Losing customer data is highly embarrassing for organisations and could lead to irreparable reputational damage and a crippling fine from the Information Commissioner’s Office (ICO). For a regulated industry, such as the finance or legal professions, the implications could be even greater. Whilst compliance to GDPR is essential for all businesses, regulated industries must adhere to stiffer compliance.
The adequacy of the IT Security within your organisation could mean the difference between compliance and non-compliance.
How your data is stored, backed up, archived and distributed will form part of compliance. Good practice will also reassure customers and prospects that you take your responsibilities seriously.
Storing, backing up and archiving data
Now that most sensitive data is stored electronically hackers will see this as a perfect target. Your organisation’s IT provision needs to remain at least one step ahead of the hackers.
Store data on servers that are:
- Within warranty
- Have all updates and upgrades carried out
- Are situated in a secure location
If on business premises the server should be in a room with strong security, such as fingerprint access. If off-site on a cloud server, specialist, recognised security software should be used in association with Multi Factor Authentication and a rigorous Password Policy.
Backups and archived files are obviously essential for any organisation, but once again these could be a target for unscrupulous individuals. Follow the guidance for Servers, above.
Inbound and outbound data
Data that comes into your organisation, and leaves it, is a target for security breaches. It’s also more difficult to control than data which remains purely within your business. Think Email.
Whilst you’ll have staff trained in what can be distributed, it’s also vital that rigorous email security software is in place. Alerts should be available so that any email which is potentially fraudulent gets flagged. Should an email breach the system it could cause staff to give away vital information by mistake. There’s also the risk of Malware infiltrating your systems allowing hackers to gain access to sensitive data.
Monitoring your systems and usage
Once you’re sure that data is stored securely and email security policies are in place, you need to make sure everything stays where it should, and is only accessed from trusted devices and by the people who are entitled to access the information. Proactive monitoring of systems, access logs, users and their associated privileges, and device compliance (is that remote-worker’s laptop still up to date with the latest protection/policies deployed?) reduces the likelihood of anything untoward happening on your estate. Tracking this activity, along with evidence of any remediations/improvements you implement will really help your case when discussing compliance with any 3rd parties such as customers, prospects, or regulatory inspectors.
Each organisation is different, and you will be aware of the controls by which you need to adhere. At Net Primates we can provide the IT Security knowledge to allow you to comply. If you’re not sure whether your organisation is fulfilling its security responsibilities then please get in touch to discuss your individual requirements.