When was the last time that you checked that your security measures were working?
Security measures vary a lot in complexity and technical requirements. You might need to check that no-one can sneak in to your business through an open and unguarded back door. Or you might need to organise a team of penetration testers to test your online applications for vulnerabilities.
The first step in establishing your security measures is to identify what cyber risks your business faces. Not all businesses face exactly the same risks (though there is likely to be some similarity). Then you should decide how you will manage those risks.
What you need depends on what you do, the size of your business, and any specific risks that you face. It will also depend on your budget and how much risk you are prepared to take.
Examples of security measures
A couple of examples:
There are services that will monitor your website to check that nothing has changed, no-one has added malware, and the site is still up and available. They will notify you if there is a problem, or they may fix it for you. They might remove the malware and restore a clean, working backup for you. The more you pay for these services, the greater (and quicker) the support if there should be a problem. If your website is essential to your business, paying for additional support, and a very frequent check, might be worthwhile. If most of your work comes by word of mouth, or via walk-ins, then your website is probably less important.
Your business might be based in a risky neighbourhood, so you might decide to add physical security measures, such as locks, alarms, cameras and physical barriers. Or you might not be worried about physical security, because you work in an office environment with security guards, but you are worried that someone might intercept your communications with your clients. And so on.
How often should you check?
Whichever security controls you decide on, once you have them in place, you should test them every so often. The frequency of this check will vary depending on the control, and on the level of risk that each control is mitigating.
That website check, for instance: if all your income comes via the website, then you may want to check that it is available to your potential customers very frequently indeed.
Every so often, perhaps once a month or so, you might decide to do an unannounced check that all sensitive information is locked away at the end of the day.
But you probably don’t need a daily check that your employees completed their security training.
Whatever controls you have, though, and whatever the frequency of check or test that you have decided on for each control, you should set a reminder to do that check, and then follow through. It is important that your business is still as secure, months later, as you decided was appropriate to start off with.
Want support in assessing your business risks, in determining the appropriate controls, or in developing a plan to check those controls? Call 0113 733 6230 to find out how we can help. Or you can use our contact form, if you prefer—we’ll get back to you as soon as we can.