IT Security – a Strategy not just a Sticking Plaster
From time to time, you may be requested to complete a form to demonstrate your company is serious about IT security.
We are often asked to support clients with this – it’s very common for FCA-regulated businesses.
Whilst completing the form is pretty straightforward, it can feel like it’s a sticking plaster rather than a strategy.
What do we mean by that?
Rather than just ticking boxes to confirm policies are in place, what about stepping back and really looking at your business?
Is the company serious about IT and data security, and what would that look like?
Here are some of the things we recommend:
- All staff have regular IT security training
- Regular testing to ensure training is embedded – this is usually mock phishing emails
- Passwords – do you have protocols to force regular password updating? Do you make sure all staff use a secure password storage app such as LastPass, rather than their browser?
- Multi-factor authentication – is this set up for all devices to ensure users are trusted before they access systems?
- Data access – are controls in place to ensure all users only have access to the information they need to carry out their duties effectively?
- Data control – do you have the protocols in place to enable you to track all of your data – where it’s filed, when it was edited and by whom?
- Penetration testing – we work with a trusted partner who can ethically “hack” your business/systems to test how easy it is to get through your existing security measures
- Patch management – do you have a process in place to ensure all machines are regularly updated with patches for all software and operating systems? Do you spot check that to make sure it happens?
- Anti-virus software – do you have this installed on all desktops and laptops?
- Restore of backups – regularly test restoring from backup to ensure backups are effective and can be used if needed. It’s always best to test this when everything is working effectively, not wait until there is a disaster
- Lock screen – is this set up for all devices to ensure data is secure if a user leaves the device unattended for a period of time?
- Storage of company devices – leaving laptops under chairs when in a bar, or on the back seat of a car, is just an invitation. All devices should be stored away from prying eyes and secured to reduce the risk of theft.
Taking out insurance to protect against ransomware attacks and phishing may also be worth considering.
Many of the controls we have shared for consideration can be configured via the Microsoft 365 portal.
You can set up the parameters across the whole company, or drill down into specifics depending on the nature of the work being carried out in each department.
Making IT security a true strategy in your business is not going to make it 100% risk free – there’s no such thing. However, it will significantly reduce the risk, and keep the compliance bods happy. And just as important – it will help you sleep at night!
Additional peace of mind can also be achieved through security accreditation. We have achieved the Cyber Essentials Plus certification, and going through that process was a good exercise in reflecting on what’s really in place across the business.
And, on that subject, why don’t we help you lift the bonnet on what needs fixing in your business?
We offer an in-depth IT security audit where we identify the specific risks for your business together with our recommendations. Please let us know if you would like to arrange this – 01784 437 123.