss only involves non-sensitive, non-financial personal data.
3 Action Points