If sensitive data plays any role in your small business, you need to protect it. Sensitive data can be email correspondence with a client, payment information, financial records, personal identification used to approve or secure services or loans, health-related information, legal case file information and more. As IT systems grow more advanced and complex, the attackers out there are evolving just as quickly, looking for ways to breach your systems and illegally obtain your data.
If you don’t have a documented data security policy, there’s no way to make sure your employees are following it. All businesses, big and small, should define their policy, clearly communicate and post their security policies, and train their employees to make sure they understand what is required of them in protecting your IT assets, clients, and people.
A big mistake growing companies make is to act as if they still have only a handful of staff while they are expanding and rapidly adding new employees. As your data and headcount grow, your approach to security must grow with them. Document your security policy and make sure all staff (new and existing) are trained in the procedures that secure your data.
Now is a good time to hire an IT Consultant to help you assess your vulnerabilities and set up data protection measures to protect your business and reputation.
How to Create a Data Security Policy For A Small Business
Where do you start? You can look at other companies’ policies, but there’s a good chance that none of them are going to be right for your business, as your data and servers may have unique features based on the work you do and the needs of your SMEs. To create an appropriate and effective security policy, you must:
- Identify your IT assets.
- Assess vulnerabilities in those assets.
- Determine what needs to change in your present standard operating procedures and systems.
It's best to work with a trained IT professional when creating your small business IT security policies. A network security audit is a good way to assess vulnerabilities in your data assets, but many companies find they need to add layers of security that are not already in place. This can feel like a hard up-sell, when in fact it is best practice being recommended. Most small businesses fall behind on network security best practices because they don't employ a trained IT professional. This lack of IT oversight increases the risk of a breach or ransomware, and can also cause overdue upgrades to pile up until they are all needed at once, resulting in a jarring case of sticker shock.
A network security audit is not a sales call disguised as a "free consult". It is a valuable paid service in which you hire a consultant to perform an independent and thorough review of your IT systems and provide detailed reporting that helps you understand your cyber security gaps, shop for solutions or providers, plan immediate changes and create an IT budget for future needs. Of course, any consultant will toss their hat in the ring to win your business, but an initial impartial, no-strings-attached deep-dive review can be invaluable for any small business without an in-house IT department.
5 Ways To Protect Company Data
1. Install a Firewall AND Anti-Virus Software with Active Filtering
A common source of security breaches nowadays is official-looking emails that employees click on unwittingly. Don't rely on employees to exercise the necessary discretion, as many malicious emails look entirely authentic. Using system-wide commercial anti-virus (AV) software can protect your company email server. AV software is often a better choice than a multifunction appliance, as it is more scalable and can adapt as your company and its data needs grow.
If you have a private network, you need a firewall to protect the server from cyber-attacks. If only a small group of SMEs are accessing critical data on the server, you may be able to get away with appliance-based firewalls, but a larger operation should consider using a firewall with packet filtering, especially if you’re going to allow remote access.
2. Train Employees To Spot Phishing Scams
If your people are in constant contact with clients, they should all be aware of potential phishing scams that target sensitive data. Phishing scams can take the form of emails or phone calls in which bad actors pose as clients to obtain sensitive information. If your approach to verifying clients is not well-defined, standardize a client verification protocol and include it in your company policy.
3. Restrict Access to Data
Many recent data breaches have resulted from not restricting employees' access to data. It should be clear to everyone which employees are allowed to access which data, and you may need to restrict access to make this happen.
4. Perform Data Wipes
We all know about shredding sensitive paper-based data, but do you consistently wipe data from devices and computers before they are discarded or sold? If you have a dedicated IT person on staff, you probably do, but you'd be surprised how many smaller businesses skip this step. Beyond devices you intentionally discard or sell, you should also have the capability to perform remote wipes of devices such as phones, tablets and laptops, should they be lost or stolen.
5. Enforce Strong Passwords
Employees may gripe about having to change their passwords frequently, but being vigilant about password security will protect you, especially if you allow remote access to data. Enact strong password requirements. Note that it is no longer recommended to force a password change every 90 days. To learn more, download our updated Password Policy Guide For Small Business.
Cyber Security Consulting in Toronto ON: If you need help assessing your IT security systems in the greater Toronto area, TUCU can help. Established in 2003, we offer cyber / IT security consulting, remediation and support services. Please call us today for a free consultation to discuss your needs and how we can help.