An effective IT security strategy
According to PwC's 2015 Information Security Breaches Survey*, the number of security breaches suffered by UK companies rose in 2015 and their scale and cost nearly doubled. Any IT security incident could cost you business data, reputation, customer confidence and intellectual property; add fines and penalties and that could spell the end for many small and medium sized businesses. The same survey puts the cost of recovering from a breach at a small business at between £75k and £311k, depending on the breach. For many firms that is enough to put them out of business.
Unfortunately, the same survey found that few organisations have increased their security spending and fewer still expect to increase it in future, even though nearly 9 out of 10 large organisations surveyed had suffered a breach. These incidents are now a near certainty rather than a remote possibility.
For most business owners IT security is ignored or left on the to-do list because of its complexity, its jargon and, most importantly, its cost. Given the fear surrounding the subject, and how aggressively the vulnerability of your business and its intellectual property is marketed to you, it is no wonder this is the fastest growing sector of the IT market. All too often suppliers use that perceived risk as a basis for charging astronomical fees to implement and maintain a security solution.
Let me walk you quickly through the way to approach this that has worked for us and for our clients over the last couple of years…
An accurate risk assessment of your data and systems is the best possible starting point for understanding and implementing an effective security strategy. Gather an inventory of your hardware and software, including network diagrams, network settings and current policies. Your IT supplier can carry out the audit, documenting this information and reporting the vulnerabilities found and the impact if each asset were lost or compromised.
Once you have established your current position, deciding how to protect your systems and data becomes much easier. A good IT supplier will give you a proposal based on your assessed needs, in clear and understandable language. Helping you understand what is on offer (through detailed explanations and diagrams) is paramount and not an unreasonable expectation, especially as you are the one answerable for any breach and for compliance. The design should cover data flows, the controls applied to them, your risk tolerance and what is logged and where. In our opinion, securing your company's systems and data should not cost the earth. What is needed in most cases is a structured approach to assessing and understanding your data, its value and your exposure.
With a thorough risk assessment done and a detailed, understandable proposal in hand that reflects it, your compliance needs and your business requirements, you are in a position to move forward with implementation. Document every area of your security planning, implementation and maintenance thoroughly. Review that documentation at regular, scheduled IT and business reviews, and whenever a system change makes it necessary.
An effective change control process lets your business keep track of adjustments to its systems and security, with a risk assessment recorded for each change. It also ensures your business controls what changes are made and when they are made.
Consider your hardware and software needs seriously: paying over-the-top prices for them just because of brand association is a sure-fire way to escalate costs unnecessarily. What matters is that the items meet your needs, perform the function the plan above assigns them and remain stable.
Maintaining and reviewing your systems regularly is probably the most important step in this process, yet it is also the most overlooked. It is equally important that staff are educated and that awareness training is kept up to date, so that breaches caused by human error are kept to a minimum.
Following the above approach ensures that any security plan is bespoke to your business and its requirements, so you pay for what your business needs and nothing more. It also gives you and your team an understanding of your environment and its security, which is priceless when you are the one answerable for it.
Improve your online security by:
- Making your passwords stronger with three random words
- Installing security software on all devices
- Downloading the latest software updates
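The three-random-words advice is easy to state and easy to get wrong: what makes it work is choosing the words at random from a large list, not picking three favourites. The Python below is an added example, not code from the original article or its authors; the 40-word list is constructed for illustration, and the 7,776-word figure is an assumption matching a Diceware-style list. It generates a passphrase with the operating system's CSPRNG and works out how much entropy three random words carry compared with the common "one word plus two digits plus a symbol" pattern.

```python
import math
import secrets

# Constructed sample wordlist for illustration only (not a real dictionary).
# A real deployment would load a large list, e.g. a 7,776-word Diceware-style list.
SAMPLE_WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "tunnel", "velvet",
    "walnut", "yellow", "zipper", "bridge", "cactus", "dolphin", "falcon",
    "glacier", "harbor", "iguana", "jungle", "kitten", "lantern", "meadow",
    "nectar", "oyster", "pebble", "river", "summit",
]


def three_random_words(wordlist, count=3, separator="-"):
    """Build a passphrase from `count` words chosen with the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    predictable Mersenne Twister and unsuitable for credentials. Words are
    drawn with replacement, so the entropy is exactly count * log2(len(wordlist)).
    """
    if not wordlist:
        raise ValueError("wordlist must not be empty")
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy (bits) of `count` words drawn uniformly from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def pattern_password_entropy_bits(wordlist_size, digits=2, symbol_choices=32):
    """Entropy (bits) of the common human pattern 'Word' + digits + one symbol,
    assuming the attacker knows both the pattern and the dictionary."""
    return math.log2(wordlist_size) + digits * math.log2(10) + math.log2(symbol_choices)


def is_well_formed(passphrase, wordlist, count=3, separator="-"):
    """Check that a passphrase is exactly `count` words, all from `wordlist`."""
    parts = passphrase.split(separator)
    return len(parts) == count and all(p in wordlist for p in parts)


def compare(wordlist_size=7776):
    """Entropy figures for both schemes at the given dictionary size (assumed 7,776)."""
    return {
        "three_random_words_bits": round(passphrase_entropy_bits(wordlist_size), 1),
        "word_digits_symbol_bits": round(pattern_password_entropy_bits(wordlist_size), 1),
    }


if __name__ == "__main__":
    pw = three_random_words(SAMPLE_WORDS)
    print("example passphrase:", pw)
    print("entropy with the %d-word sample list: %.1f bits"
          % (len(SAMPLE_WORDS), passphrase_entropy_bits(len(SAMPLE_WORDS))))
    print("entropy with a 7,776-word list:", compare())
```

Run it directly to print a passphrase and the figures. Two points are worth noting: with the small sample list the passphrase carries only about 16 bits of entropy, which is why the size of the list matters as much as the randomness; and the attacker is assumed to know both the dictionary and the scheme, so the strength comes from the random choice alone, never from keeping the method secret.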