
Risky business

You can’t create a security strategy without considering RISK. 

Your business most likely takes in a lot of information from a lot of different places, even if it isn’t that digitally involved. If you have employees and if you bill customers (a safe assumption!) you will keep some details about them. Every point of data entry and storage is a risk point. 

You can start to mitigate that risk by classifying the level of risk attached to each place your data goes to or comes from, analysing each risk point individually. This will take a while, so muster all the patience you can, get a big bag of doughnuts (usually helps – we call them sugar-dusted patience), map out where your risk is and detail how big or small it is. 

Things to think about in this exercise are: 

  • Who has access to what? 
  • Does shared access mean shared passwords? 
  • Is data safe from loss? 
  • What training against cyber threats do employees at risk have? 

Once you can visualise any and all risks, it may scare you, and if you already had cyber security worries, I’m sorry. It can only get better from here though! 

Not all risk has to be mitigated. If it costs too much, the likelihood of the thing happening is very small or the system is non-critical, then maybe you can take that risk. The answers to these questions are always personal to the business. 
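The mapping exercise and the accept-or-mitigate decision described above, as a small worked example added here (not the firm's own tool): each risk point gets a likelihood and impact score, and a risk is accepted only when it is non-critical and either scores low or would cost more to fix than it is likely to lose. The risk points, the 1-to-5 scores, the loss estimates and the "accept below 6" threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskPoint:
    name: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), per year
    impact: int             # 1 (negligible) .. 5 (business-ending)
    critical: bool          # does the business stop if this fails?
    loss_gbp: float         # estimated cost if the event happens once
    mitigation_gbp: float   # yearly cost of the control that would reduce it

    def score(self) -> int:
        return self.likelihood * self.impact


def expected_loss(r: RiskPoint) -> float:
    # Rough mapping of the 1..5 likelihood band to a yearly probability (assumed).
    probability = {1: 0.02, 2: 0.1, 3: 0.25, 4: 0.5, 5: 0.9}[r.likelihood]
    return probability * r.loss_gbp


def decide(r: RiskPoint, accept_below: int = 6) -> str:
    """'accept' or 'mitigate', following the post's reasons to accept a risk:
    the likelihood is small, the system is non-critical, or the fix costs more
    than the expected loss. Critical systems are always mitigated."""
    if r.critical:
        return "mitigate"
    if r.score() < accept_below:
        return "accept"
    if r.mitigation_gbp > expected_loss(r):
        return "accept"
    return "mitigate"


# Constructed sample register: one row per place data enters, sits or leaves.
REGISTER = [
    RiskPoint("Shared login on invoicing PC", 4, 4, True, 20000, 600),
    RiskPoint("Customer DB backup never restore-tested", 3, 5, True, 60000, 2400),
    RiskPoint("No phishing training for sales staff", 3, 3, False, 8000, 900),
    RiskPoint("Legacy print server, no backup", 2, 2, False, 500, 1200),
]


def risk_register(points):
    """Rows of (name, score, expected yearly loss, decision), highest score first."""
    rows = [(p.name, p.score(), round(expected_loss(p)), decide(p)) for p in points]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, loss, action in risk_register(REGISTER):
        print(f"{score:>2}  GBP {loss:>6}  {action:<8}  {name}")
```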

Mitigation can take many forms – not always software or hardware, as training is a key element when creating a security strategy.

Other mitigation includes: 

  • A backup that is automated, off-site, managed and tested and (the essential step, as stipulated by the National Cyber Security Centre) has an offline element that is independent of your systems and of the running backup. Our backups meet all of the NCSC’s standards, including retention and an offline archive of previous backups. 
  • Excellent anti-virus and anti-malware software. 
  • Monitoring software to check on the status of the company computers including updates. 
  • A file system that enforces authentication including MFA (click here to find out about MFA) and then uses that to enforce what that user can access. 
  • A logging system that records who accesses what and when – and who they shared files with. 

Obviously we can help with all of the above. Clive, our CIO, has an MSc in Cyber Security and actively manages and delivers our security and compliance work. To ensure we deliver only the best services to our clients, our solutions are always about the client and their business goals, not about our systems. Clive is also a member of an international organisation that creates documentation and workflow templates using the international COBIT framework, which we share and then tailor to our clients’ needs. 

Competent security, compliance and governance are all about you and your business, but it is nice to have a helping hand on your side – that can be us. 

Michael  

Michael specialises in Microsoft 365, data protection (GDPR) and has the most experience in the team with Mac computers. This is because of his creative background and history in media production which has him creating and editing the many videos / guides we record for social media or training packages. 

Michael is always happy to fix people’s I.T. problems. 

If you need a call from Michael to discuss anything mentioned in this article then please get in touch with me by email at kamila@octagontech.com or phone our office number on 01522 797520.

Kamila