Key Components of a Robust Security Plan Every SMB Must Know


Most businesses are now technology dependent. This means security concerns aren’t just worrisome to large corporate enterprises anymore, but also the neighborhood sandwich shop, the main street tax advisor, and the local non-profit. Regardless of size or type, practically any organization has valuable digital assets and data that should not be breached under any circumstances. Any business that collects, accesses and stores sensitive client, customer and employee data has an obligation to safeguard this information. With the impending General Data Protection Regulation (GDPR) in May 2018, data protection is fundamental for any business wishing to remain competitive and survive.

To effectively protect your business and its reputation, you need to develop and implement a robust security plan. Your plan should encompass all aspects of your enterprise, from physical access control and theft prevention to, most importantly, your IT infrastructure, which must be adequately protected against hacking, viruses and malware, and other forms of cybercrime aimed at data breach. As your business changes and grows, you'll need to modify your security plan accordingly.

Devising a security plan for your technology means defining and outlining acceptable uses of your network and business resources to counteract inappropriate access and use. When establishing your plan, you need to consider four key components: network security policy, communications policy, privacy policy and consequences of inappropriate use.

Network Security Policy:

Limitations must be defined when it comes to acceptable use of the network. Passwords should be strong, frequently updated, and never shared. Policies regarding the installation and use of external software must be communicated.

Lastly, if personal devices such as laptops, tablets, or smartphones are accessing the network, they should be configured to do it safely, which can be done easily with a reliable Mobile Device Management (MDM) solution.

Communications Policy:

Use of company email and Internet resources must be outlined for legal and security reasons. Restricting data transfers and setting requirements for the sharing or transfer of digital files within and outside of the network is recommended. Specific guidelines regarding personal Internet use, social media, and instant messaging should also be clearly outlined. If the company reserves the right to monitor all communication sent through the network, or any information stored on company-owned systems, it must be stated here.

Privacy and the GDPR:

In accordance with the current UK Data Protection Act (DPA), you need to guarantee the privacy of company and client data. Restrictions should be set on the distribution of proprietary company information, the copying of data and the length of time for which data is stored.

The GDPR promotes the practice of ‘privacy by design’, an approach that is cognisant of privacy and data protection compliance from the start of any process that is data reliant. Privacy by design is particularly applicable in the context of building new IT systems for storing or accessing personal data, embarking on a data sharing initiative or using personal data for new purposes.

With the implementation of the GDPR just around the corner, it’s a wise move to ensure that your SMB is compliant with all the regulations for accessing, using and storing personal data. When your enterprise applies privacy by design, you are minimising privacy risks and building trust with stakeholders. Privacy by design is protective and preventative end-to-end data protection and shows that your SMB has privacy embedded into your IT architecture and business practices.

Privacy by design means that potential problems related to data protection are identified early on, your employees will have an increased awareness of data protection, and your SMB will be more likely to meet legal obligations and thereby avoid costly breaches of the GDPR.

Inappropriate use:

Your well-structured and clearly defined IT security plan should comprehensively cover your network, communications and privacy. From this premise, you should assume that your employees are fully aware of their obligations in terms of data protection and privacy. The consequences of any attempt to distribute viruses, hack systems or engage in any other form of cybercriminal activity should be integral to your IT security plan.

Your employees should also be fully aware of your SMB policy on web browsing. You may wish to restrict or in some cases prohibit access to certain websites via your network, even if individuals are using personal devices. For instance, downloading movies or music from peer-to-peer file sharing sites via the BitTorrent protocol is an unacceptable and exploitative use of company Internet resources.

Every employee must know these policies and understand the business and legal implications behind them. Companies must also make sure these policies are clear and understood by all, and most importantly, strictly enforced.
