Protecting your data is your organisation’s responsibility, even if you outsource your IT to a third-party company. In some cases, your IT Services Provider may just be getting on with what you have asked them to do and you may not have not considered all aspects of what you might need to protect your organisation. With the current cyber security climate and GDPR looming, it is important to make sure that you are taking responsibility for your company’s data protection and security.
Why do you need to ask these questions?
If you experience a cyber security incident it can have severe consequences for your business. You could find your finances being hit and you could also experience damage to your reputation and data loss. In the case of data loss, your business could experience downtime which would have a severe impact on your revenue if you were no longer able to accept payments or take orders.
As previously stated, there is also the issue of GDPR. When the General Data Protection Regulation comes into play businesses that experience data breaches are liable for fines of up to 4% of their global turnover or €20 million, whichever is greater.
You need to start asking questions about your IT to make sure that you are protecting your business and its assets.
In this blog, we have put together the 7 major questions that you need to be asking your IT Service Provider and also your management team. This is not an exhaustive list of every security precaution you should take. It is a basic checklist to get you started. If you do not know the answer to a question or know that the answer is ‘no’ then you should act immediately.
Do we have a Next Generation Firewall?
A Firewall protects the perimeter of your network. It controls the traffic coming in and out of your organisation’s network and will stop things like malware. Asking if you have a Firewall is no longer enough. You need to make sure that you have a Next Generation Firewall in place. A Next Generation Firewall has something called deep packet inspection. Most of traffic that will come into your network will be encrypted and therefore will easily get past a Firewall no matter its contents. Deep packet inspection scans encrypted traffic. The best way to understand it is instead of just checking the address on an envelope it would check the letter inside as well.
Do we have an Anti-Spam solution?
Spam is unwanted and unsolicited email usually sent to a mass audience. Sometimes it can just be junk trying to sell to you and sometimes it can be more malicious such as a phishing email. A phishing email will try and extort information from you or will come with a dangerous link or attachment that could install Ransomware on your computer. An anti-spam solution will filter out most emails making your inbox a safer place to be.
Do we have a business-level Anti-Virus solution?
Viruses are harmful pieces of code that can destroy data on your computer and cause chaos. Anti-virus software will scan your computer to find any viruses and remove them. It’s important to not just ask if you have an anti-virus installed but a business level solution. Free is usually free for a reason and cheaper anti-viruses will not be effective. Make sure you are using something like e-set to ensure safety.
Do we have Patch Management?
Not updating software can be a critical issue for your security. Many of the organisations affected by the NHS WannaCry incident in 2017 experienced problems because they did not have software that was updated with patches for security flaws. Organisations that installed the patch that had been made available two months before were safe from the attack. You need to make sure you have processes in place to make sure you always have the most up-to-date software available. Make sure you ask your IT Provider what the situation is for your software updates.
Do we have a Back Up and Disaster Recovery Plan?
Sometimes the worst can happen no matter what precautions you have in place. It’s important to make sure that you have a back up and disaster recovery plan in place so you are able to get your business back up and running as soon as possible. You also need to check that you back up is being tested at least once a year to make sure that it is doing what it is supposed to. We once heard a story of a business who back up their data using tape. The IT Manager used to take it off-site on the tube every day and the magnetism was just wiping the data. There’s no point in backing up if it doesn’t work when you need it to. Make sure you ask your IT provider whether there is a back up and disaster recovery plan in place and whether it has been tested.
Do we have an understandable IT Policy?
This question is not for your IT Provider, it’s for your management team. You need to make sure it is very clear for your staff what they can and can’t do when using technology in the business. Your staff are your last line of defence when it comes to security so if they do not know what is and isn’t acceptable it could cause problems. If we’re being honest most people will not even bother to read an IT policy and if they do they won’t remember what was in it. We recommend having a one pager at the start of your IT policy that states clearly the most important things your staff needs to know.
Are our staff trained for cyber security?
We always say that end user education is key to protecting any organisation in the current cyber security climate. If all your precautions have failed, if one phishing email has slipped through the net, then it is all down to the decisions that your staff choose to make. Training your employees to be more vigilant and making sure they know what to look out for will help ensure you have good cyber security.
We have given you 5 questions for your IT Provider or IT Team and 2 questions for your management team. You need to make sure that they can be answered and in a positive way. If not, or if you’re still concerned you need to take steps to improve your security. If you need any help with this then please email us at firstname.lastname@example.org call 01675 469020. Remember, this list is not exhaustive and is a starting point. Call us if you need us.