Five mistakes you may be making with your IT security

Taking basic steps to ensure your IT system is secure is obviously essential. We all know the importance of having a firewall and a data backup system, but it’s easy to slip up elsewhere and leave your firm exposed. Make sure you aren’t making any of these common mistakes with your IT security.

1.  Failing to test your backups

It’s a nightmare scenario: your server has crashed, taking vital data with it. And when you reach for your backups, you find the files are corrupted.

“Businesses rarely check that they can restore data from their backup copy,” confirms Trevor Wood, consultant for Redline Digital Services. “For example, one of our clients had been backing things up religiously, but when they needed to restore the files, they found they hadn’t been saved properly.”

If you back up manually on tape or CD, the failure is most likely due to human error. You are bound to forget or be too busy at some point. Consider switching to an automatic cloud backup system which will copy your files to a server on the internet.

The solution:

If you’re taking regular data backups, test them periodically. “At the very least spot check: make sure you can recover the odd file here and there,” advises Trevor.

“It’s a good idea to try doing a full restore, too ― use your backups to recover all your software and data onto another computer to make sure it looks the way it should. A good IT supplier should be able to help with that.”
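One way to automate both the spot check and the full restore test described above, shown as an added example that is not part of the original article: record a SHA-256 checksum for every file when the backup is taken, then compare a test restore against that record. The function names, the manifest file and the directory layout are assumptions made for this illustration.

```python
import hashlib
import json
import random
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(source_dir, manifest_path):
    """Run at backup time: record a SHA-256 for every file being backed up.
    Keep the manifest somewhere other than the backup media itself."""
    source_dir = Path(source_dir)
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_of(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored_dir, manifest_path, sample_size=None, seed=None):
    """Run after a test restore onto another machine or folder.
    sample_size=None checks every file (full restore test); an integer
    checks that many randomly chosen files (spot check)."""
    restored_dir = Path(restored_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    names = sorted(manifest)
    if sample_size is not None:
        names = random.Random(seed).sample(names, min(sample_size, len(names)))
    report = {"ok": [], "missing": [], "corrupt": []}
    for name in names:
        restored = restored_dir / name
        if not restored.is_file():
            report["missing"].append(name)      # file never made it into the backup
        elif sha256_of(restored) != manifest[name]:
            report["corrupt"].append(name)      # restored bytes differ from the original
        else:
            report["ok"].append(name)
    return report
```

Any entry under "missing" or "corrupt" means the backup would not have saved you; comparing against a manifest rather than the live files avoids false alarms from documents edited since the backup ran.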

2.  Not protecting mobile data

From laptops to iPads and smart phones, greater use of mobile technology means you may be carrying a lot of valuable data when you’re out and about.

The obvious precautions are not always adequate. “Most people have a password on their laptop, but if I stole a laptop I could use a screwdriver to remove the hard drive then plug it into another computer to get the data off,” warns Trevor.

The solution:

Use encryption to scramble your files so nobody can read them, even if they pull the hard drive out of your laptop. “Some versions of Windows offer encryption, or you can get free software, like TrueCrypt,” advises Trevor.

You should also minimise the amount of data you keep on mobile devices. “Access the files you need through Wi-Fi or a 3G mobile connection,” suggests Rob Franklin, director of JPT Solutions. “That way they won’t be stored permanently on your laptop or mobile phone at all.”

3.  Choosing the wrong cloud computing service

Cloud computing is a way of using the internet to store data and carry out tasks that you would otherwise do with your own computer. Many businesses are moving to the cloud, attracted by its low upfront costs and inherent flexibility.

However, if you use cloud computing services that run on servers outside the European Economic Area (EEA) to store personal data ― such as the names and addresses of customers or employees ― you need to ensure you comply with the Data Protection Act (DPA).

Under European law, companies may transfer personal data to such countries only when an adequate level of protection is provided. “A number of services are based overseas,” points out Trevor. “Although they are secure, legally you may not be allowed to use them to store some kinds of data.”

The solution:

Ask providers where their servers are located. “Get them to put in writing that they store your data in the EEA,” advises Trevor.

In practice, many cloud computing services outside the EEA operate from servers in the USA. If this is the case, make sure the provider is signed up to the US-EU Safe Harbor Framework. This guarantees that they meet European Commission requirements.

If your cloud computing service is based in another part of the world, it’s wise to seek advice from the Information Commissioner’s Office (ICO) before proceeding.

“Businesses which transfer data overseas need to be sure it’s as secure as it would be on their own premises,” warns an ICO spokesman. “But we’d only prosecute if it became evident that the business was not compliant with the DPA ― so didn’t have a contract in place, and hadn’t carried out checks to ensure that the cloud service provider had adequate security.”

4.  Letting employees walk off with your data

“Most businesses take steps to secure their physical assets ― they lock the door, set the alarm, and so on,” offers Rob. “But often those same businesses won’t secure their data.

“They’ll allow password sharing and they’ll let people copy data to USB sticks, so employees can walk out of the business with the whole client database, and then take that to a competitor.”

The solution:

“You can restrict the use of USB storage devices by using software like Trend Worry-Free Business Security to lock down the USB ports on your computers,” explains Rob.

“You need to decide which employees can be trusted to use USB sticks at work,” he adds. “For example, limit access to one or two machines which are used by managers. Then if other employees need to save data to USB, they need to ask permission.”

5.  Ignoring software updates

‘Updates are available for your software.’ It’s a frustrating message that invariably appears when you’re rushing to hit a deadline. However, failing to act on it can be dangerous.

“Some updates provide significant performance and security enhancements,” confirms Rob. “When people don’t take these messages seriously, it can lead to problems, especially if the updates are to antivirus software or other security programs.”

The solution:

If you only have a few computers in your business, you can install updates onto each manually. Alternatively, ask your IT supplier to set up a centralised update system, to roll out software updates soon after they are released.

“The latest version of Windows forces you to install updates when you shut down,” closes Rob. “It can be annoying if you’re in a hurry to leave the office, but at least it means you know the updates get done.”

James Caan on using gadgets at work

“I have to admit that I’m quite attached to my BlackBerry and iPad,” confesses James Caan, founder of private equity firm Hamilton Bradshaw. “As a small business you may have one phone for both personal and business use ― to check emails and keep in touch with family and staff alike. You might think that this is saving time and money, but using a personal device for work is a huge gamble ― unless it’s protected, it puts your business information at risk.”

The former BBC Dragon gave us his key tips on using gadgets in the workplace:

  • Beware free Wi-Fi ― ensure you keep business information safe when using wireless networks outside the office. Educate staff on the dangers of Wi-Fi hotspots at airports and in cafés, which can be a breeding ground for malware.
  • Secure mobile devices ― make sure your device is both password protected and encrypted.
  • Save passwords carefully ― don’t save security PIN numbers or banking information on mobile phones or the desktop of your laptop. If they are lost or stolen, you are making it easy for your identity to be exploited.
