It's crucial that you protect the vital information your company holds, including customer details and financial information. If you don't, you risk your reputation, your current customers and your future business.
Effective data security involves understanding what data you hold, how you store it and use it. You need to put in place good data security procedures, including a backup routine.
1. The data you hold
Data protection is crucial for every business. To assess the risks, you need to know what data you store and use in your company.
If the data you hold includes personal data (and it almost certainly will), carry out regular data protection audits, to get an overview of the data you use, how well it is protected and how you are complying with data protection legislation, including GDPR.
Establish what data you store in your business
- Many businesses store information across multiple systems and in different locations.
- Think about the data you hold on central servers as well as information stored on laptops, staff computers, tablets and smartphones, and memory sticks. You may also have data on social networks such as Facebook.
- Consider data stored in the cloud (for example, on a service like Dropbox) and whether or not it is synchronised with one or more computers within the business.
- You may store data within your CRM or project management systems - most commonly in the form of file attachments.
- Build the most comprehensive list of data possible. Make sure you record where data is stored and who has access to it.
- Ensure that you clearly differentiate between personal and non-personal data. Personal data will be subject to the requirements of the General Data Protection Regulation (GDPR).
- Remember to include information stored outside of your business. For instance, your website is probably held on a server owned by a third-party hosting company, and you may use an external server for email or file storage purposes.
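The inventory described above is easier to build if you can search your file shares for the things that make data personal. The following is an added example written for this guide (it is not code from the original page): it walks a directory tree, flags text files containing two common kinds of UK personal data, and records for each hit who owns the file and whether every account on the machine can read it. It assumes a POSIX file system; the sample share, file names and patterns are constructed for the example and the National Insurance pattern is deliberately simplified.

```python
"""Find files that look like they contain personal data and record who can read them.

Added example for this guide, not code from the original page. It assumes a
POSIX file system (owner names come from the pwd module; elsewhere the numeric
uid is reported). The sample share, file names and patterns below are
constructed for the example and do not describe any real person or system.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Two common kinds of UK personal data. These patterns are deliberately simple
# triage aids, not a definitive classifier: expect some false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # National Insurance number, e.g. QQ 12 34 56 C (simplified: real prefixes exclude some letters)
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}
# Only text-like files are read; office documents would need a parser such as openpyxl.
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".md"}


@dataclass
class Finding:
    path: str               # relative to the scanned root
    owner: str              # who owns the file
    world_readable: bool    # True if any account on the machine can read it
    hits: dict = field(default_factory=dict)  # pattern name -> number of matches


def _owner_name(st):
    """Owner name for a stat result, falling back to the numeric uid."""
    try:
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)


def scan_tree(root):
    """Walk `root` and return a Finding for every text file that matches a pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = {k: len(p.findall(text)) for k, p in PATTERNS.items()}
            hits = {k: n for k, n in hits.items() if n}
            if not hits:
                continue
            st = os.stat(path)
            findings.append(Finding(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                owner=_owner_name(st),
                world_readable=bool(st.st_mode & stat.S_IROTH),
                hits=hits,
            ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_share(root):
    """Create a small constructed file share to scan (sample data, not real people)."""
    samples = {
        "sales/customers.csv": "name,email\nAda Example,ada@example.com\nBob Example,bob@example.org\n",
        "hr/new-starter.txt": "NI number: QQ 12 34 56 C\nPersonal email: new.starter@example.net\n",
        "public/README.md": "Nothing personal in this folder.\n",
        "finance/q1.xlsx": "binary office file, skipped by extension",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "sales/customers.csv"), 0o644)  # readable by everyone
    os.chmod(os.path.join(root, "hr/new-starter.txt"), 0o600)   # owner only


def demo():
    """Build the sample share in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}: owner={f.owner} {flag} {f.hits}")
```

Run it against a real share by calling `scan_tree("/path/to/share")` instead of `demo()`. The world-readable flag is the part worth acting on first: a customer list that every account can read is exactly the kind of finding the access-control advice later in this guide is about.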
Examine how valuable this data is
- Protecting business-critical data such as financial accounts and customer information is vital. If lost, it can seriously damage your business. You will want to give most protection to this data.
- Customer records and your accounting and financial data are vital, and where they contain personal data you must protect them by law.
- Business-critical data may also include employee records and valuable market intelligence.
- Personal data may or may not be business-critical, but a data breach involving personal data could be extremely costly to your business. The GDPR (retained in UK law after Brexit as the UK GDPR) gives regulators the power to issue fines of up to 4% of global annual turnover or €20m (£17.5m under the UK GDPR), whichever is higher, in the most extreme cases.
Look at how you use this data
- Consider who has access to the data and how often it is accessed or changed.
- Some data may be in constant use by many employees. For instance, your customer database.
- Other data, like staff records, may be accessed infrequently by only one or two employees.
- Think about how data is transferred. Is it sent by email, streamed online or simply moved on flash drives? What kind of security measures are in place (is it encrypted, for example)?
- When using online storage services such as Dropbox, consider how many computers, tablets or smartphones have access to the account, as it is likely some of them will keep up-to-date local copies of the files, too.
Build up a comprehensive list of data stored in your business
- For each type of data, you should know where it is stored, how often it is accessed, and who uses it.
- In the case of personal data, you should also keep records of how it was obtained, for what purpose, on what legal basis (an individual's consent, for example), and for how long it will be kept. You must be able to demonstrate compliance, so record everything you do with respect to data protection.
- You can use this list to pinpoint risks in the way your business handles data.
- Once you've identified any issues, you need to put a plan in place to secure this data.
Your legal obligations
You must comply with the GDPR
- The GDPR aims to ensure personal privacy, by giving individuals rights with regards to the information organisations store about them.
- The UK retained the GDPR in domestic law after Brexit as the UK GDPR, which sits alongside the Data Protection Act 2018.
- Most personal information your business holds is subject to the GDPR. Even that which might not immediately identify someone (data that has been pseudonymised, for example) may still qualify as personal data if it can be used to identify an individual (when used in combination with other data). Online identifiers such as IP addresses also qualify.
- If you hold personal information, you will have to pay a fee to the Information Commissioner's Office (ICO).
- There are some exceptions to this, but the process is straightforward.
- All businesses and organisations must comply with the data protection principles (six in Article 5(1), plus the accountability principle, which makes you responsible for demonstrating compliance) and protect the key rights of individuals under the GDPR.
- The GDPR is very similar in many ways to the Data Protection Act 1998 it replaced, but it covers a wider range of data and makes both data controllers and data processors more accountable.
- If you breach the GDPR, you could be liable for significant penalties and fines.
You can get more information about the GDPR
- Find out about your data protection obligations from the Information Commissioner's Office.
2. The dangers
You could lose or damage your data through human error
- It is easy to change, edit or erase data accidentally.
- For instance, a staff member could delete a crucial list of customers by mistake.
- Look for software with undo and rollback functions to minimise the risks posed by human error.
- If employees make mistakes don't blame them or punish them. Seek to understand what went wrong and ensure it doesn't happen again.
There are physical threats
- Hardware failures, such as a broken hard disk, can result in the loss of crucial files.
- Losing a personal storage device such as a USB drive, or a mobile phone or tablet could result in a serious data loss.
- A natural disaster could destroy a server holding key business information. For example, a fire or flood in your business premises.
- Theft of company computers or mobile devices can result in data falling into the wrong hands or being lost forever.
You could suffer a data breach online
- Malicious hacking by individuals or organisations seeking to gain information is a serious risk, particularly for companies that hold sensitive data.
- Some computer viruses erase files. These usually infect company systems through the internet, via a downloaded file or email.
- Other malware (malicious software) like trojans and spyware may read your data and transmit it across the internet or wipe it completely.
- Ransomware is now a common threat: malware encrypts your files (including any shared drives or connected backup disks it can reach) and the attackers demand payment for the key. Many groups also copy the data out first and threaten to publish it if you don't pay, so a ransomware incident is usually a data breach as well as a data loss.
- Make sure you follow good online security practice. Use security software and keep all software up to date. (Even non-security-related software such as Microsoft Office receives regular security fixes to protect it.)
You could be a victim of malicious action by an individual
- Anyone with access to your data could copy, steal or delete it.
- For instance, a disgruntled employee could steal or sell your customer database to a competitor.
- Access control is essential in reducing this risk. See Data use.
3. Data storage
Having a secure system to store data is critical for every business. Some storage methods are more secure than others. Consider how your data is stored, where your data is stored, and how safe it is.
Storing data centrally is generally most secure
- You should consider storing business-critical data on a central server.
- Keeping data in a single place reduces the number of copies that can be lost or stolen; in particular, it is not sitting on employee laptops or other mobile devices. It also makes that server a single high-value target, so it must be patched, access-controlled and monitored.
- However, having data in one place means there is a single point of failure. If your server breaks, or cloud storage service ceases trading, your data could be inaccessible.
- To guard against this, consider mirroring the information elsewhere. Your IT supplier can help with this.
- You will need to provide a secure way for employees to access and use this data.
In general, the risk of data loss increases the more places the data is kept
- Discourage employees from saving important data on their own computers. If they do, a single laptop theft or virus infection could be disastrous.
- Instead, provide a central filing system - either on-site or cloud-based - and give each employee named folders on your server.
Be particularly aware of the risks posed by removable media
- It is easy to lose a flash drive, USB drive or other form of removable storage.
- A disgruntled employee could transfer your entire customer database to a flash drive in seconds. You can block USB storage devices centrally (through group policy or endpoint management software) to make this much harder, while still allowing keyboards and mice.
Invest in multi-user cloud storage
- Sharing a single login for cloud storage services presents a serious security risk.
- Invest in multi-user cloud storage platforms by signing up to their business plans. These will provide users with their own usernames and passwords, much like you'd have on a local network, thus offering full accountability and greater security of data.
Wherever your data is stored, always take some key precautions to protect it
- Always back up your data regularly.
- Install up-to-date security software on all your computers and servers and scan regularly for viruses and other malware.
- If data is kept on a system connected to the internet, use both software and hardware firewalls to keep out hackers.
- Consider using encryption to protect your most important information. This scrambles the stored data so that it is unreadable without the key, which is far stronger than simple password protection. Microsoft Windows (BitLocker) and macOS (FileVault) have full-disk encryption built in. It protects the data on a lost or stolen device, but not against someone who is already logged in or malware running under their account.
- When using cloud storage, use two-factor authentication, wherever available.
- Remember physical security for in-house servers. Keep your servers in a secure room and use locks to keep laptops secure.
- Dispose of old equipment carefully. Data stored on the hard drive of a computer, tablet or smartphone must be erased before the device leaves the office for disposal and recycling, using a secure erasure method where possible. Overwriting is unreliable on SSDs and other flash storage, so the practical approach is to have encrypted the drive from the start and then destroy the key (a 'cryptographic erase', which is also how a factory reset works on an encrypted smartphone). The only guaranteed way of rendering data on any drive fully unrecoverable is physical destruction (shredding or grinding the disk), although this is unlikely to be necessary for the average business.
4. Data use
Only give each of your employees access to the data they need
- If your staff cannot access data, they cannot change or delete it – either deliberately or by mistake.
- Make sure every employee has access to the data they need to do their job.
- Limit access to critical systems and give each person their own login, so that every change can be traced back to an individual. A shared password gives you no audit trail.
Use secure logins to provide different access levels
- Give each member of staff their own username and password.
- Microsoft Windows and macOS allow you to grant different access levels to different users.
- Make sure other business software allows you to set up staff logins too.
- Can your customer relationship management (CRM) software give different users different levels of access?
Mobile access can be a headache
- Providing a virtual private network (VPN) so employees can securely connect to your company systems from outside the business can provide high levels of protection, provided the VPN itself is protected with two-factor authentication and kept patched: an exposed VPN with a weak password is a common way in for attackers.
- Consider limiting the types of data that can be accessed or used on mobile devices in your data protection policy.
- In situations where laptops are to be used for particularly sensitive or confidential work, consider using privacy filters on the displays, which limit the viewing angle - allowing the user to see what's on the screen, but not those either side of them.
- Staff should be instructed to always lock devices when they leave them unattended, even for short periods.
Have clearly-defined methods for transferring data
- Data is vulnerable when in transit, whether being sent across the internet or by post. Always encrypt important data before transferring it.
- Ask your IT supplier or web host to ensure data transferred over the internet is protected with current protocols such as TLS (the encryption behind HTTPS) or an IPsec VPN. The older SSL versions are obsolete and should be disabled, not enabled.
- If you are transferring data outside your business, make sure you comply with all relevant data protection legislation, and that the recipient understands how they can use it. If personal data is being processed by a third party, a contract should be in place that clearly sets out the obligations of the data controller (you) and the data processor (the third party) with respect to data protection and compliance with the law as well as other important points such as liability and indemnity.
- Only hold additional copies for as long as necessary - whether inside or outside your company.
You may need to strike a balance between security and convenience
- Security is critical, but adding too many security measures may disrupt how your employees work. In these cases, they may find shortcuts or take unnecessary risks that can put your data at risk.
- For instance, employees with multiple passwords for multiple systems may write them down, ultimately reducing the security of those systems. A password manager or single sign-on removes that temptation.
- To achieve a good balance, test out different security options and ask employees what they think.
5. Backing up data
Set up an effective backup procedure
- Backups are extra copies of data. You can use them to restore data if your working copy is lost.
- Store your backups off-site, away from the main copy of your data, and keep at least one copy offline or otherwise unreachable from your network, so that ransomware or a malicious administrator cannot encrypt or delete the backups along with the live data.
- Remember to keep backups secure too. Encrypt backup data, and store disks somewhere safe.
- Make sure you test your backup procedures regularly, to check that they work, and you know how to recover data.
Take backups regularly
- Back up your data at least every day. Modern backup services (both online and offline) can capture files continuously as they are modified, but make sure the service keeps previous versions: a service that only mirrors the current state will faithfully copy an accidental deletion or a ransomware-encrypted file over your only backup.
- Modern backup services will schedule and manage backups automatically by offering incremental backup routines that provide multiple restore points for each file.
- If running backups manually, do so in rotation. For instance, when running daily backups, you might keep separate backups for each of the previous seven days. This allows you to roll back to a particular point in time.
- Regularly check that your system back-up process is working by testing it.
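The rotation and "test it by restoring" advice above can be automated. Here is an added example written for this guide (not code from the original page): it keeps the seven most recent daily restore points, writes a SHA-256 manifest alongside each archive, and verifies a backup the only way that counts, by restoring it to a scratch directory and comparing every file against the manifest. The sample data, dates and folder names are constructed inside `demo()`; encrypting the archive (for example with gpg or your backup tool) and copying it off-site are assumed to happen afterwards and are not shown.

```python
"""Rotating daily backups with an integrity manifest and an automated restore test.

Added example for this guide, not code from the original page. It keeps the
most recent KEEP restore points and verifies a backup by restoring it to a
scratch directory and comparing every file's SHA-256 hash with the manifest
written at backup time. Encryption and off-site copying of the archive are
assumed to happen afterwards. The sample data is constructed inside demo().
"""
import hashlib
import json
import os
import tarfile
import tempfile

KEEP = 7  # restore points to retain: one per day gives a week of rollback


def _hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def list_points(backup_dir):
    """Labels of existing restore points, oldest first (ISO dates sort chronologically)."""
    return sorted(f[:-len(".tar.gz")] for f in os.listdir(backup_dir) if f.endswith(".tar.gz"))


def prune(backup_dir, keep=KEEP):
    """Delete the oldest restore points so that at most `keep` remain."""
    for label in list_points(backup_dir)[:-keep]:
        os.remove(os.path.join(backup_dir, f"{label}.tar.gz"))
        os.remove(os.path.join(backup_dir, f"{label}.manifest.json"))


def make_backup(source, backup_dir, label):
    """Archive `source` as <label>.tar.gz with a manifest of file hashes, then prune."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, f"{label}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    with open(os.path.join(backup_dir, f"{label}.manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(_hash_tree(source), fh, indent=1, sort_keys=True)
    prune(backup_dir)
    return archive


def verify_restore(backup_dir, label):
    """Restore one point to a scratch directory; True only if every file matches its manifest."""
    with open(os.path.join(backup_dir, f"{label}.manifest.json"), encoding="utf-8") as fh:
        expected = json.load(fh)
    # The 'data' filter (Python 3.12, backported to 3.8.17+) refuses archive entries that would
    # write outside the target directory, so a tampered archive cannot plant files elsewhere.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(os.path.join(backup_dir, f"{label}.tar.gz")) as tar:
            tar.extractall(scratch, **extract_opts)
        actual = _hash_tree(scratch)
    return actual == expected


def demo():
    """Simulate ten daily backups, then prove the survivors restore and that tampering is caught."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "data")
        backups = os.path.join(work, "backups")
        os.makedirs(os.path.join(source, "customers"))
        listing = os.path.join(source, "customers", "list.csv")
        for day in range(1, 11):
            # Constructed sample data: the customer list gains one row per day.
            with open(listing, "a", encoding="utf-8") as fh:
                fh.write(f"customer-{day},c{day}@example.com\n")
            make_backup(source, backups, f"2024-03-{day:02d}")
        points = list_points(backups)
        os.remove(listing)  # simulate the accidental deletion the backups exist to undo
        newest_ok = verify_restore(backups, points[-1])
        oldest_ok = verify_restore(backups, points[0])
        # Corrupt the oldest manifest to show the restore test notices a mismatch.
        mpath = os.path.join(backups, f"{points[0]}.manifest.json")
        with open(mpath, encoding="utf-8") as fh:
            manifest = json.load(fh)
        manifest["customers/list.csv"] = "0" * 64
        with open(mpath, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        return {
            "points": points,
            "newest_ok": newest_ok,
            "oldest_ok": oldest_ok,
            "tamper_detected": not verify_restore(backups, points[0]),
        }


if __name__ == "__main__":
    print(demo())
```

After ten daily runs only the points for the 4th to the 10th remain, and both the newest and the oldest still restore cleanly even though the live file has been deleted. Keep the manifests with the off-site copy: a backup whose manifest no longer matches is exactly the one you want to find out about in a quarterly test rather than during an incident.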
Choose a backup method that suits you
- Online backup services are now the most common and enable you to store your data safely in the cloud. The responsibility of maintaining regular, incremental backups is handed to the service provider who should also offer multiple restore methods should you need to retrieve your data at any time.
- Although less common, you can also back up your data to removable disks such as portable USB hard drives or USB sticks. Disconnect the drive after each backup, so that a backup left plugged in cannot be encrypted by the same ransomware that hits the computer.
- You can use a RAID system to mirror your data onto several disks. This allows you to continue working in the event of disk failure, but you need to store offsite backups, too.
- You can carry out a basic backup manually. Just copy your files onto a cloud storage service (such as Dropbox), a portable hard drive or USB stick. Bear in mind that a synchronised cloud folder is only a backup if the service keeps version history, because a deletion or corruption on your computer is synchronised too.
- Microsoft Windows (File History) and Apple's macOS (Time Machine) have backup functions built in. These are adequate for basic backups and provide quick restore methods.
Ensure someone in your business has responsibility for backups
- Give one person the task of ensuring your backup procedures are functioning properly.
- Make sure they report to you regularly, and test restoring from the backups at least once a quarter.
- Ensure they also have a deputy, who can cover for absences.
6. Effective communication
Ensure everyone in your business understands the importance of data security
- Secure systems and processes alone are not enough to keep data secure.
- Your staff have access to the data, so they must take responsibility for its security too.
- Involving them in the process and explaining to them the legal, moral and ethical reasons why data protection is essential is important.
Communicate the policies and procedures which cover storing and using data
- Your employees will have to work within the guidelines you set them, so involve them in the creation of these procedures.
- Ensure new starters read all policies and agree to them before they begin work.
- Run practical workshops explaining why data security is important.
- Demonstrate how procedures should be implemented.
- Train employees in the basics of data protection law.
- If possible, make data security policies and guidelines available to all staff via the company intranet.
Seek feedback on how well the guidelines work in practice
- Review them regularly.
- Find out about your data protection obligations from the Information Commissioner’s Office (0303 123 1113).
- Read a guide to contracts with third party data processors on the Information Commissioner's Office website.