The following six principles are built around a hypothetical scenario: how could somebody access or steal your organisation’s sensitive information?
How would someone gain access to the site itself?
If they did gain access, what devices would they find?
What information is on, or accessible from those devices?
How easy is it to access that information?
How are those devices used day-to-day?
What happens in the worst case scenario?
With those steps in mind, we have included recommendations for each area which are relatively easy to implement without significant investment of time, resources or money. IT security is not always about buying the latest, fastest, most expensive solution; more often it is about changing the day-to-day behaviour of users and staff to close common loopholes. Awareness of these risks is the first, and perhaps most important, step towards controlling them.
1. Physical Security
The first point of access to any organisation’s IT systems is the site itself. Denying unwanted or unauthorised personnel access to the hardware and data stored on site drastically reduces their ability to tamper with critical systems or steal sensitive information.
Visitors should be treated as unauthorised by default, and admitted only once an authorised member of staff approves them. Whoever approves a visitor is responsible for them for the duration of their visit.
Sensitive locations (server rooms, network cabinets, records storage) should be locked when left unattended.
2. IT Hardware
IT hardware probably poses the greatest overall risk to the organisation, chiefly because of the information stored on and accessible from these devices. A handful of relatively minor fixes, however, can reduce this risk to a far more manageable level.
The biggest gains in this area are made with relatively minor changes to day-to-day behaviour:
Turn on automatic updates on all devices, and restart each device at the end of the business day so that pending updates are actually installed; many updates do not take effect until the device restarts.
Require a unique login for each user on each device, and configure the screen to lock after five minutes of inactivity so that the login is required again.
3. Record Keeping and Storage
Ease of access to sensitive information is addressed by the combination of physical security, hardware and account security. What those three areas do not guarantee is protection against loss or corruption of data, so it is essential that your data is backed up in some capacity. Ideally this involves both a local and a cloud-based copy, for redundancy and for accessibility during disaster recovery. Keep at least one copy that a compromised workstation cannot overwrite or delete, and remember that a backup that has never been restored is unproven: periodically restore a sample of files from each copy and confirm they match the originals.
Many organisations also have a backlog of physical records (e.g. paper filing) which is kept onsite for regulatory or compliance purposes, but rarely given a second thought. Scanning these records to create a digital copy can free up physical space and more importantly create a backup of those records as well.
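As an added example (not code from the original page), the following Python script shows the checkable part of a backup: copy a records tree, record a SHA-256 manifest beside the copy, and later verify the copy against that manifest so that silent corruption or a missing file is noticed before the backup is needed. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path, forward slashes) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest/data and record a manifest of digests beside it."""
    shutil.copytree(source, dest / "data", dirs_exist_ok=True)
    manifest = build_manifest(source)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dest: Path) -> list:
    """Return files that are missing from the backup or whose digest no longer matches."""
    expected = json.loads((dest / "manifest.json").read_text())
    actual = build_manifest(dest / "data")
    return sorted(name for name, digest in expected.items() if actual.get(name) != digest)


def demo() -> tuple:
    """Back up a constructed records tree, verify it, then detect a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "invoices").mkdir(parents=True)
        # Constructed sample data standing in for real business records.
        (src / "invoices" / "2023-q1.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "staff.txt").write_text("alice\nbob\n")

        dest = Path(tmp) / "backup"
        backup(src, dest)
        clean = verify(dest)  # no problems expected straight after the copy

        # Simulate silent damage to the backup copy (bit rot, interrupted write, tampering).
        (dest / "data" / "staff.txt").write_text("alice\n")
        (dest / "data" / "invoices" / "2023-q1.csv").unlink()
        damaged = verify(dest)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes a restore test meaningful: without recorded digests, a restored file that opens is not evidence that it is the file that was backed up. Store the manifest with each copy (local and cloud) and run `verify` as part of the restore drill.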
4. Password and Account Security
Simple, but by no means easy: creating unique, robust logins for all users is an uphill battle for most organisations, but a critical step towards a secure environment. The most effective single change is length, so increase the minimum password length required by each system (the administrator can usually set this centrally) and block well-known or previously breached passwords. Complexity rules such as mandatory symbols or mixed case help far less than length, because in practice they produce predictable substitutions like “P@ssw0rd”. Where a system supports multi-factor authentication, turn it on. These requirements should apply on every device used for work, including any personal devices used by staff.
Logins should not be shared wherever possible, even for systems deemed ‘non-critical’: knowing a single password to an unimportant system can provide an avenue into more important ones, especially if the password has been reused.
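As an added example (not from the original page), here is a small Python policy check that applies the guidance above: a length floor, a longer floor above which a passphrase needs no mix of character classes, a block on common passwords, and a check that the username or organisation name does not appear in the password. The denylist is a constructed stub standing in for the breached-password list a real deployment would load. It shows why length matters more than symbol rules: “P@ssw0rd1!” satisfies the usual three-of-four character-class rule yet is rejected, while a 28-character passphrase with no symbols passes.

```python
import re

MIN_LENGTH = 14         # minimum for a password that also mixes character classes
PASSPHRASE_LENGTH = 20  # at or above this length no class mix is required

# Constructed denylist standing in for a real breached/common-password list,
# which is what a deployment would load here.
DENYLIST = {"password", "p@ssw0rd1!", "welcome1!", "letmein2023!", "qwerty123456!"}


def meets_complexity(pw: str) -> bool:
    """The classic 'three of four character classes' rule."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def check_password(pw: str, username: str = "", org: str = "") -> list:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DENYLIST:
        problems.append("on the common-password denylist")
    for label, word in (("username", username), ("organisation name", org)):
        if word and word.lower() in pw.lower():
            problems.append(f"contains the {label}")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a character repeated four or more times")
    if len(pw) < PASSPHRASE_LENGTH and not meets_complexity(pw):
        problems.append(
            f"fewer than three character classes (required below {PASSPHRASE_LENGTH})"
        )
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Acme2024Summer!!", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, org="Acme") or "ok")
```

Running this on a proposed password at account creation, with the organisation name and username passed in, catches the two most common weak choices in small offices: the company name with a year and a symbol, and a short “complex” password that is already on every attacker’s list.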
5. People
Having well configured IT hardware, a strong network, and disciplined security procedures for account security and storage would all be for naught if no one is trained to use or maintain them. Conversely, having well trained staff with a working understanding of IT basics is perhaps any organisation's greatest strength when it comes to improving their IT security. This area is also critical to maintaining the improved level of security achieved by implementing the previous recommendations.
While the first four areas are relatively straightforward to implement, this section will require a greater investment of time and resources to see meaningful results. How an organisation implements this in practice can look very different, depending on the specific needs and vulnerabilities of that organisation.
6. Business Continuity
However unlikely it may seem, your business should always be prepared to respond to a worst-case scenario. A well-defined course of action for retaining access to critical data, or for responding quickly in an emergency, can be the difference between the business surviving and being forced to close.
At minimum this means a disaster recovery plan and a business continuity plan, both drafted within the framework of your organisation’s Risk Management Strategy and rehearsed often enough that staff know their part before an incident occurs.