It doesn’t matter if your business has 10, 100 or 1,000 members of staff, the need for a basic level of IT security remains the same. There are businesses that, by necessity, require a much higher standard of IT security, e.g. legal, financial services, executive search companies etc.
Your IT system’s security model can be broken down into a number of key areas:
Cyber Essentials (CE) is the most basic security requirement, and every business should be up to CE standard. CE certification ensures an environment that puts IT security best practice in place, so if your business cannot do this, you already have holes in your security model! CE certification ensures user account management is up to par – passwords, patches, anti-virus, firewalls etc. – so getting CE certification is an important and necessary step. If your organisation has achieved it, we think it is worth shouting about it!
Once CE is in place, your company needs to enhance it further. Start by controlling access into and out of your organisation’s IT system with:
It does not matter how good your technical measures are, you also need to make sure your people are fully aware of IT security issues, and are following guidelines to minimise the chances of accidentally allowing hackers into your system. Many hackers rely on user error by people who do not know how to recognise phishing attacks. It is the digital equivalent of someone in a boiler suit turning up at reception to say they’re here to fix the boiler – if they look the part, the likelihood is that they’ll be let in to the building, even if no-one was expecting them.
Good security also relies on good governance. If you have the right checks and balances in place, you will gain credible protection against deliberate attacks. They will help you make sure no-one on the team has the opportunity to behave inappropriately, and that management is satisfied that any requests are genuine and justified.