Small businesses are both extremely vulnerable to and unaware of the consequences of poor information protection. Business failure, fines and loss of reputation are just some of the potential outcomes, so even the smallest firm should consider taking preventative action.
This article by Richard Henson, Senior Lecturer in Computing at the University of Worcester and joint founder of the IASME information assurance management standard, highlights what you can do to reduce the risks.
According to research published by PwC, 70% of small firms that experience a major data loss go out of business within a year. At the same time, the penalties for putting personal data at risk have risen dramatically: the Information Commissioner has the power to impose fines of up to £500,000 for Data Protection breaches.
Unfortunately, many small companies either do not realise how big a risk they are running by not managing their information in a secure way, or think that only bigger companies can actually do something about the problem.
This article highlights practical ways to improve your information security and a pathway to a more structured approach to the issue.
How do I start?
Take stock – think about (and then write down) what information you really need to carry on your business. Include anything that you are legally obliged to look after.
Now think about how you look after the information. To do this, first think about the things that might cause harm to it. Statistically, the more places the information is kept, the more likely it is to come to harm. Similarly, the more people who have access to it, the more likely it is to be lost or damaged, deliberately or accidentally, or indeed stolen. So write down:
- Where you keep it
- Who can access it
Easy, isn’t it? You have just started a risk assessment and perhaps a new understanding of how important your information is to your business survival. Of course, there’s quite a bit more to it than that, but we can skip ahead to how you protect your information – your risk management.
Think about where you keep it – these days it’s less likely that you keep it in a box under the bed, and much more likely that it’s on a computer. It might be both, of course, and the same principles of protection apply to either. A well-built and properly maintained computer (or box) is well on the way to reducing your risk, but you need to be sure, particularly if you have no direct control over the computer, as in the case of a cloud provider. Similarly, if the information is on a mobile computer, such as a laptop or smartphone, it can more easily be lost or stolen.
Think about who can access the information – do they all really need access?
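The stock-taking exercise above can be kept as a simple register that scores each piece of information by the factors the article names: how many places it is kept, how many people can access it, and whether it sits on a mobile device or with a cloud provider you do not control. The script below is an added example and is not part of the original article; its weights, its suggested next actions and the sample assets are constructed assumptions for illustration, not figures from the article.

```python
"""Added example: a small information-asset register with risk scoring.

The factors follow the article: more places and more people mean more
exposure; mobile devices and cloud providers add exposure; encryption
reduces the harm from a lost or stolen copy. The weights, the suggested
actions and the sample assets are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    locations: list[str]            # where the information is kept
    people_with_access: list[str]   # who can access it
    legally_required: bool = False  # information you are legally obliged to look after
    mobile: bool = False            # held on a laptop, smartphone or USB stick
    cloud_hosted: bool = False      # held by a provider you do not directly control
    encrypted: bool = False         # the storage is encrypted


def risk_score(asset: Asset) -> int:
    """Higher means more exposed: one point per copy and per person with access,
    extra points for mobile, cloud and legal obligations, minus points for encryption."""
    score = len(asset.locations) + len(asset.people_with_access)
    if asset.mobile:
        score += 3  # assumed weight: easily lost or stolen
    if asset.cloud_hosted:
        score += 2  # assumed weight: no direct control over the computer
    if asset.legally_required:
        score += 2  # assumed weight: regulatory consequences raise the stakes
    if asset.encrypted:
        score -= 2  # assumed weight: encryption limits the harm from a lost copy
    return max(score, 0)


def next_action(asset: Asset) -> str:
    """Cheapest sensible next step, asking the article's questions in order."""
    if asset.mobile and not asset.encrypted:
        return "encrypt the mobile device"
    if len(asset.people_with_access) > 3:  # assumed threshold for a small firm
        return "review whether everyone really needs access"
    if len(asset.locations) > 1:
        return "reduce the number of copies, or record why each one is needed"
    return "keep it backed up and review again next year"


def review_assets(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """Return (name, score, next action) for each asset, most exposed first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), next_action(a)) for a in ranked]


# Constructed sample register for a small firm (not real data).
SAMPLE_ASSETS = [
    Asset("customer records", ["office server", "cloud CRM"],
          ["owner", "sales 1", "sales 2", "admin", "bookkeeper"],
          legally_required=True, cloud_hosted=True),
    Asset("payroll", ["bookkeeper laptop"], ["bookkeeper"],
          legally_required=True, mobile=True),
    Asset("marketing photos", ["shared drive"],
          ["owner", "sales 1", "sales 2", "designer"]),
]

if __name__ == "__main__":
    for name, score, action in review_assets(SAMPLE_ASSETS):
        print(f"{score:2d}  {name:18s} -> {action}")
```

Running it ranks the customer records highest (two copies, five people, a cloud provider and a legal duty of care) and points first at the access list, while the unencrypted payroll laptop is told to encrypt before anything else. The point is not the numbers but the habit: once each asset has a written owner, location list and access list, the next control to apply usually becomes obvious.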
Seven Steps to Information Management
Managing your information securely is cheap and easy, and will repay the investment many times over. These seven steps will help to reduce the risk to your business.
- Make someone responsible for managing your information if you haven’t already, and ensure you have backing from the top of your organisation. Get some security advice if you need to.
- Write down briefly what your intentions are in managing your information and tell everyone in your organisation and anyone else who might access your information. Remind them regularly.
- Find out where your key information is and who needs access to it, and then control authorised access using, at a minimum, unique logon identities and secret, strong passwords. Ensure you comply with the DPA and other legislation.
- Control unauthorised access by encrypting your most important information storage and removable devices such as laptops, smartphones and USB sticks. Strong encryption software can be obtained free and is easy to use. Many modern smartphones have encryption built in or can use security applications.
- Protect yourself from the internet by using a firewall and up-to-date anti-malware software at a minimum. Remind your staff of the dangers of phishing, rogue websites, clicking on links in emails from suspicious senders and other threats, getting specialist advice if necessary.
  Consider banning the use of business equipment (computers, laptops, smartphones etc.) for private use, and of private equipment for business use, as this is the most likely way that threats from the internet will affect your business.
- Protect yourself from data loss. Back up your information at least daily and use good physical security to prevent computers from being stolen. Have a plan detailing what to do if you have a disaster which prevents the business from operating. If you do have an incident, learn from it.
- Consider benchmarking your information management by certification to ISO/IEC 27001 or IASME, which is designed for SMEs. This will demonstrate to partners and clients that you have reached and maintain a good level of information security, making you more attractive to do business with.
The IASME Consortium (www.iasme.co.uk) offers a simple information management standard which includes the ICO requirements. It is based on cyber-security best practice and is designed with SMEs in mind. Conformance to the standard is independently audited and certified, so that successful certification provides assurance to customers, clients and regulatory bodies that the business is following best practice in information cyber-security.
For more information on certification to the ISO27001 and IASME standards and to understand more about the steps you can take in your own business to protect information please contact Martin King-Turner on 02476 620158 or email firstname.lastname@example.org for a no-obligation confidential discussion.