How to keep your business data secure
When people think of data security, they often think of passwords, and passwords do matter. But really, you need to consider every step of the data journey: every point at which a piece of data is collected, handled, processed, stored or deleted. Before we outline how to do this, we should quickly cover why it matters.
- There are laws around data protection (in the UK, the Data Protection Act 2018 and the UK GDPR) and if you don’t follow them you may be fined or prosecuted
- You are (hopefully) contractually obliged, whether to clients, customers or employees, to keep data secure
- Reputationally, a breach makes clients and customers wonder whether you can be trusted with their data, and therefore whether they should use your services
- It protects the business itself: the same controls that keep personal data safe also stop your own financial and commercial information, and your systems, being stolen or held to ransom
So now you know why you should keep data secure, let’s take a look at a few ways to do this.
Establish a data security policy
You should create a data security policy so that you and anyone you work with follow the same, correct processes. Checking how you protect data now and then is not enough. A policy that is regularly reviewed and updated lets you be sure that risks have been identified and mitigated and that data is processed in the right way. In it, identify every point at which data is collected, processed, stored and deleted, and who is responsible at each point. It should also cover how employees use devices outside the office, e.g. they should not use public wifi unless connected to the VPN.
A full audit may help you to realise the intricate path data can take and just how many chances there are for something to go wrong, and so what the policy needs to cover. Everyone on your team who handles data should be trained on the policy and made aware of just how important it is. This is primarily to prevent problems in the first place, but it also demonstrates, should something unfortunate happen, that the failure was not for lack of procedure. That sounds a little heartless, but the ICO can issue large fines, and you are far less likely to receive one if you can show you did everything you reasonably could. Regulators accept that human error happens. If the same error happens more than once, they will start asking whether it was really an error or a lack of procedure or training, and if it is the latter a fine becomes much more likely.
One important caveat: having a policy and training staff on it does not guarantee you will avoid a penalty. You have to ensure that staff can actually follow it and that the training is thorough. Responsibility for data protection always remains with the business owner and the ultimate data controller.
Use a VPN
VPNs are brilliant and we love them. A VPN creates a private network over a public internet connection: traffic between the user’s device and the office is encrypted, so anyone on the network in between (a coffee shop’s wifi, for example) cannot read or tamper with it. It also lets a user’s device reach resources that are normally only available inside the office, such as printers and shared drives. Bear in mind that a VPN protects data in transit only; once a file is on the laptop it still needs the device-level controls covered below. The main advantage over other solutions is their security and simplicity.
We generally use Draytek for our smaller IT support clients and Cisco Meraki for larger companies we work with. Both provide strongly encrypted links to the office, but Meraki is more stable and has more capacity. There are two types of VPN:
- Client VPN – a user’s device connects to the office over an encrypted tunnel
- Site-to-site VPN (a tunnel, or a tunnel mesh between several sites) – links entire sites’ networks together so they behave as one private network
We can advise what is best based on your business and needs, but we would recommend doing this immediately if you don’t have one already, and making it a priority when setting up a new business.
Access to data
Following on from the above, ensure that data is only accessible to those who need it. The more people who can access it (even if they never do), the greater the chance of a breach, whether through a mistake or a compromised account. Furthermore, under the GDPR, data must only be processed for the purpose it was collected for, and only as much data as that purpose needs. So if it is accessible to people who will never use it for that purpose, you have to ask: was it collected for what they might do with it? If not, the lawful basis you rely on (consent, for example) does not cover that access. Review access rights regularly, and remove them when someone changes role or leaves.
On another point of access, make sure that before access is given, employees have been through appropriate checks. These could include background checks (depending on the data you handle, this could be essential), confirming that data security training has been provided or is up to date, and checking how your remote working systems are set up (put this in place now rather than waiting for another pandemic). Furthermore, any devices or systems they use need to be appropriately secured: mobile devices, password managers and USB ports, for example. A final point on passwords: a strong, unique password for every system is always a good idea, and a password manager makes it a lot easier to generate and store them, with multi-factor authentication on top wherever the system supports it. That way you should never catch someone out with the classic Password123, as there is really no excuse for that!
Data storage and back-up
Ensure that your data storage and back-up systems are secure. Our general aim is to be able to retrieve a file that has been deleted, overwritten or moved for 3 months after the event. Where we recommend a cloud-based system, we use Microsoft Sharepoint, which offers a version history of each file and retention of deleted and overwritten files; check that the retention period configured in your tenant actually meets that 3-month aim. Microsoft provides the resilience against physical failures on their systems, but that is not the same as a backup: it will not undo a deletion, or a ransomware encryption that has been synced up, once the retention window has passed.
If it’s locally-based (on-premise) we like to implement a 3-2-1 policy: three copies of the data, on at least two different types of storage, with at least one copy offsite. In practice we run three backups alongside the live data, two onsite and one offsite. The first onsite backup is a general version history (shadow copies in Windows, for example); the second is a backup to a local drive or NAS. Note that shadow copies live on the same disks as the data, so they do not count as a second medium on their own. The offsite backup is generally through Acronis, as they let us take a full system image of the server that can be restored to any machine in a disaster recovery situation, and they provide email notifications of successes and failures. Physical resilience is provided on the server/NAS through a RAID array, but RAID is not a backup: it protects against a failed disk, not against deletion, corruption or ransomware, which is exactly what the offsite copy is for. Two further checks: the backup destinations should not be writable with ordinary users’ credentials, or ransomware that gets onto a workstation will encrypt the backups too; and a backup that has never been restored is untested, so schedule test restores. The key feature with all of the solutions we advise is automation, as human error is often the greatest weakness.
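To make the 3-2-1 rule and the 3-month retention aim above something a script can check rather than something a person remembers to look at, here is an added example (not PlanIT’s tooling, and not Acronis’s) that audits a constructed inventory of copies. The `Copy` record, the field names and the two sample inventories are assumptions for the example; in a real deployment the `last_success` timestamps would be read from the backup software’s logs or notification emails, and the findings list would drive the alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed "now" so the example is reproducible offline.
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
RETENTION_TARGET_DAYS = 90   # the "retrieve a file for 3 months" aim


@dataclass(frozen=True)
class Copy:
    """One copy of the data: either the live working copy or a backup job."""
    name: str
    medium: str                                # storage type: "server-disk", "nas", "cloud", "usb"
    offsite: bool
    live: bool = False                         # the working copy counts towards the 3 copies, but is not a backup
    last_success: Optional[datetime] = None    # when this backup last completed
    max_age: timedelta = timedelta(days=1)     # how stale a backup may be before we alert
    retention_days: int = 0                    # how far back this copy lets us recover a file


def audit_backups(copies: List[Copy], now: datetime) -> List[str]:
    """Return a list of findings; an empty list means the policy holds.

    Checks: at least 3 copies (live + backups), at least 2 distinct media,
    at least 1 offsite copy, every backup job recently successful, and at
    least one backup able to recover files as far back as the retention target.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))}); need 2 different media")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy: fire, theft or ransomware on site takes everything")
    for c in copies:
        if c.live:
            continue
        if c.last_success is None:
            findings.append(f"{c.name}: has never completed successfully")
        elif now - c.last_success > c.max_age:
            age = now - c.last_success
            findings.append(f"{c.name}: last success {age.days}d {age.seconds // 3600}h ago, exceeds {c.max_age}")
    best = max((c.retention_days for c in copies if not c.live), default=0)
    if best < RETENTION_TARGET_DAYS:
        findings.append(f"longest retention is {best} days; target is {RETENTION_TARGET_DAYS}")
    return findings


# Constructed inventory matching the on-premise setup described above.
# Shadow copies share the server's disks, so they share its medium.
GOOD = [
    Copy("live file server", medium="server-disk", offsite=False, live=True),
    Copy("shadow copies", medium="server-disk", offsite=False,
         last_success=NOW - timedelta(hours=2), max_age=timedelta(hours=12), retention_days=30),
    Copy("nightly to NAS", medium="nas", offsite=False,
         last_success=NOW - timedelta(hours=9), retention_days=90),
    Copy("offsite image", medium="cloud", offsite=True,
         last_success=NOW - timedelta(hours=10), retention_days=90),
]

# Constructed inventory with the mistakes we most often find: no offsite copy,
# a USB drive that last worked five days ago, and retention far short of 3 months.
BAD = [
    Copy("live file server", medium="server-disk", offsite=False, live=True),
    Copy("shadow copies", medium="server-disk", offsite=False,
         last_success=NOW - timedelta(hours=2), max_age=timedelta(hours=12), retention_days=30),
    Copy("usb drive by the server", medium="usb", offsite=False,
         last_success=NOW - timedelta(days=5), retention_days=14),
]


if __name__ == "__main__":
    for label, inventory in (("good", GOOD), ("bad", BAD)):
        findings = audit_backups(inventory, NOW)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run on a schedule, an empty result is the "success" notification and a non-empty one is the alert; the point is that nobody has to remember to open the backup console.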
Data disposal
We touched on deleting data in our first point on a data security policy, but this does need its own section, because destroying data is often where people slip up. You need an effective data disposal procedure so that once data is no longer required, or you no longer have a lawful basis to keep it, it isn’t simply sent to the trash and considered finished with: a deleted file usually stays on the disk until it is overwritten, and copies may survive in backups, email attachments and version histories. Be thorough: use secure-erase tooling, or the retention and deletion features of the software you already have, and make sure the procedure reaches the copies as well as the original. Should you need to retain data for a particular reason, you can pseudonymise or anonymise it. If you go with pseudonymisation, keep the key or lookup table that reverses it well away from the data, remember that pseudonymised data is still personal data under the GDPR, and be sure that any other data you hold alongside it cannot be combined to identify someone.
Endpoint protection
Make sure you have software to protect your hardware and software. We use Sophos Central, a business-only endpoint protection product. It scans every file a user opens so that malware is stopped before it can run. One of the key features from our point of view is that we set it up to send us email notifications if a user’s device is out of date or compromised. This means we don’t have to wait for someone to tell us they think they have a virus: we can respond quickly, either preventing a problem by updating the device or acting fast if there has been an incident.
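The pseudonymisation caveat above is easy to get wrong in two ways: hashing the identifier without a key (which is reversible by guessing), and leaving other columns in place that still single a person out. The following is an added example, not code from the original post or from any product it mentions; the customer records are constructed (fictional people at example.com), the field names and the `subject_id` token name are assumptions, and the key in the demo is a placeholder that in real use would come from a secrets store kept apart from the data.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List

# Constructed customer records (fictional people, example.com addresses).
# Field names are assumptions for the sake of the example.
RECORDS = [
    {"email": "alice@example.com", "postcode": "CM1 1AA", "order_total": 120.50},
    {"email": "bob@example.com",   "postcode": "E1 6AN",  "order_total": 35.00},
    {"email": "carol@example.com", "postcode": "CM1 2BB", "order_total": 18.99},
    {"email": "dave@example.com",  "postcode": "E1 7CD",  "order_total": 250.00},
    {"email": "alice@example.com", "postcode": "CM1 1AA", "order_total": 42.10},
    {"email": "erin@example.com",  "postcode": "CM2 0ZZ", "order_total": 9.99},
]


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Replace the email with a keyed token (HMAC-SHA256).

    The same email always gives the same token, so one customer's orders can
    still be linked for analysis, but without `key` the email cannot be
    recovered. The key is the 'additional information' that must be kept
    separately from the data (in a secrets store, not beside the export).
    """
    out = []
    for r in records:
        token = hmac.new(key, r["email"].strip().lower().encode(), hashlib.sha256).hexdigest()
        out.append({"subject_id": token, "postcode": r["postcode"], "order_total": r["order_total"]})
    return out


def naive_hash(email: str) -> str:
    """The common mistake: an unkeyed hash of the identifier."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reverse_tokens(tokens: Iterable[str], candidate_emails: Iterable[str]) -> Dict[str, str]:
    """Recover emails from unkeyed hashes by hashing every plausible candidate.

    Email addresses come from a small, guessable space (customer lists, leaked
    address books), so an unkeyed hash is reversible by enumeration. The same
    attack against HMAC tokens recovers nothing, because the attacker lacks the key.
    """
    lookup = {naive_hash(e): e for e in candidate_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


def singled_out(records: List[dict], fields: List[str]) -> int:
    """Count records whose combination of quasi-identifiers occurs only once.

    A record that is unique on fields like postcode can be re-identified by
    anyone who knows those facts about a person, even with the email removed.
    This is the 'corresponding data' check the text warns about.
    """
    combos = Counter(tuple(r[f] for f in fields) for r in records)
    return sum(1 for r in records if combos[tuple(r[f] for f in fields)] == 1)


def anonymise(records: List[dict]) -> List[dict]:
    """Drop the identifier entirely and generalise the postcode to its outward code.

    Anonymisation is irreversible by design: there is no key to look after,
    but the data can no longer be linked back per customer either.
    """
    return [{"area": r["postcode"].split()[0], "order_total": r["order_total"]} for r in records]


if __name__ == "__main__":
    key = b"example-key-keep-this-in-a-vault"   # placeholder; generate with secrets.token_bytes(32)
    p = pseudonymise(RECORDS, key)
    print("alice's two orders share a token:", p[0]["subject_id"] == p[4]["subject_id"])
    guesses = [r["email"] for r in RECORDS]
    print("unkeyed hashes reversed:", len(reverse_tokens([naive_hash(e) for e in guesses], guesses)))
    print("HMAC tokens reversed:", len(reverse_tokens([r["subject_id"] for r in p], guesses)))
    print("records singled out by full postcode:", singled_out(RECORDS, ["postcode"]))
    print("records singled out after anonymising:", singled_out(anonymise(RECORDS), ["area"]))
```

Note that generalising the postcode reduces the number of records that stand out but does not eliminate it here (one customer is still alone in their area), which is why the check has to be run against the actual data rather than assumed.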
Keep reviewing and updating
Once you have done all the above, you can’t treat it as a job done and move on. With IT and the online world, everything moves quickly: vulnerabilities in software are found and exploited, and attackers get more sophisticated. We have seen over the past few years that attackers don’t just target big corporations; they often go after smaller businesses, which they presumably see as easier money, assuming less effort is involved in breaking in. You cannot assume it won’t happen to you. If it hasn’t so far, you have been lucky, but it only takes one small gap in your security processes for them to exploit. Some attackers will ask for a ransom, others may use your data for a bigger scam, and sometimes there doesn’t even seem to be a logical reason.
By applying software updates promptly and reviewing your processes regularly, you reduce the vulnerabilities that are open to attack. These reviews apply to all of the points set out above: your data security policy, access to data, storage and back-up, and so on. Put the reviews in your schedule so that they stay front of mind and remain a priority that is never ignored.
Get up to date
Data security is becoming increasingly important as technologies develop and more is done online. During the recent pandemic we had to support a huge number of clients to ensure they had appropriate remote working set up, and in doing so discovered many with flaws in their data security systems. This is worrying: their clients or customers could suffer a data breach, and any attack or human error could damage how the business itself works.
At a time when many businesses are focused on returning to normal operations, a disruption or breach could be fatal to their future. We would urge all companies to review the list above and make sure everything on it has been implemented or is in the process of being updated.
We work with clients across Essex and London providing IT support services. Whether you are a small start-up or a larger organisation, we can advise on your security systems and processes and get you set up with whatever you need. Whatever you do, make sure data security is a priority for your business.
I would recommend PlanIT to any business looking for a friendly and reliable IT service from very knowledgeable people. The service they have provided is second to none, even going as far as resolving technical issues outside of business hours within minutes. Their response time is swift, and their advice is competent and refreshingly clear.