31 Jan, 2018
If you have ever wondered whether ISO 27001 is suitable for an SME, in our recent article we explain why it certainly is.
For far too long, information security has been seen as the responsibility of the IT department, however big or small that might be. Now, in these days of portable storage, laptops and smart phones, this outdated view puts an organisation’s data – and its reputation – at serious risk.
Here’s ISO Quality Services’ five point guide as to why information security should be the responsibility of everyone in the business.
Laptops and peripherals are like spare keys
You always know where your main keys are, but it’s all too easy to lose track of any spares. It’s the same with data. You know where your main body of data is stored, but all over your organisation there will be little pockets of data that have been forgotten about, perhaps in unused folders, on unencrypted memory sticks, on smart phones or on laptops themselves. These pose significant risks. Although the customer mailing list on that old memory stick may be a year or two out of date, you shouldn’t underestimate how much interest it would hold for a competitor, or how much damage would be done to your reputation if the data were released. That’s why it’s vital that your organisation audits the way data is held and takes steps to minimise these risks.
Did you know: Even security professionals can struggle to keep track of their data. In October, the Telegraph revealed that Heathrow Airport’s secret security planning files had been found on a memory stick in a London street, and freedom of information requests in 2016 revealed that, on average, one item of MoD equipment, including laptops and flash drives, goes missing every day.
Small doesn’t mean insignificant
Even vast amounts of data can be made to look small and therefore seem insignificant. If you saw a new starter repeatedly struggling out of the door with armfuls of customer files to load into their car, you’d be on high alert. Yet the same person can easily take the same amount of digital data out of your organisation on a memory stick or via a transfer site without you even realising. Drives should be restricted to those that really need access and not shared widely as a matter of course. Policies and procedures help reduce risk and staff should be frequently trained in the importance of safeguarding data.
SMEs get attacked too
It’s tempting to assume that larger companies are the sole target of cyber attacks, but a recent survey revealed that almost one in five companies employing under 100 people had been hit by a cyber attack of some form in the previous 12 months (British Chambers of Commerce survey of 1,200 businesses in 2017). It’s a staggering statistic. Imagine the increase in security measures your organisation would put in place if it were revealed that 18% of businesses on your road had been subject to an attempted break-in during the previous year. The alarm systems would be checked, the number of keys in circulation reduced, and your colleagues would be reminded to lock doors and windows and to stay vigilant. So why treat one of your biggest assets, your information, with less care than your physical possessions?
Backups don’t always cover your back
IDC Research has found that a staggering 40% of SMEs overlook one of the most common causes of data loss – equipment failure – and fail to back up their data at all. This head-in-the-sand approach is extremely risky, as is failing to regularly check that the backups you do conduct are fit for purpose. Worryingly, IDC also found that 40-50% of backups are not fully recoverable, and that 60% of data may not be backed up at all because it is held on desktops and laptops rather than on servers. In these days of fast broadband and cloud storage, is there any excuse for not having a robust backup procedure?
Data loss is a fast way to achieve early retirement
Across the globe a hard drive fails every 15 seconds, many with catastrophic results. The British Chambers of Commerce ICT Report established that half of the businesses that suffered a data loss lasting more than ten days filed for bankruptcy immediately, and 93% filed within a year. Once data has gone, it’s too late to invest effort in effective management processes. As with insurance, you need the foresight to protect yourself for the future; otherwise your business won’t be able to operate after losses due to viruses, software corruption, backup failures, natural disasters or hacking.
At ISO Quality Services Ltd, we have a sure-fire way for an organisation – no matter what its size – to prove that it recognises the value of its information and has taken robust measures to prevent data loss. To find out more about the independently-assessed Information Security Standard (ISO 27001), call our Client Services Team on 01905 670303 or visit our website.
British Chambers of Commerce research: http://www.britishchambers.org.uk/press-office/press-releases/bcc-mainly-big-business-hit-by-cyber-attacks,-but-all-need-to-improve-security.html
IDC research quoted on Workspace: https://www.workspace.co.uk/community/homework/technology/opinion-what-is-the-true-cost-of-lost-data-to-bus