Taking basic steps to ensure your IT system is secure is obviously essential. We all know the importance of having a firewall and a data backup system, but it’s easy to slip up elsewhere and leave your firm exposed. Make sure you aren’t making any of these common mistakes with your IT security
It’s a nightmare scenario: your server has crashed, taking vital data with it. And when you reach for your backups, you find the files are corrupted.
“Businesses rarely check that they can restore data from their backup copy,” confirms Trevor Wood, consultant for Redline Digital Services. “For example, one of our clients had been backing things up religiously, but when they needed to restore the files, they found they hadn’t been saved properly.”
If you back up manually on tape or CD, the failure is most likely due to human error. You are bound to forget or be too busy at some point. Consider switching to an automatic cloud backup system which will copy your files to a server on the internet.
If you’re taking regular data backups, test them periodically. “At the very least spot check: make sure you can recover the odd file here and there,” advises Trevor.
“It’s a good idea to try doing a full restore, too ― use your backups to recover all your software and data onto another computer to make sure it looks the way it should. A good IT supplier should be able to help with that.”
From laptops to iPads and smart phones, greater use of mobile technology means you may be carrying a lot of valuable data when you’re out and about.
The obvious precautions are not always adequate. “Most people have a password on their laptop, but if I stole a laptop I could use a screwdriver to remove the hard drive then plug it into another computer to get the data off,” warns Trevor.
Use encryption to scramble your files so nobody can read them, even if they pull the hard drive out of your laptop. “Some versions of Windows offer encryption, or you can get free software, like TrueCrypt,” advises Trevor.
You should also minimise the amount of data you keep on mobile devices. “Access the files you need through Wi-Fi or a mobile connection,” suggests Rob Franklin, director of JPT Solutions. “That way they won’t be stored permanently on your laptop or mobile phone at all.”
Cloud computing is a way of using the internet to store data and carry out tasks that you would otherwise do with your own computer. Many businesses are moving to the cloud, attracted by its low upfront costs and inherent flexibility.
However, if you use cloud computing services that run on servers outside the European Economic Area (EEA) to store personal data ― such as the names and addresses of customers or employees ― you need to ensure you comply with the Data Protection Act (DPA).
Under European law, companies may transfer personal data to such countries only when an adequate level of protection is provided. “A number of services are based overseas,” points out Trevor. “Although they are secure, legally you may not be allowed to use them to store some kinds of data.”
Ask providers where their servers are located. “Get them to put in writing that they store your data in the EEA,” advises Trevor.
In practice, many cloud computing services outside the EEA operate from servers in the USA. If this is the case, make sure the provider is signed up to the US-EU Safe Harbor Framework. This guarantees that they meet European Commission requirements.
If your cloud computing service is based in another part of the world, it’s wise to seek advice from the Information Commissioner’s Office (ICO) before proceeding.
“Businesses which transfer data overseas need to be sure it’s as secure as it would be on their own premises,” warns an ICO spokesman. “But we’d only prosecute if it became evident that the business was not compliant with the DPA ― so didn’t have a contract in place, and hadn’t carried out checks to ensure that the cloud service provider had adequate security.”
“Most businesses take steps to secure their physical assets ― they lock the door, set the alarm, and so on,” offers Rob. “But often those same businesses won’t secure their data.
“They’ll allow password sharing and they’ll let people copy data to USB sticks, so employees can walk out of the business with the whole client database, and then take that to a competitor.”
“You can restrict the use of USB storage devices by using software like Trend Worry-Free Business Security to lock down the USB ports on your computers,” explains Rob.
“You need to decide which employees can be trusted to use USB sticks at work,” he adds. “For example, limit access to one or two machines which are used by managers. Then if other employees need to save data to USB, they need to ask permission.”
‘Updates are available for your software.’ It’s a frustrating message that invariably appears when you’re rushing to hit a deadline. However, failing to act on it can be dangerous.
“Some updates provide significant performance and security enhancements,” confirms Rob. “When people don’t take these messages seriously, it can lead to problems, especially if the updates are to antivirus software or other security programs.”
If you only have a few computers in your business, you can install updates onto each manually. Alternatively, ask your IT supplier to set up a centralised update system, to roll out software updates soon after they are released.
“The latest version of Windows forces you to install updates when you shut down,” closes Rob. “It can be annoying if you’re in a hurry to leave the office, but at least it means you know the updates get done.”
“I have to admit that I’m quite attached to my BlackBerry and iPad,” confesses James Caan, founder of private equity firm Hamilton Bradshaw. “As a small business you may have one phone for both personal and business use ― to check emails and keep in touch with family and staff alike. You might think that this is saving time and money, but using a personal device for work is a huge gamble ― unless it’s protected, it puts your business information at risk.”
The former BBC Dragon gave us his key tips on using gadgets in the workplace:
More information relating to IT security risks