We arrived at work on Friday to find that persons unknown (that’s the polite term for them) had smashed their way into our beloved studio and helped themselves to some of our valuable computer kit. Of course all our client work was safely backed up but it was a pain to clean up the broken glass, buy new hardware, transfer files onto new machines, deal with the police, sort out the insurance, and write about it on Facebook and on this blog.
When disaster strikes you either kick yourself for not being better protected or breathe a huge sigh of relief that you took precautions and prevented an even worse situation. How would you fare if something happened to your business IT?
It’s not just burglary you need to think of. Cyber security means protecting your hardware, software, sensitive data and intellectual property from unauthorized access, distortion, theft, or damage, by setting up good policies and processes. Yawn..! Yes – it’s not exciting but it IS important – especially if it’s important to your customers.
You need a plan, man
First you need to audit what you need to protect: your equipment, client data, proprietary content, product/pricing/contract details, and other information such as your customer databases, financial details and key documents.
What are the risks?
Then brainstorm all the risks or threats to your IT security. These include malicious attacks from viruses, hacking, employees stealing or deleting information, anonymous criminals and competitors, as well as accidental or negligent situations like losing a USB stick, having a corrupt hard drive or a mouse chewing through your cables. The risks might even come from your third-party suppliers: what do they actually promise in their service level agreements, and what happens to your data if they go down or go bust?
What are the consequences?
Then for each risk consider what impact it would have on your business, such as loss of revenue or lost client work, and also what indirect consequences might follow, such as clients losing faith, damage to your reputation or the cost of your time in dealing with an incident.
What precautions can you take?
Work out how you can address and mitigate each risk, and put processes in place. How will you back up your data, and back up your back-up? How will you protect and update passwords? How will you store laptops overnight? How will you ensure you don't let your website domain expire? Check what personal data protection legislation and payment card industry regulations you need to comply with. Ensure your staff are trained and have only the level of access to systems that their job needs. You might want to consider:
- Keeping an inventory of all IT equipment and software, including serial numbers (you will need them for the police and the insurer).
- Physical security controls such as your office lock-up procedure, CCTV and locking away hardware overnight.
- Strong, up-to-date malware and anti-virus protection.
- Using firewalls, proxies and access lists to protect your networks and Wi-Fi.
- Creating password rules so that passwords are difficult to guess (certainly not the default password!), not reused between systems, and changed when staff leave or you suspect a breach.
- Reviewing user privileges regularly and revoking accounts promptly so ex-employees and suppliers can no longer get in.
- Encrypting sensitive data when it is stored and when it is transmitted online, and securely wiping the disks of any machines you dispose of (deleting files is not enough; an encrypted disk with the key destroyed, or a proper wipe, is).
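The backup question above is the one most small businesses get half right: the files are copied somewhere, but nobody ever checks that the copy can be restored. The script below is an added example, not something from the original post or the studio's own setup. It backs up a folder to a tar archive, writes a SHA-256 checksum beside it, and then proves the archive restores to files identical to the originals; it also shows what happens when the archive has been damaged. The folder and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): back up a folder to a tar
# archive, record a SHA-256 checksum beside it, then prove the archive
# actually restores. All paths below are constructed for the demo.
set -u

# backup_dir SRC ARCHIVE  - archive SRC into ARCHIVE and write ARCHIVE.sha256
backup_dir() {
  src="$1"; archive="$2"
  tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")" || return 1
  # sha256sum is GNU coreutils; on macOS use: shasum -a 256
  ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# verify_backup ARCHIVE SRC  - check the stored checksum, restore into a
# scratch directory and diff against SRC. Returns 0 on success, 1 on any
# mismatch (corrupt archive, archive that will not extract, differing files).
verify_backup() {
  archive="$1"; src="$2"
  ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || {
    echo "FAIL: checksum mismatch for $archive"; return 1; }
  scratch="$(mktemp -d)"
  tar -C "$scratch" -xf "$archive" || {
    rm -rf "$scratch"; echo "FAIL: $archive does not extract"; return 1; }
  if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
    rm -rf "$scratch"; echo "ok: $archive restores to match $src"; return 0
  fi
  rm -rf "$scratch"; echo "FAIL: restored files differ from $src"; return 1
}

# corrupt_file FILE  - simulate bit rot or tampering by appending one byte
corrupt_file() { printf 'x' >> "$1"; }

# demo  - constructed sample data; exercises the good path and the damaged one
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/clientwork"
  printf 'logo v3\n' > "$work/clientwork/logo.txt"
  printf 'invoice 2014-07\n' > "$work/clientwork/invoice.txt"
  backup_dir "$work/clientwork" "$work/clientwork.tar"
  verify_backup "$work/clientwork.tar" "$work/clientwork"   # good archive
  corrupt_file "$work/clientwork.tar"
  verify_backup "$work/clientwork.tar" "$work/clientwork"   # damaged archive
  rm -rf "$work"
}
demo
```

Run the verify step on a schedule against the copy you would actually restore from (the off-site one, not the drive sitting next to the machine it backs up), and treat a single FAIL as an incident: a backup you have never restored is a hope, not a backup.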
And if the worst happens…
What is your recovery plan for each of these scenarios? Who you gonna call? How quickly can you detect something going awry, and then act to contain or fix it?
Hopefully you will never know the major inconvenience and swear words emitted when IT goes wrong – but there is a lot you can do to protect yourself and reduce your chances of it disrupting your business.
For the budding detectives among you…
If you see anyone offering a Macbook Pro with the serial number C2QLN05CFFT0, C2QN204VFD56 or 14938001YP3 – they are ours! Please let us know or call the police.