Given the recent publicity about breaches to data security, you may think that outsiders pose the biggest risk to your business. But the real data security threat may lie much closer to home…
Data security facts and figures
Nearly three quarters of small businesses suffered a security breach last year, according to the latest government figures. They reveal that the average cost to a small company of a major security breach is between £75,000 and £311,000.
The sums involved are eye-watering and potentially crippling for small and medium-sized firms. So it’s no surprise that organisations of all sizes are now starting to take their data security much more seriously. But for many smaller businesses it’s not outsiders who pose the biggest threat to their data security, it’s their own staff.
The data security threat posed by staff
Nearly one-third of smaller organisations questioned for the government’s 2015 Information Security Breaches Survey said they had suffered a staff-related breach in the last year.
A disgruntled serving or former employee can easily wreak costly havoc if they leak valuable information to your competitors or sell it to criminals. Half of the worst breaches, however, were caused by human error, such as an employee losing a company laptop containing unencrypted data.
That’s why it’s crucial to have a robust data security policy for your business and restrict staff access to information on a need-to-know basis. Your employees should see only the information they need to do their jobs.
In our experience it’s quite common for everyone in a small business to have equal access to all the company information. We often find that the password of the business administrator – who has full access to systems and databases – is widely known and used by the other staff.
But you wouldn’t leave a filing cabinet containing sensitive information unlocked for all to see, and your data security should be no different.
Data security basics
As well as controlling access, you need to train your staff about data security and the importance of keeping company information safe. That means ensuring they use strong passwords with upper and lowercase letters and numbers – and keep them secret.
Your computer usage policy should spell out how staff must behave when using company equipment and the rules for working on personal devices. You should ensure that data on company laptops is encrypted; there are several free tools available to enable you to do this, such as BitLocker.
Also make sure you know who has access to your company website, third-party websites and bank accounts. You don’t want to find out that a former employee has been ordering from one of your suppliers’ websites using your account details.
When someone leaves the company you should terminate any accounts and passwords that are no longer in use. That includes login details for social media accounts including your business Twitter, LinkedIn and Facebook pages.
You would always make sure that a former employee handed back their office keys and any equipment, and access to company data is no different.
And ensure you have strict rules relating to company data written into your employment contracts. Otherwise there’s nothing to stop a former employee joining a rival firm and taking your customer information and company secrets with them.
The best IT security in the world won’t protect you unless your staff understand that they have a responsibility for keeping company information safe. But by educating them and controlling access to data, you can reduce the risk of a costly security breach.