Keeping your company safe from IT security threats can feel daunting, but turning a blind eye can be much more damaging to your business in the long run. That’s why we’ve compiled a checklist with all the basic steps you’ll need to follow to stay as safe as possible.
Educate your employees
You should never lose sight of the fact that your employees are your biggest IT security threat. That’s not to say that your staff are intent on bringing your company down by hacking into your systems, but as Jackie Wake of GFI Software says, ‘users don’t always understand technology – and can’t be expected to keep up with the latest cyber threats’, adding that ‘it’s vital to work with employees to ensure they know what the IT security risks are’. Jenny Radcliffe, who trains business owners to protect their companies, highlights that this must begin at the moment an employee starts their job: ‘training when an employee joins a company is very important and it’s something many small businesses don’t do properly’.
Manage risk effectively
Risk management is an everyday reality of running any business. But many SMEs, while well-versed in identifying and preventing financial and health and safety risks, neglect to address IT security as part of this process – despite the fact that a cyber security breach can easily be just as problematic. Make sure that you carry out a risk assessment with your IT security staff to identify potential threats, minimise the chances of them occurring, and manage the damage should the worst happen, and producing a risk assessment document that you update regularly.
Implement intrusion detection and prevention
An intrusion detection and prevention system (IDPS) is a similar concept to a firewall, except that as well as looking for dangers from outside your network, it looks for internal attacks too, by identifying suspect activity and threats within the system. As the name suggests, this technology is designed to both identify intrusions and, once a threat is identified, stop them from succeeding. Anti-virus software is one example of an intrusion detection system. Talk with your IT professionals to identify what systems you require to keep your company safe.
Minimise internal threats with data loss prevention
Generally speaking, your employees are trustworthy and mean you no harm, but you should be aware that there are people out there who are willing to breach their employers’ security for their own gain. While around half of internal data breaches in companies are caused by such people, accidental data loss as a result of the activities of honest staff is a genuine risk too. Either way, putting in place a data loss prevention methodology to monitor and log employee activity, investigate suspicious goings-on and take preventative action when needed, along with a secure backup and recovery process, will help you avoid losing or leaking valuable or sensitive company information.
Carry out penetration testing
Penetration testing, simply put, is the process of testing your IT systems and networks to find vulnerabilities that an attacker could exploit, in order to better protect yourself from cyber security threats. As well as identifying areas of weakness, a penetration test report will also suggest ways to reduce the risk. You should carry out penetration testing regularly to ensure that your IT systems remain secure.
Understand the value of your digital assets
You may not think of IT as an area where asset management would apply, but it’s surprising how many companies don’t understand what the data, software and intellectual property they own is worth. Someone else might see value where you fail to recognise it though, so being able to analyse the value of these assets and put the necessary measures in place to protect them is important to your IT security, and the success of your business.
Be vigilant, not complacent
You should know by now that training your employees, and keeping an eye on them, are among the most important aspects of your cyber security activities. Your staff may be failing to password protect their devices, using insecure passwords, clicking on dangerous links in scam emails or even giving sensitive information away on social media. Despite being advised not to, people often use birthdays of family members and phone numbers in their passwords, and modern hackers are savvy enough to get hold of this information and use it to their advantage. According to Jackie Wake, ‘a phishing email that’s obvious to an IT admin may prove completely believable to a non-techie. One click and a virus can infect an unprotected network.’ Jamie Randall of The Friendly Nerd Ltd gives the following advice to avoid this risk: ‘The best tip I can give to staff is always look out for the urgent and the unexpected. If an email, a social media post or a phone call ticks either of these boxes then it could be suspicious.’ Don’t assume that your employees know how to stay safe, or that if they do that they’re making the effort to be secure.