How Organisations Can Avoid Data Breaches And Thus Meet Their Security Obligations
Stay on top of security developments by following these five pieces of advice
With cyber attacks becoming increasingly common, it is vital for companies to keep their data safe from breaches. If a data breach occurs, your company’s financial information will be at risk, as will potentially sensitive customer information. As well as damaging the image of your business (and costing you customers), data breaches can make companies liable to pay fines. This is because the Data Protection Act 1998 legally requires companies and other organisations to keep people’s private information safe and secure, and imposes penalties if this requirement is not fulfilled. Good security is therefore not just convenient for you, it is also an obligation. Luckily, it is reasonably straightforward to keep your IT infrastructure safe from attack: all you need to do is cover the five basic points listed below. If you do not feel comfortable covering all of these baselines yourself, hiring an IT professional to do so for you is a smart choice.
1. Keep your IT infrastructure in good health
Knowing and understanding your IT infrastructure is an essential first step in keeping it safe and sound. Get to know what software you are using and what updates or patches are available for it, and install new security features and fixes as soon as they become available. Ensure that you know where and how your infrastructure intersects with the law: what level of security are you legally obliged to provide? Make sure that you provide that level of security as a basic minimum. Under the Data Protection Act, if you take no action to prevent or halt a data breach, you can become liable for even bigger fines. This was the case with TalkTalk last year, when the company was fined £400,000 (a record amount) for a data breach that saw sensitive customer files leaked. Monitor your IT infrastructure at all times so that you catch attempted breaches as soon as possible, and, when a breach does occur, use it as an opportunity for learning: attempted breaches can teach you a great deal, including where the weak points in your IT infrastructure are and what methods attackers are currently using. If a data breach does occur and you have fulfilled all of your legal obligations under the Data Protection Act, it is unlikely that you will have to pay a penalty.
2. Opt for automation to keep your security up to date
Monitoring IT security should be a 24/7 job, as attacks can happen at any time, and that is why it is hard for human eyes alone to watch every part of your IT infrastructure. So put in place encryption policies, intrusion detection and prevention systems, regular automatic assessments (where the system checks itself for weak spots and security breaches and applies patches and updates where necessary), and backup programs that prevent files from being lost permanently if an attacker attempts to wipe your system’s storage. Another good policy is to stop new files from downloading automatically until they have been checked manually, since a key method of cyber attackers is to send you a malicious file to download as an email attachment. These automated measures keep everything safe and secure whilst you get on with running or working for the company.
3. Educate all company members about IT security
Get everyone on board when it comes to monitoring the security of your IT infrastructure. Train employees to encrypt their information and to recognise attempted cyber attacks. Create a set of employee regulations that require staff to encrypt and password-protect the data they use and to apply software patches where necessary. Think about where your company’s hardware is, too, and where necessary prevent employees from taking hardware home: if it gets into the wrong hands, a single lost laptop can result in a huge data breach. One very good policy to implement here is data minimisation, which means sharing data only with the minimum number of top-level employees. The fewer people who have access to data, the less likely it is that employee negligence will lead to a data breach.
4. Have a detailed plan about what to do in the event of a data breach
Plans for how to respond to suspicious activity (which, of course, you will be monitoring as per step 1 above) should be built into your day-to-day IT policies. Set up real-time alerts that let you identify threats straight away, and then have a plan that you can quickly put into action to protect sensitive information, for instance shutting down some parts of the system or getting a resident IT professional to work immediately on putting barriers in the attacker’s way. Integrate prevention and response strategies into your day-to-day operations, for instance by informing employees about attempted data breaches so that they can change their passwords immediately. Be aware of your legal obligations when it comes to reporting breaches: remember, if you take no action to repair or report a breach you can become liable for penalties. And, if an attempted breach does occur, make it part of your policy to analyse it so that you are stronger against the next attack.
5. Be smart about who you hire
Hiring an IT professional (or a team of professionals) to keep your IT infrastructure safe is a very good idea. Think of this additional hire as an investment rather than a cost: after all, the average cost of a single data breach last year was over £100,000 for a UK company. Do not just look close to home, either; tap into the global talent pool to ensure that you hire the right person for the job. Many security professionals can work remotely for much of the time (though there are definite benefits to having an in-house professional keeping an eye on your IT security), so you could even hire a team that includes someone in a different city or country if need be. Find out who the best-qualified security professionals are and offer them an attractive post to tempt them over to your company. It is also important to include some IT security training for all of your staff, not just those whose job it will be to protect your IT infrastructure, and if a potential new employee has experience or qualifications relating to cyber security, that should count as a significant positive for your company. Hiring a dedicated person, or group of people, to deal with your company’s cyber security is, moreover, good for business: it shows the world that you care about keeping your customers’ and business partners’ data safe and secure at all times.