Small Business Data Security Requirements Summary

Business Legal requirements under Data Protection Act 1998

Identify/nominate the Data Controller: the person who determines the purposes for which, and the manner in which, personal data is processed.

10 practical ways to keep your IT systems safe and secure:

"Keeping your IT systems safe and secure can be a complex task and does require time, resource and specialist knowledge. If you have personal data within your IT system you need to recognise that it may be at risk and take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business…"

1: Assess the threats and risks to your business

What aspects of your business are totally IT dependent? What is the worst-case scenario, e.g. catastrophic system/hardware failure with no current backups, lost software licences and no insurance; what are the best actions to prevent it, and how would you recover from total loss if it happened? What functionality do you still have with no IT systems, if any?

2: The UK Government's Cyber Essentials Scheme describes the following five key controls for keeping information secure. Obtaining a Cyber Essentials certificate can provide certain security assurances and help protect personal data in your IT systems.

a) Boundary firewalls and internet gateways

b) Secure configurations (hardware and software dependent – e.g. check for insecure default settings such as default admin passwords, unnecessary services and open ports)

c) Access control – individual usernames/passwords, with each account given access only to the specific resources its role needs

d) Malware protection – periodic automated malware scans with reporting set up

e) Patch management and software updates (Windows, Apple and Linux) – set to auto updates as a general rule (system/service/software dependent!! Updates can break things, so test them first where a service matters and keep a backup to roll back to)
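As an added example for point (b), not part of the original summary or of the Cyber Essentials scheme itself, the shell check below reads the listening TCP sockets reported by `ss -tlnH` and reports any port reachable from the network that is not on your allowlist of expected services. The sample `ss` output, the process names and the allowlist of 22, 80 and 443 are constructed for illustration; loopback-only listeners are deliberately ignored because they are not exposed.

```sh
#!/bin/sh
# Added example: compare the TCP ports a host is listening on against an
# allowlist of the services you expect, and report everything else.
# Live use:    ss -tlnH | check_listening_ports "22 80 443"
# Offline use: the constructed SAMPLE_SS below stands in for ss output.

# Constructed sample of `ss -tlnH` output (invented, not from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=22))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1333,fd=4))
LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=1201,fd=7))'

# check_listening_ports "PORT PORT ..." : read ss -tlnH lines on stdin and
# print one line per listener that is bound to a non-loopback address and
# whose port is not in the space-separated allowlist. Exit 1 if any found.
check_listening_ports() {
    allow="$1"
    awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # 4th field is "Local Address:Port", e.g. 0.0.0.0:22 or [::]:443
        addr = $4
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)      # text before the last colon
        # Loopback-only listeners are not reachable from the network: skip.
        if (host == "127.0.0.1" || host == "[::1]") next
        if (!(port in ok)) {
            proc = ($6 ~ /users:/) ? $6 : "-"
            printf "UNEXPECTED port %s on %s %s\n", port, host, proc
            found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Demo against the constructed sample: reports 3306 and 23, not 22/80/443.
printf '%s\n' "$SAMPLE_SS" | check_listening_ports "22 80 443" || true
```

Run it from cron and mail yourself the output; an empty report is the expected state, and anything printed (here the database exposed on all interfaces and a telnet daemon) is a configuration to fix or to add to the allowlist deliberately.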

3: Secure your data on the move and in the office – physical media and data encryption considerations (e.g. full-disk encryption on laptops, encrypted USB media)

a) Physical security (distinct from logical data access): e.g. a server/patch cabinet – fire, theft, flood etc.; use of off-site backups – hardware, cloud or both?; user access to USB ports (data theft, and malware introduced at the user account's privilege level); network access – unauthorised wifi hubs or other devices added to the network?

4: Secure your data in the cloud (and devices like work laptops, memory media, storage)

Do you use unencrypted cloud backup services? Your client lists, business plans etc. are then at risk if the provider is breached. Even if encrypted, a weak or reused password guarding the account or the encryption key may be guessed or cracked to gain access.

5: Back up your data – (storage is cheap now – NO excuse for this not to be in place!!)

Have a robust backup strategy with multiple copies of the data in place – and periodically check that your backups actually restore and WORK!

Security checks on off-site physical media backups, and the cloud backup provider's contractual obligations;
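As an added example for point 5, not part of the original summary, the script below takes a compressed tar backup of a directory, records a SHA-256 manifest of the originals, and then proves the backup is usable by restoring it into a scratch directory and checking every file against the manifest. The "check your backups WORK" step is the one most often skipped; here it is a function you can run after every backup. The sample client list and plan file in the demo are constructed, and the paths in the usage note are placeholders.

```sh
#!/bin/sh
# Added example: backup with a verified test restore.
# Usage: backup_dir /srv/data /mnt/backup/data.tgz && verify_backup /mnt/backup/data.tgz

# hash_tree DIR : print "sha256  ./relative/path" for every regular file
# under DIR in a stable order, so two trees can be compared line by line.
hash_tree() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# backup_dir SRC ARCHIVE : archive SRC into ARCHIVE (tar.gz) and write
# ARCHIVE.sha256, the manifest of what the originals looked like.
backup_dir() {
    src="$1"; archive="$2"
    tar -czf "$archive" -C "$src" . || return 1
    hash_tree "$src" > "$archive.sha256"
}

# verify_backup ARCHIVE : unpack ARCHIVE into a fresh temp directory and
# compare the restored files with ARCHIVE.sha256. Returns 0 only when the
# archive is readable AND every file restores byte-for-byte.
verify_backup() {
    archive="$1"
    scratch=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: archive $archive is unreadable or truncated" >&2
        rm -rf "$scratch"; return 1
    fi
    hash_tree "$scratch" > "$scratch.actual"
    if cmp -s "$archive.sha256" "$scratch.actual"; then
        rc=0
    else
        echo "FAIL: restored files differ from the manifest:" >&2
        diff "$archive.sha256" "$scratch.actual" >&2
        rc=1
    fi
    rm -rf "$scratch" "$scratch.actual"
    return $rc
}

# Demo on constructed sample data (not real business files).
demo=$(mktemp -d)
mkdir -p "$demo/src/clients"
printf 'Acme Ltd,01234 567890\n' > "$demo/src/clients/list.csv"
printf 'business plan v3\n' > "$demo/src/plan.txt"
if backup_dir "$demo/src" "$demo/data.tgz" && verify_backup "$demo/data.tgz"; then
    echo "OK: backup restores cleanly"
else
    echo "BACKUP CHECK FAILED"
fi
rm -rf "$demo"
```

Keep the `.sha256` manifest with the archive (and a copy elsewhere): it is what lets you check a copy on off-site media or at the cloud provider months later without trusting the medium it was written to.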

6: Train your staff

Why security and system use policies are required and need adhering to.

"Accidental disclosure or human error is also a leading cause of breaches of personal data. This can be caused by social engineering, sending an email to the incorrect recipient or opening an email attachment containing malware…What can I do? Employees at all levels need to be aware of what their roles and responsibilities are. Train your staff to recognise threats such as phishing emails and other malware or alerting them to the risks involved in posting information relating to your business activities on social networks. You should encourage general security awareness within your organisation. A security aware culture is likely to identify security risks"

7: Keep an eye out for problems

"What can I do? Check your security software messages, access control logs and other reporting systems you have in place on a regular basis. You should also act on any alerts that are issued by these monitoring services. Make sure you can check what software or services are running on your network. Make sure you can identify if there is something there which should not be. Run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities – make sure you address any vulnerabilities identified."
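As an added example for point 7, and not part of the ICO guidance quoted above, the check below is the kind of "regular basis" log review the quote asks for: it reads sshd lines in auth.log format, counts failed logins per source IP, and flags any IP that crossed a threshold, flagging it loudly if a login from that IP then succeeded (a likely guessed password). The log lines, host name, user names and IP addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: review sshd authentication logs for brute-force activity.
# Live use:    auth_review 10 < /var/log/auth.log
# Offline use: the constructed SAMPLE_AUTH below stands in for the log.

# Constructed sample auth.log lines (invented, not from a real host).
SAMPLE_AUTH='Mar  3 09:12:01 office sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:12:04 office sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  3 09:12:07 office sshd[2233]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 09:12:09 office sshd[2235]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 09:12:12 office sshd[2237]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 09:12:15 office sshd[2239]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar  3 09:30:44 office sshd[2301]: Failed password for alice from 192.0.2.10 port 40110 ssh2
Mar  3 09:30:51 office sshd[2301]: Accepted password for alice from 192.0.2.10 port 40110 ssh2'

# auth_review THRESHOLD : read sshd log lines on stdin. Report each source
# IP with at least THRESHOLD failed logins; if a login from that IP was
# accepted after the failures, report it as an ALERT with the user name.
# Exit 1 if anything was reported, 0 if the log looks clean.
auth_review() {
    awk -v thr="$1" '
    # "... Failed password for [invalid user] NAME from IP port N ssh2":
    # the IP is always the 4th field from the end.
    /sshd\[[0-9]+\]: Failed password for/ {
        ip = $(NF-3); fails[ip]++
    }
    # "... Accepted password|publickey for NAME from IP port N ssh2":
    # NAME is the 6th field from the end, IP the 4th.
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
        ip = $(NF-3); user = $(NF-5)
        if (fails[ip] >= thr) compromised[ip] = user
    }
    END {
        for (ip in fails) {
            if (fails[ip] < thr) continue
            found = 1
            if (ip in compromised)
                printf "ALERT %s: %d failed logins then ACCEPTED as %s\n", ip, fails[ip], compromised[ip]
            else
                printf "WARN  %s: %d failed logins\n", ip, fails[ip]
        }
        exit found ? 1 : 0
    }'
}

# Demo against the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_AUTH" | auth_review 3 || true
```

An ALERT line is an incident, not a log entry to tidy up: the account's password needs changing and the session investigating. The threshold is deliberately a parameter, because a single user's one mistyped password (alice above) should not page anyone.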

8: Know what you should be doing

Security policies put in place and knowing why:

"what actions you should put into place should you suffer a data breach. Good incident management can reduce the damage and distress caused to individuals."

Basic Security Concepts – Principles For Any System or OS

9: Minimise your data

"The DPA says that personal data should be accurate, up-to-date and kept for no longer than is necessary. Over time you may have collected large amounts of personal data. Some of this data may be out-of-date and inaccurate or no longer useful."

10: Make sure your IT contractor is doing what they should be.

"Many small businesses outsource some or all of their IT requirements to a third party. You should be satisfied that they are treating your data with at least the same level of security as you would…Ask for a security audit of the systems containing your data. This may help to identify vulnerabilities which need to be addressed. Review copies of the security assessments of your IT provider. If appropriate, visit the premises of your IT provider to make sure they are as you would expect. Check the contracts you have in place. They must be in writing and must require your contractor to act only on your instructions and comply with certain obligations of the DPA. Don't overlook asset disposal – if you use a contractor to erase data and dispose of or recycle your IT equipment, make sure they do it adequately. You may be held responsible if personal data gathered by you is extracted from your old IT equipment when it is resold."