Keeping your IT systems safe and secure can be a complex task and does require time, resource and specialist knowledge. If you have personal data within your IT system you need to recognise that it may be at risk and take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business. They don’t necessarily have to be expensive or onerous. They may even be free or already available within your IT systems.
So says the start of a 20-page guide, from the data protection watchdog, the Information Commissioner’s Office (ICO), titled A practical guide to IT security. It’s aimed at small businesses.
Simon Rice, Group Manager for Technology at the ICO, said: “We first released the guide in 2012 and whilst some new threats have emerged the classic security issues are still important to address.”
The document suggests the Government’s Cyber Essentials scheme as a self-help tool; there is no single product that will provide a complete guarantee of security for your business. The recommended approach is to use a set of security controls that complement each other but will require ongoing support in order to maintain an appropriate level of security.
Besides the physical access security of an office or workplace, the guidance touches on malware protection, patch management and software updates, and remote computing facilities – commonly known as the cloud. “Processing data in the cloud represents a risk because the personal data for which you are responsible will leave your network and be processed in those systems managed by your cloud provider. You therefore need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.”
The ICO also points to the human side of information security: “Your employees may have a limited knowledge of cyber security but they could be your final line of defence against an attack. Accidental disclosure or human error is also a leading cause of breaches of personal data. This can be caused by simply sending an email to the incorrect recipient or opening an email attachment containing malware.”