6 Important GDPR IT security checks for your SME business
06 Dec
If you believe that IT security is reserved for really big companies with umpteen employees and a dedicated IT team, you are sadly mistaken, and your systems are likely very exposed. Not to mention that, with the GDPR (General Data Protection Regulation) now less than 6 months away, it is more vital than ever to put your business IT security framework in place.
Sure, for some people it’s a matter of budget, for others it’s getting access to expertise, but for a lot of companies, it’s a simple matter of not knowing where to start. From the outset, the planning, sourcing, and implementation of your IT security can seem like a daunting task. But it can be done. Even the biggest mountains can be climbed one step at a time.
We have broken it down into bite-sized chunks and put together the following list of 6 checks:
- Implement a strict password policy
Let’s get one thing straight right away. Having “12345678” or “password” as your password is not being secure, it’s being lazy. The same goes for keeping passwords on those super-secure sticky notes, which undoubtedly fall off laptops and monitors. Ensure that you and your entire staff protect their devices with a minimum of an 8-character alphanumeric password, preferably containing both lower-case and upper-case letters. Want something easy to remember? We have two words for you…song lyrics! If not, you can enforce a password security policy through your server.
- Ensure a payment and transfer of funds procedure is in place
Protect your hard-earned money. Implement a standardised procedure to handle payments, requests and transfers of funds. Include an authorisation policy to confirm all irregular or unusual payment and transfer requests in person or verbally, using established and verified contact information. Do not rely on details provided in emails, even if they look to come from someone in your company. The rule of thumb is: if it looks dodgy, it probably is. Don’t just sit there if it doesn’t feel right, flag it up!
- Evaluate emails and check who they appear to be from
Think you have an email from the bank or your CFO? Does something smell fishy? Better check. Be mindful of the tone, language, structure and writing style of the email. Double-check the email signature and the images used. Look at the email address: does it look odd? Are you being asked to click on a link that doesn’t seem right? Yet again, this is something that can easily be resolved with a quick phone call or a verbal confirmation from the sender, and by stopping to look at and evaluate the situation. Losing a couple of minutes to double-check is better than losing your money to scammers. Remember to educate and train all of your staff, especially when you hire new ones.
- Use an Enterprise-level Spam, Anti-Virus and Web Filtering Solution
Reduce the risk of unsafe emails and viruses ever reaching your work computers. Create layers of overlapping security, especially for incoming data such as emails and downloads through web browsers. Prevent phishing attempts and intrusions by implementing solutions that filter out viruses, spam and threats from unusual or untrustworthy domains and addresses. It is also highly recommended to have a physical firewall device in place for your network and internet access, as this will also protect you from external hack attacks.
- Schedule regular checks to ensure your patches are up to date
Anti-virus providers can’t keep on top of all threats, but they will give you a fighting chance. So make sure to set aside time, at least once a week, to run these updates. That includes operating system patches (especially security updates), third-party application updates and anti-virus definitions. The harsh reality is that there are 3.5 new viruses, trojans, worms and exploits created every second (that’s 310,000 every day), so make sure you have the latest patches on workstations and servers so that you are protected from the ones that have been identified.
- Have a backup solution in place
If all else fails, you MUST have this to fall back on to get your data back quickly and efficiently. Call it the “Alamo” protocol or something equally definitive if you must, but it must be created. Backup, Backup, BACKUP! It is the only secure and sure-fire way to recover your data should you experience a virus attack, including ransomware. Why would you not implement a safety net? What if your system has been compromised, or your power shuts off and corrupts your business data? How can you, your employees and your clients continue to conduct business? The financial loss of not doing this is extraordinary. Ensure that you already have disaster recovery redundancies in place so that you can recover, at a very minimum, 24 hours’ worth of data and system states. Ideally, implementing high availability will also speed up your restoration and recovery process.
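The first check above says a password policy can be enforced “through your server”. On a Windows Active Directory domain, which is where most SMEs would do this, that means the default domain password policy. The script below is an added example written for this article, not code from the original post or from Amazing Support; it assumes the ActiveDirectory PowerShell module (RSAT) and Domain Admin rights. The 8-character minimum and the complexity rule come straight from the post; the history count and lockout values are assumptions added here.

```powershell
# Added example (not from the original post): apply the post's minimum
# password policy to a Windows AD domain and verify it.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

# Resolve the domain name rather than hard-coding it (placeholder-free).
$domain = (Get-ADDomain).DNSRoot

# Show the current policy first, so the change can be reviewed and reverted.
Write-Host "Current policy for $domain :"
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold | Format-List

# ComplexityEnabled is Windows' built-in rule: the password must use
# characters from at least three of four classes (upper, lower, digit,
# symbol), which covers the post's "8-character alphanumeric with upper
# and lower case" requirement. History count and lockout settings are
# assumed values, not from the post: 24 remembered passwords and a
# 30-minute lockout after 5 failed attempts.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Verify the change actually took effect before closing the ticket.
Write-Host "Policy for $domain after change:"
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold | Format-List
```

Run it once on a domain controller (or any machine with RSAT) as a Domain Admin; the same settings can be applied through the Default Domain Policy GPO if you prefer the Group Policy editor. Windows’ complexity check does not stop “Password1!”, so the deny-list part of the advice (no “12345678”, no “password”) still depends on staff training.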
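The patching check asks for a weekly look at three things: operating system security updates, third-party application updates and anti-virus definitions. The following script is an added example for this article, not code from the original post, that reports all three on a Windows 10 / Server 2016 or later machine with Microsoft Defender. It uses the Windows Update Agent COM API, Get-HotFix and Get-MpComputerStatus; the Chrome path, the 7-day signature threshold and the 30-day hotfix threshold are assumptions made here, not values from the post.

```powershell
# Added example (not from the original post): a weekly patch-status check
# suitable for a scheduled task on each workstation and server.
# Assumes Windows 10 / Server 2016+ with Microsoft Defender enabled.
$report = [ordered]@{}

# 1. Pending Windows updates via the Windows Update Agent COM API.
#    IsInstalled=0 = not yet installed; IsHidden=0 = not deliberately hidden.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
$security = @($pending | Where-Object {
    ($_.Categories | ForEach-Object Name) -contains 'Security Updates'
})
$report['PendingUpdates']         = $pending.Count
$report['PendingSecurityUpdates'] = $security.Count
$report['PendingSecurityTitles']  = ($security | ForEach-Object Title) -join '; '

# 2. Date of the most recently installed hotfix. A stale date means the
#    weekly routine has not been running on this machine.
$lastHotfix = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$report['LastHotfixInstalled'] = $lastHotfix.InstalledOn

# 3. Anti-virus definition age from Microsoft Defender.
$mp = Get-MpComputerStatus
$report['AVSignatureAgeDays'] = $mp.AntivirusSignatureAge
$report['AVSignatureUpdated'] = $mp.AntivirusSignatureLastUpdated

# 4. One third-party application, read from its executable (assumed path).
$chrome = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
if (Test-Path $chrome) {
    $report['ChromeVersion'] = (Get-Item $chrome).VersionInfo.ProductVersion
}

# Flag anything that breaks the post's "at least once a week" rule.
# 7 days matches the weekly cadence; 30 days for hotfixes is an assumption.
$report['NeedsAttention'] = ($security.Count -gt 0) -or
                            ($mp.AntivirusSignatureAge -gt 7) -or
                            ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30))

[pscustomobject]$report | Format-List
```

Schedule it weekly with Task Scheduler and send the output somewhere a person reads it (a shared mailbox or a ticket); a check that runs but is never looked at gives the same false comfort as no check at all. Add one line per third-party product you rely on, as step 4 does for Chrome.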
Every company is at risk of data and security issues, and the requisite prevention and protection solutions should be set up to ensure that your intellectual property data remains in-house and is not used out-of-house.

David has held positions as Operations Director and Head of IT in legal and professional firms for more than 10 years. He is a Director and co-owner of Amazing Support, a Microsoft Silver accredited and specialist Managed IT Support and IT Services company. David actively helps SME businesses receive better Managed IT Support and IT Services in the London and Hertfordshire areas. He also assists overseas companies who are looking to expand their business operations into the UK and helps with their inward investment IT process. He is a member of The Chartered Institute for IT (BCS) and the UK Council for Child Internet Safety (UKCCIS), and an event speaker promoting business start-ups and technology awareness. Married with a son, you will often see him riding his bicycle around the Hertfordshire towns! David participates in charity bike rides and is a keen Krav Maga practitioner.