Threats to your data can be internal to your business as well as external. Hackers can access networks that are not properly secured, thieves can break into your office and steal equipment or your own staff could carry your data out of the office on portable media.
External threats by hackers are expected and the risks can be reduced through the security measures discussed on this website. Internal threats are more difficult to anticipate but can be equally devastating to your business. Staff may remove data inadvertently or on purpose for financial gain or revenge.
Data is very easily transported out of your office using writable CDs or DVDs, USB drives, MP3 players or mobile phones. All of these devices can hold large amounts of data and are a discreet way for an employee to copy data and walk out of the office without you ever knowing.
You need to think carefully about where you store data and how you secure it physically and electronically, who has access to it and what devices you allow staff to connect to your computer network.
- Undertake a risk analysis as part of your business security planning. Develop a plan for how to prevent, detect and respond to threats if they occur.
- Create individual user accounts for all staff that have access to your computers. This will allow you to control who can access your business data by restricting access to drives and folders to specific user accounts.
- Develop clear policies for employees using your computer network. Ensure that they understand what equipment and data they can access and how they should handle confidential or business-critical data.
Undertake a risk analysis
Undertake a risk analysis as part of your business security planning, ensuring that you consider your exposure to data theft and the impact it would have on your business. You should:
- identify what data you have, whether it is business data or customer data, and categorise it, e.g. financial, personal, operational, etc.
- identify how critical it is to your business. Data collected from customers (credit card details, personal addresses and phone numbers, etc.) may be particularly sensitive if it were stolen. Your business has legal responsibilities regarding the privacy and protection of customer data.
- identify the impact on your business if this data is stolen
- identify where and how your data is currently stored and who has access to it both physically and electronically
- identify how and when this information is used in your day-to-day operations and by whom.
Once you have identified the key areas of risk, develop a plan for how to prevent, detect and respond to them if they occur. Develop clear policies and procedures to ensure that the plan is implemented effectively and that staff understand their responsibilities.
Control access to your computers and data
You should only provide access to your computer network and data to those who need it to do their job. Determine staff access to data on a need-to-know basis. Consider how to separate staff roles and responsibilities so that you can segregate data more effectively.
Create individual user accounts for all staff who have access to your computers. Having separate user accounts will allow you to control who can access your business data by restricting access to drives and folders to specific user accounts.
This will allow you to manage what level of access each person has and, potentially, to monitor the transfer of data via external media or email.
Most operating systems allow you to create Standard or Administrator level accounts. It is recommended that normal users have accounts without the ability to install software (Standard accounts), as this greatly reduces the chance of spyware or viruses being installed without their knowledge.
If you have employees that occasionally need to install or modify software, create two accounts for them. Create one as a Standard account and one as an Administrator account. They should only use the Administrator account when they need the additional privileges.
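As an added example (not from the original page) of checking the account separation described above on a Linux system: the script below reads copies of /etc/passwd and /etc/group and reports, for each daily-use account, whether it holds administrator rights through the sudo, wheel or admin groups. The sample account data is constructed for the example.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd and /etc/group.
# "alice" uses an administrator account for daily work; "bob" has the
# recommended split: a Standard account plus a separate "bob-admin" account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
bob-admin:x:1002:1002:Bob (admin):/home/bob-admin:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob-admin
wheel:x:10:
users:x:100:alice,bob,carol'

# Print "<user> admin" or "<user> standard" for every human login account
# (UID >= 1000 with a real shell). $1 = passwd file, $2 = group file.
# Membership of sudo, wheel or admin is treated as administrator level
# (assumption: these are the administrative groups on the host).
account_levels() {
    admins=$(awk -F: '$1 ~ /^(sudo|wheel|admin)$/ && $4 != "" { print $4 }' "$2" \
        | tr ',' '\n' | sort -u)
    awk -F: '$3 >= 1000 && $7 !~ /nologin|false/ { print $1 }' "$1" | sort -u \
        | while read -r user; do
            if printf '%s\n' "$admins" | grep -qxF "$user"; then
                echo "$user admin"
            else
                echo "$user standard"
            fi
        done
}

# Stand-alone run against the constructed files in a temporary directory.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$WORK/passwd"
printf '%s\n' "$SAMPLE_GROUP" > "$WORK/group"
account_levels "$WORK/passwd" "$WORK/group"
rm -rf "$WORK"
```

Any daily-use account that reports "admin" is a candidate for the two-account arrangement described above.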
Install Data Loss Prevention (DLP) software
You can install Data Loss Prevention (DLP) software that can be used to disable USB ports or to monitor or restrict the copying of files to USB devices. This software can be set to silently monitor transfers or actively stop users from transferring data.
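Both modes mentioned above, silent monitoring and active blocking of USB storage, can also be done with standard Linux tools rather than a DLP product. This added example (not from the original page) scans a kernel log for removable-disk attachments and writes a modprobe drop-in that stops the usb-storage driver from loading; the log lines are constructed, and the drop-in is written to a path you choose rather than installed.

```shell
#!/bin/sh
# Constructed sample kernel log (dmesg-style) showing two USB sticks being
# attached (sdb, sdc) and one fixed disk (sda) that must not be reported.
SAMPLE_LOG='[  101.221000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  101.390000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  102.410000] sd 6:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)
[  102.455000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  350.002000] sd 0:0:0:0: [sda] Attached SCSI disk
[  611.770000] usb-storage 1-2:1.0: USB Mass Storage device detected
[  612.900000] sd 7:0:0:0: [sdc] Attached SCSI removable disk'

# Monitoring: print "<timestamp> <device>" for each removable disk attached,
# read from the log file named in $1.
removable_attachments() {
    awk '/Attached SCSI removable disk/ {
        ts = $0; sub(/^\[ */, "", ts); sub(/\].*$/, "", ts)
        dev = $0; sub(/.*\[/, "", dev); sub(/\].*$/, "", dev)
        print ts, dev
    }' "$1"
}

# Blocking: write a modprobe drop-in to $1 that prevents the usb-storage
# driver from loading, so plugged-in media never appears as a disk.
# (Assumption: a Linux host that honours /etc/modprobe.d; copy the file there
# and reboot or unload the module for it to take effect.)
write_usb_storage_block() {
    cat > "$1" <<'EOF'
# Deny USB mass storage: "install" runs /bin/false instead of loading the module
install usb-storage /bin/false
blacklist usb-storage
EOF
}

# Stand-alone run against the constructed log and a temporary drop-in file.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$WORK/kern.log"
removable_attachments "$WORK/kern.log"
write_usb_storage_block "$WORK/usb-storage-deny.conf"
cat "$WORK/usb-storage-deny.conf"
rm -rf "$WORK"
```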
Implement access and use policies
You should develop policies that outline what equipment and/or data your staff can access and how they should handle confidential or business-critical data. You should also outline the consequences for breaches of the policy as this can act as a deterrent and can ensure staff take the requirements seriously.
Your policy should cover:
- who can access business equipment and/or data
- how different types of data and specifically confidential information should be treated, including restrictions on emailing data
- use and security of passwords, including locking access when away from the desk and logging off at the end of the day
- restrictions on installation of programs and software
- use of remote access, particularly securing equipment and/or the connection from
- working from home, if allowed, particularly secure transfer and storage of data in a home environment
- restrictions on use of computers for storing personal files such as music or video
- details of any monitoring activity you will undertake, if any
- consequences of breaching the policy.