Data Security Fundamentals

Data Security is a Hot Topic!

With continuously emerging cyber threats and stronger legislation protecting personal data, data security is more important than ever!

Whilst a lot of major targeted attacks are on large organisations, 58% of malware attack victims are SMBs. This is because small businesses are more likely to have vulnerabilities in their IT systems due to having improper (or no) IT systems management in place.

A lot of outsourced IT support providers fail to take a proactive approach with their small business clients, only focusing on their larger clients.This leads to businesses using out of date or obsolete systems which are not protected against the latest threats.

We have put together ten key steps that every internal/external IT team should be taking for businesses of all sizes and sectors.

1.  Information Asset Register

Put together an information asset register, detailing all data that your organisation processes. This is essential for the GDPR (General Data Protection Regulation) and will also help you asses the security of your data. This document should include:

  • Where your information is stored
  • Where your information came from
  • Your legal grounds for processing it
  • Your processing activities
  • Who has access to your data
  • How long your data will be retained for

2.  Implement Controls

Implement controls to protect your data. Some of the key controls you should have in place:

  • A dedicated hardware firewall with active security subscriptions
  • Business grade anti-virus
  • Complex passwords, which routinely expire
  • Email security to scan inbound emails for malware and phishing attacks
  • Encryption of all company data
  • Isolated guest WiFi (if WiFi is provided to guests)
  • Mobile device management
  • Two factor authentication for cloud services where possible (e.g. Office 365, Dropbox, Xero)

3.  IT Security Audit

Carry out annual IT security audits, to assess controls that you have in place and document controls that the business ought to have in place. Use red/amber/green coding to represent the level of risk currently faced by the business in each area. Consider the ‘C.I.A’ triangle when carrying out your assessment. Controls should preserve information Confidentiality, Integrity and Availability. Your assessment should cover the following as a minimum:

  • Server Security
  • Device Security (including mobile devices)
  • Email Security
  • Data Security (including cloud systems)
  • Network Security
  • System Redundancy

4.  Access Control

  • Ensure staff have only the minimum required level of access to data
  • Implement an access control policy
  • Keep an audit trail of access changes
  • Use documentation, such as new employee checklist and leavers checklists to ensure access is correctly implemented and revoked when employees start at or leave your organisation

5.  Backup

  • Ensure your data is regularly backed up securely off site
  • All data should be encrypted both at rest and when in transit

6.  System Maintenance

It is crucial to keep your systems up to date to ensure you are protected against the latest vulnerabilities.

  • Windows updates should be rolled out on a weekly basis
  • Software updates
  • Firmware updates on network devices

7.  Documentation

This is an area that far too many IT teams/companies do not take seriously enough.

  • Ensure your IT systems are fully documented
  • Document system administration procedures
  • Implement secure configuration standards/checklists for computers, servers and network devices

8.  Governance and Compliance

  • Implement policies and procedures to govern your employees on data security
  • Provide evidence that your employees are reading and understanding your policies
  • Ensure your data processing activities are compliant with local data protection law, such as the GDPR. Failure to comply with the GDPR can result in fines of up to 4% of your global revenue or 20 million euros (whichever is higher)

9.  Monitoring

  • Monitor your systems to detect faults, outages and changes
  • Review security logs on firewalls and servers
  • Monitor anti-virus endpoints to review viruses or issues with endpoints updating

10.  Training and Employee Awareness

  • Train your employees on the most appropriate way to use your IT systems
  • Ensure your employees are aware of commo