
New security guidance from the ICO on small businesses

17 July 2012

The Data Protection Act states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This is known as the seventh data protection principle and is explained in more detail on the Information Commissioner’s Office (ICO) website, www.ico.gov.uk.
 
Keeping your IT systems safe and secure can be a complex task and does require time, resources and specialist knowledge. If you hold personal data within your IT systems you need to recognise that it may be at risk and take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business. They do not necessarily have to be expensive or onerous; they may even be free or already available within the IT systems you already have.
 
The ICO has produced a guide (see link) to give small businesses practical advice in the area of IT security. Read the guide.
 
What is in it for Small Businesses?
Breaches of data protection legislation could lead to businesses incurring a fine of up to £500,000 in serious cases. The reputational damage to a business caused by a high-profile incident of data loss or theft could potentially cost far more.
 
However, there are practical measures that businesses can put in place to prevent security breaches or limit the damage if they do occur. The ICO has produced a guide (see link) to give small businesses practical advice in the area of IT security.
 
At a high level, these practical measures are:
Assess the risk to your business
Review the personal data that you hold and assess the risks to that data. With a clear understanding of the risks you can start to choose the security measures that are suitable to your needs.
 
Use a layered approach to security
There is no single product that can guarantee 100% security for a business, however small or large the organisation. The key to effective security is a layered approach combining different tools and techniques: if one layer fails, others are in place to catch the threat.
 
Secure your data on the move
You need to ensure that the same level of security is applied to personal data on devices used away from the office (e.g. laptops, tablets, mobile phones, USB drives, email messages, social network messages and post). Businesses can reduce the impact of a stolen device or data by ensuring that personal data is either not on the device in the first place or has been appropriately secured (for example, encrypted) so that it cannot be accessed.
 
Keep your systems up to date
Computer equipment and software need regular maintenance to keep them running smoothly and to fix any security vulnerabilities. Security software such as anti-virus and anti-malware tools needs regular updates in order to continue to provide adequate protection.
 
Monitor for problems
Cyber criminals or malware can attack your systems and go unnoticed for a long time. Many businesses only find out they have been attacked when it is too late, even though the warning signs were there. It is therefore important that businesses monitor their systems for unusual activity on a frequent basis.
 
Minimise the amount of data stored
The Data Protection Act says that personal data should be accurate, up to date and kept no longer than is necessary. Over time a business may have collected large amounts of personal data, some of which may be out of date, inaccurate or no longer useful; data you no longer hold cannot be lost or stolen.
 
Make sure your IT contractors and IT service suppliers are doing what they should with your data
Many businesses outsource some or all of their IT requirements to a third party. Businesses should satisfy themselves that these third-party suppliers are treating their data with the same level of security as the business itself would.
 
How we can help...
The range of topics covered by the ICO guide can make keeping the IT network safe and secure a daunting and complex task for a business. Moore Stephens offers specialist advice and guidance appropriate to your business to help you.
 
For further information, please contact the Moore Stephens IT Assurance team. 
 