Cyber Security For SME Business Owners – Part 3

What You really need to keep your business safe

The answer to effective cyber security for SMEs is to have an active IT Security Policy. That means a working document that is regularly reviewed and whose instructed actions are regularly audited.

An IT Security Policy cannot simply be something you produce, put in a drawer and forget about. At the same time, as long as it is well designed, it does not have to be an overbearing, time- and labour-intensive obligation either. The first step towards a helpful document is to understand what your IT security policy actually does.

What should your IT Security Policy do?

If your IT Security Policy is to protect your business from the effects of cyber crime, it will essentially need to help your business make sure that you do the following three things:

The 3 things your IT Policy needs to cover

  1. Don’t transmit or store “sensitive data” in an insecure way
  2. Audit regularly to confirm that point 1 is actually happening
  3. Carry out the ongoing actions your IT policy prescribes so that point 1 keeps happening

As a business owner how can you be sure of creating a policy that achieves the three core objectives above?  

By answering the following questions:

The 7 questions to answer before creating an IT security policy

  1. What personally identifiable information (PII) does your business store?
  2. What financial information (FI) (debit cards, bank details etc.) does your business store?
  3. How is PII and FI distributed within your business?
  4. Is PII and FI stored on your systems, or transmitted, in plain text?*
  5. Do you need to store all the information you are holding?
  6. How do you ensure you remain compliant with relevant bodies such as the ICO?
  7. How is sensitive data on your systems retained, backed up and deleted?

*A quick note on point 4. What is meant by plain text? It is as it sounds: the data is held or sent in a form that anyone who gets hold of it can read directly, without needing a key or password to unlock it.

If someone were to access your data, would they be able to read the information like this:

Name: John Smith

Address: 1 The Road, Manchester

Card Number: 1111 1111 1111 1111

Security Code 123

Or would it be a long run of random-looking characters that is incomprehensible without the decryption key, like this:

vjsdlvb\schj\sbcdhbsjkbkbcvqer78fblaebfce bbfcfegs78xctulaqouyxc704qpfxcrcowea4
3rcy443pcrfjser78c9nx9p8-yvgf9855yw4c89-x58teas88cynqw45ty898989898989w4
secr7yse4ctrepntisj5mvyusyt8w4nciopxm5u8eqw6xqwp3m48s9zfmse45fu9ve89ye8b
wr890ynrc4y89yrfnpc4jfy44444389tyc489wvtnw58ytn89n5vvvw48-yt9w45nvt89xn

If it’s the former, or you don’t know, you should speak to your trusted IT advisor immediately. Two caveats apply even when the data is encrypted: the protection only holds if the key is kept separately from the data (a key stored next to the data, or hard-coded into an application, leaves the data effectively in plain text), and the card security code should never be stored at all once a payment has been authorised, encrypted or not.

If you take payment via a 3rd party like Sagepay or Worldpay, chances are they are the ones holding the financial data and you are likely to be safe in that regard, provided card details are entered on their hosted page rather than passing through or being stored on your own systems. It remains your responsibility to know how they are storing the data and to be sure that it is a safe method.
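As an added example (not code from the original article), the following Python script gives a practical way to answer point 4 for yourself: it scans text for card numbers held in readable form, using a Luhn check to filter out digit runs that are not card numbers, and reports only the last four digits so that the scanner's own output does not become another copy of the sensitive data. The sample records are constructed for illustration; 4111 1111 1111 1111 is the widely used Visa test number, not a real card, and the "encrypted" record is simply a random-looking string standing in for ciphertext. Point it at exported spreadsheets, database dumps or mailbox exports to find card data that should not be there.

```python
"""Scan text for card numbers stored in plain (readable) text.

Added example, not from the original article. Standard library only.
The sample records below are constructed; 4111 1111 1111 1111 is the
public Visa test number and the ciphertext sample is an arbitrary string.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data: a record held in plain text ...
PLAINTEXT_RECORD = (
    "Name: John Smith\n"
    "Address: 1 The Road, Manchester\n"
    "Card Number: 4111 1111 1111 1111\n"
    "Security Code 123\n"
)

# ... and the same record after encryption (stand-in ciphertext).
CIPHERTEXT_RECORD = "U2FsdGVkX1+Q7b3kzT9pVmYwq0cJ8f1a2rRtNhS6lXoB4dKeGyPzMvWnCuHiAEFL"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list:
    """Return masked card numbers (last four digits only) found readable in text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_file(path: str) -> list:
    """Scan a text file (e.g. a CSV export) and return masked card numbers found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_plaintext_pans(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            for masked in scan_file(name):
                print(f"{name}: card number in plain text ending {masked[-4:]}")
    else:
        print("plain text record:", find_plaintext_pans(PLAINTEXT_RECORD))
        print("encrypted record: ", find_plaintext_pans(CIPHERTEXT_RECORD))
```

The Luhn filter matters: the placeholder 1111 1111 1111 1111 used above fails it, so a scan of the illustrative record would report nothing, while any genuine card number passes. Run with no arguments to see the two samples compared, or pass file paths to scan exports.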

Finally, to expand on point 5: this is something that is becoming increasingly evident with SMEs. It is much easier now to collect and store large amounts of data, particularly for marketing purposes. Whilst large amounts of data can be an asset, they can also become a liability. If you are storing sensitive information there is a risk it could be accessed by criminals, and the more information you hold the bigger the risk. Fines issued by the ICO are in part based on the number of records compromised. With that in mind, ask yourself: do you need to store all the information you are currently storing? If the answer is no, why are you keeping it? Data you no longer hold cannot be stolen from you.

There has been a lot to take in so far, especially in the context of an SME where the business owner is often wearing many hats. So let’s summarise the key steps that need to be taken or covered with a checklist, to ensure you don’t miss anything out when creating your IT security policy.

A 12 point checklist when creating your IT security policy

  1. Remind yourself of “The 3 things your IT Policy needs to cover” (above)
  2. Work through “The 7 questions to answer before creating an IT security policy” (above)
  3. Do you have / need anti-virus
  4. Do you have / need anti-malware
  5. Do you have / need ransomware protection
  6. Have you implemented staff awareness training
  7. What is your backup and disaster recovery plan (and when was a restore last tested)
  8. What is your policy for when staff leave the business (accounts disabled, devices and access returned)
  9. Do you have a plan and schedule for software updates
  10. Do you use cloud-based file sharing / storage, and who has access to it
  11. What is your password policy, including setup, audit and enforcement
  12. Remember Plan, Do, Review: schedule the audits and repeat the tasks.

So there you have it. Now that you know what to do, next time we will recap why it’s important to have something in place and why this is the way to go. As always, if you have any questions about this or any IT Support issues, feel free to give our Wembley HQ a call or drop us an email.