5 IT Security Questions Every MD Needs to be Asking Their Team

Written by Neil Douglas | 19/02/16 12:21

One business trend that is guaranteed to gain traction in 2016 is data security – with the recent spate of cyber attacks on high-profile targets such as TalkTalk, V-Tech and Ashley Madison forcing many business owners to re-think their online security strategies.

Witnessing the devastating effects of these criminal acts through mass media highlights just how important data security has become to 21st Century businesses. The BBC reported that the TalkTalk hack could end up costing the network provider up to £35 million in one-off costs. These additional costs include covering the response to the incident, additional IT and security infrastructure, increased calls to the call centre and, of course, lost revenue due to the inevitable fall in consumer confidence.

While it’s easy to think this will never happen to your business, it pays to be prepared – and as the head of your business, the responsibility for keeping your team security savvy lies with you.

Cyber attacks, if successful, can have a detrimental effect on company finances, but they can also have a negative impact on other aspects of your business. These include damage to brand reputation, depleted staff morale and potentially damaging sanctions from authorities such as the Information Commissioner’s Office. This final point can cause major public embarrassment, especially if the security breach is significant enough to make headlines in the press.

Although technology is a major factor in online crime, it takes a back seat compared to the human element. According to IBM's 2014 Cyber Security Intelligence Index, human error was responsible for as much as 95% of all online security incidents.

1. Are they regularly updating hardware and software?

Most enterprise hardware has a life expectancy of around five years, and it’s your team’s job to keep on top of this. We would recommend planning and budgeting for technology refreshes around this time frame to keep your machines current - and, more importantly, to maintain their warranty. Most manufacturers and reputable IT departments won't support machines that are out of warranty, so those machines stop receiving fixes and become ideal targets for hackers and cyber criminals.

The same rules apply to software. It’s crucial that you keep all software and apps up to date with the latest version throughout your organisation to reduce your exposure to online threats. If your company website sits on a content management system (CMS), ensure you keep it up to date with the latest version - likewise with all third-party plugins that are part of the company website.

2. Are they taking password management seriously?

It’s essential that you make sure all staff members understand the risks to your organisation from external hostile sources. It’s best practice to undertake a series of workshops with a reputable external security contractor or your existing IT provider to educate your staff on how to mitigate risks to company data and raise awareness of cyber attacks and threats.

It goes without saying that your team shouldn’t be sharing their passwords with others, but it’s also important that they regularly change their passwords to reduce the risk of accounts being hacked. Sending out an email every three months (at a minimum) requesting staff change their passwords is one way to protect your company’s secure information.

While your staff might be keeping quiet about their passwords, is their choice of characters strong enough to stop hackers cracking them? Strong passwords protect all mobile devices and Internet-facing parts of your business – and with many security incidents occurring as a result of weak passwords that are easy to break, it’s crucial that you pick strong and different passwords for each of your accounts.

While it’s important that you trust your team, when it comes to cyber security, you can never be too careful. A staff member should only have access to the accounts they need to carry out their job. And if a member of the team leaves, it’s crucial that you change all passwords to the accounts they had access to.

3. Do they understand company data protection policies?

Changing organisational behaviour and implementing robust policies to safeguard company data is another important step. Ensure your staff are well drilled in policies relating to mobile device management, device encryption and the safe carriage of external storage devices such as removable hard drives and USB drives.

Not all company data assumes a critical level of importance. We suggest undertaking an audit of all company data and making an effort to ring-fence the most important and sensitive information whenever possible. Focus most of your efforts on customer data, including credit card details, email addresses and personal information such as account passwords and customer dates of birth.

4. Do they understand the backup plan?

In the real world, businesses have a finite amount of resources to throw at online security efforts. As such, there is no absolute guarantee that your business won't be affected by cybercrime at some point in the future – which is why it’s more important than ever to have a managed data backup in place.

Whether you take on this responsibility or delegate the job to a member of the team, monitoring and testing your security and your backups will mean that potential security threats are less damaging. Should you be affected by online crime, having a tested backup will at the very least let you restore your company information and resume business activity.

5. What are they doing to enhance the company’s data security?

With smaller business owners thought to be at higher risk of cyber crime than others in their industry, it’s crucial that your team are aware of the threats facing your business. By reviewing their understanding of cyber security and what it means for your business, you can potentially safeguard your company from damaging attacks. Think about the following:

• Do they understand why these processes are in place?
• Are they regularly changing their passwords?
• Do they understand their individual role and responsibility in the safeguarding of company data?
• Do they know who to tell if they have any security concerns?
• Do they know who to report a suspected breach, or the loss or theft of a device, to?

By ensuring your team are clued up on data security, you will move your business one step closer to a safer cyber future.