The growing complexity of the evolving IT landscape, and the malicious activity that comes with it, can be troublesome for any company. Small and medium-sized businesses (SMBs), however, may be even more susceptible to a data breach because of limited financial resources and expertise. It is therefore important that decision-makers learn as much as they can about cloud computing, mobility and other IT innovations that are disrupting the private sector.
A new guide by the U.K.'s Information Commissioner's Office (ICO) was developed with the intention of helping SMBs navigate the increasingly complex IT environment without succumbing to any data security vulnerabilities that would expose an organization's sensitive records.
The guide recommends decision-makers follow the "seventh data protection principle," which states that all appropriate technical and operational measures must be taken to ensure the privacy and protection of personal data.
Seventh principle in practice
"While we recognize that the biggest companies and organizations will have many of these strategies already in place and have spent a great deal of money on securing their IT systems, smaller enterprises often tell us that they would benefit from simple and clear advice specifically designed for them," Information Commissioner Christopher Graham said.
The first step toward enhancing IT security is assessing the risk landscape and how it is relevant to a company, the guide says. Decision-makers must first understand what types of personal information their organizations have and where data is located. IT managers also need to reevaluate how a firm collects, stores, leverages and disposes of sensitive information to ensure it doesn't breach any regulatory or legal compliance requirements.
Once a company knows what information it holds, decision-makers can implement robust security tools to keep it safe. IT executives need to take a layered approach to data protection, which includes physical defenses, like access control systems, to keep out intruders and thieves. The security program also needs to include antivirus software, intrusion detection solutions that can alert individuals if a breach is occurring and employee training programs, the guide says. With the advent of BYOD (bring your own device) and social media, organizations may also consider taking a data-centric approach to security, which protects the data itself rather than the platforms and devices on which it is stored or across which it travels.
Safeguarding mission-critical information and data requires time, resources and expertise. Decision-makers should not be fooled into utilizing a one-size-fits-all approach, as each organization has specific needs that must be met, the ICO said. These measures don't need to be expensive or difficult to deploy, as many solutions are free of charge or are already being leveraged in the company; it's just a matter of reorganization.
Encryption tools remain important
An important aspect of all data security programs is the proper use of encryption. According to a separate report by TechNavio, the global market for encryption software is forecast to expand at a compound annual growth rate of 13 percent through 2014.
"Previously, companies used to opt for full disc encryption software, which protects unauthorized access to data storage and everything on the disc including programs," TechNavio said. "This gradually changed when vendors introduced file level encryption solutions. This shifted the focus to an emerging trend of data security."
ICO recognized the large market for encryption tools and recommended decision-makers choose whichever solutions best fit their organizations, as the basic function of all cryptography services is to keep out unauthorized individuals. However, IT executives need to train employees on the importance of these solutions and on how improper use can lead to vulnerabilities. ICO said individuals should use complex encryption passwords that contain a variety of characters, numbers and symbols.
A major problem at SMBs is that decision-makers overlook the fine details of security policies, ICO noted. By planning ahead and deploying the right strategies, organizations can ensure their sensitive files remain as protected as possible.
Data Security News from SimplySecurity.com by Trend Micro