1. Why is it important?
SMEs need to make security a priority. Research shows that SMEs are now experiencing incident levels previously seen only in larger organisations – 87% of SMEs experienced a security breach in 2013.
Attacks can arise from a variety of sources, including human error, a deliberate attack by an outsider or a malicious attack by a disgruntled member of staff. It’s a myth that security is solely the responsibility of the IT department – they may well identify the security issues, but everyone has a role to play in implementing these simple measures.
2. Educate all employees
Encourage all employees to “think” security. Create email, internet and social media policies that set out what is permissible; implement a password policy that demands strong passwords of at least eight characters, mixing upper- and lower-case letters and numbers, and that are changed regularly; encourage staff to think before they click, to recognise phishing and spam emails and to know how to handle them; and implement a policy on the use of removable devices, as well as on the copying and transferring of information.
3. Manage equipment to reduce risk
Ensure there is an adequate security policy in place; ISO 27001 is a good model. It is essential to deploy firewalls between your network/PC and any untrusted network, and also within your own network. A firewall protects a computer network from unauthorised access and can be a hardware device, a software program, or a combination of the two. Also subject your network to a penetration test – this is where a security specialist attacks a computer system or network with the intention of finding security weaknesses before a real attacker does.
Other things your firm can do include: deploying a proxy server between internal and external network resources; securing wireless routers; protecting mobile devices with a PIN or biometrics; and ensuring that mobiles and laptops are encrypted.
4. Be prepared
Make sure you audit all the security policies, processes and technology in use within your organisation, and share the results so that employees are aware of the outcomes.
5. Data protection
Know your data protection responsibilities and ensure employees understand their role. That means understanding clearly what data is used in your organisation, where it is held and why you’re keeping or using it. Classify your data for confidentiality, for criticality and for integrity.
This advice is from BCS, the Chartered Institute for IT. Its complete guide to security is available at: www.bcs.org/security/toptips