GDPR Cyber Security

You need to find a balance between how secure your data/network is and how usable it is. The most secure computer is the one you keep in the box and never turn on. The least secure is the one you take out of the box and start using straight away. Neither scenario is good – you need to find a balance between the two.

There are two categories of threat you should be aware of: external (viruses/malware or hacking) and the one everyone forgets about – internal (staff, users, visitors and disaster!).

Internal Threats
Passwords – These are your first line of defence. They should have a degree of complexity. Too simple means too easy to guess or share. Too complex, or changed too often, and you run the risk of people writing them down. You will have spent time securing your files and folders so only the relevant staff can see the data they need to see. If everyone in your office uses the same password then you might as well not bother having permissions at all.

Screen Locking – You should implement automatic screen locking after a period of inactivity. This prevents someone else using your computer if you leave your desk.

File and Folder Permissions – Everyone in your organization should know WHERE they are supposed to save their work (preferably in a location which is being backed up!). You should then apply permissions to these files and folders to ensure only the relevant people have access to the files they need to see.

Application Passwords – You may use other software in your business which requires staff to log in, e.g. Sage Payroll/Accounts or other database software. You should check that users are not sharing passwords to these applications and, if necessary, review the application's own security settings.

User Education – This is by far the cheapest way to improve security on your network. Users should be made aware of what you expect from them, where they should save their files and appropriate computer use rules. This should be covered in your “Computer Use Policy” or “Information Security Policy”. You should also educate users that the computer they are using is not their personal property, it is a business asset and should be treated as such. There should be no unauthorised software installations and they should be careful which websites they visit.

Software Audit – You should know what software is installed on the computers on your network. Is someone eating up your broadband bandwidth with Spotify? Is someone playing games? In many organizations computers get passed down the line; when a computer is moved on to a new user you should ensure any software not needed by the new person is removed. This helps prevent unauthorised access to data. We can provide you with software to do Software Audits. It’s an ongoing task I’m afraid, not something you can do once and then forget about.
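As an added illustration of what a basic software audit looks like on a single Windows PC (example code written for this page, not the audit software mentioned above), the script below reads the registry Uninstall keys, compares each installed package against an allow-list and reports anything unexpected. The allow-list entries and the report path are constructed assumptions; run it as the user whose machine you are auditing so that per-user installs are included.

```powershell
# Added example (not from the page): inventory installed software on a Windows
# PC from the registry Uninstall keys and flag anything not on an allow-list.
# Reading these keys does not need an elevated prompt.

$AllowList = @(            # constructed sample of approved software names
    'Microsoft Office*',
    'Sage 50*',
    'Google Chrome',
    'Adobe Acrobat*'
)

# Machine-wide installs (64-bit and 32-bit views) plus per-user installs.
# The HKCU key matters: consumer apps such as Spotify install into the user's
# profile and only appear there, so an HKLM-only audit would miss them.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |   # skip keys with no name (patches, components)
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'Scope'; Expression = {
                if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } } |
        Sort-Object DisplayName -Unique
}

function Test-Approved([string]$Name) {
    foreach ($pattern in $AllowList) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

$inventory  = Get-InstalledSoftware
$unexpected = $inventory | Where-Object { -not (Test-Approved $_.DisplayName) }

# Keep the full inventory as a dated CSV so audits can be compared over time.
$report = Join-Path $env:USERPROFILE ('software-audit-{0}-{1}.csv' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$inventory | Export-Csv -Path $report -NoTypeInformation

Write-Host "Installed packages: $($inventory.Count); not on allow-list: $($unexpected.Count)"
$unexpected | Format-Table DisplayName, DisplayVersion, Publisher, Scope -AutoSize
```

Comparing the CSV from one audit with the next shows what has been installed since, which is the "ongoing task" part of the job.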

USB Sticks – Are people moving your data out of your organization on USB sticks? Should they be able to do this? Also think about USB sticks coming into your organization: they should be virus scanned before opening any files. We can help you block access – if you have good anti-virus software you may already have the power!

External Threats
Websites – There are a lot of infected websites out there. People should be careful when browsing the internet and even more careful when downloading anything.

Hacking – Someone is only going to actually “hack” you if they have something to gain. It takes time and patience (it’s not like it is in the movies), unless of course you have really simple passwords and have given them a head start! More likely they will gain access to your network through a virus.

Virus/Malware – These will come into your organization in a variety of ways: email attachments, email links to dodgy websites, USB sticks etc. You need GOOD anti-virus software. Free AV is not recommended, as the person writing the virus has more than likely got a copy of the same free AV and has made sure their code will get past it! It’s also not enough just to have it installed; you need to know that it is working. Contact us if you need advice about your anti-virus software.

Phone Calls – Staff should be wary of people phoning in claiming to be from the bank etc. We won’t discuss much more about this other than to have it listed so you know it’s something you need to consider when dealing with your staff education.

Wi-Fi – First of all, DON'T TELL PEOPLE THE PASSWORD. If you don’t tell them the password, they can’t tell someone else! If someone needs to connect to your Wi-Fi, type the password in for them. Secondly, if you have visitors or guests using your Wi-Fi then it should be split into secure and guest access. This keeps them away from your wireless printers and means they can’t see what other devices (servers, PCs etc.) you have. Be aware that people can get access to your network traffic, files and folders over the Wi-Fi using nothing more complicated than their phone! Please contact us if you need advice on securing or splitting your Wi-Fi.

To summarize, you need to protect yourself, your network and your data. If data moves out of the office then it should be encrypted. Windows Updates (although a pain) are essential, as they fix critical security holes and bugs. You should be on the latest versions of software that you can be, both because older software is nowhere near as secure and because, if it breaks, you will need to replace it anyway. Finally, you need a Disaster Recovery Plan. This should cover the services you consider critical to your business (phones, power, IT systems – the ones you can’t live without) and should include insurance information and emergency contacts. Check out our GDPR Software Solutions page for more info or give us a ring to discuss how we can help you.