IT Security for your Business

IT security is means protecting your computer based equipment and information from unauthorised or unintended access, modification and damage. Almost all of us now use the internet to conduct our business, whether it's to market and sell our products and services, communicate with our customers and suppliers, and/or to carry out financial transactions online. The internet brings huge opportunities and benefits, but it also comes with risks.

Everyday there are many attacks on the IT systems of UK companies large and small, attempting to steal valuable information for financial gain and causing disruption to many businesses. Although you can never be completely safe online, you can manage the risks involved by adopting IT security best practices for your business.

Most online attacks can be prevented or detected with simple and straightforward security practices for your people, processes and IT systems. Just as you would lock your doors when leaving home and put your cash in a safe at the office, these security practises serve equal purpose and can help you manage your online security the same way you would protect other aspects of your business.

Understanding your risks

Directly at risk in the event of an attack is your money, your IT equipment and the information and IT-based services that this enables. Client lists, customer databases, your financial details, your customers' financial details, product designs, manufacturing processes, service offerings, your cost and pricing information, deals you are making and considering, and a myriad of other valuable information are information assets of your company that you must protect. Whether you store all this information in-house or via third-parties in the cloud, there is a risk to your IT services and the information it contains.

Your business competitors may be trying to gain a competitive advantage by launching an attack. Hackers may try to steal from you, attempting to compromise your valuable business information or disrupt your business. Or it could be people you already know and work with on a day-to-day basis. Disgruntled employees that hold a grudge, whether currently or previously employed by you, could compromise your business information by accident, through negligence, or with malicious intent.

Threats or attack vectors can be in the form of theft or unauthorised access to your business' computers, laptops, tablets and mobile phones. Attackers do not necessarily need physical access to your premises and can undertake remote attacks on your website or IT systems. They may also be able to do a lot of harm through third parties, such as through information held about you and your customers from hosted services providers or company bank accounts.

A single successful attack could seriously damage your business. Adverse impacts range from financial losses from theft of information, bank and financial details and outright electronic theft resulting in loss of money. Secondary losses result from the disruption to business and trading as a result of the attack, especially an acute problem if you rely on doing business online through ecommerce. In addition, there are numerous costs resulting from such incidents, such as the cost of cleaning up affected systems to get everything up and running again, fines resulting from personal data breach, and reputation damage leading to lost business of your customer base.

Plan, Implement and Review

Managing your information security risks needn't be complicated and can be distilled down to three iterative steps. Ask yourself the key questions outlined below as you begin setting out your information security best practice.

Plan

What information assets are critical to your business?
What kinds of risk could they be exposed to?
What legal and compliance requirements is your business subject to?
How could you continue to do business if you were attacked?
How can you manage these risks on an ongoing basis?

Implement

Have you put in place the right security controls to protect your equipment, information, IT system and outsourced IT services?
Do your staff know what their responsibilities are? Do they know what good practice looks like?
If you are attacked or something goes wrong, how will you deal with it and get back to business? Who will you turn to for help?

Review

Are you reviewing and testing the effectiveness of your controls?
Are you monitoring and acting on the information you receive from them?
Do you know what the latest threats are?

Asking the right questions will help you prepare to manage the risks to information security, and the answers to such questions should form guidelines of best IT security practice for your business. Many small businesses have suffered critical damage in a single security breach incident, and have never been able to recover sufficiently because they have not considered the risks and adverse impact of such an attack. Reduce your losses and minimise business disruption by taking action now, and don't leave it too late until after you've been attacked.