Plan Your Risks
No system will ever be 100% secure, so it’s advisable to include information security as part of your normal business risk management procedures.
Here’s a step-by-step approach to information security risk management:
- Consider whether your business could be a target and the level of risk your business is exposed to.
- Determine whether you need to comply with personal data protection legislation and Payment Card Industry compliance.
- Identify the financial and information assets that are critical to your business, and the IT services you rely on, such as the ability to take payments via your website. Define what would constitute a major event for your business.
- Assess all the IT equipment within your business, including mobile and personal IT devices. Understand the risks to all of these things by considering how they are currently managed and stored, and who has access to them.
- Assess the level of password protection required to access your equipment and/or online services by your staff, third parties and customers, and whether it is enough to protect them.
- Ensure that your staff have appropriate awareness training, so that everyone understands their role in keeping the business secure. Share your plan so everyone knows what is required of them.
- Identify where you could go for support in the event of an attack.
- Define what your recovery procedures would be, and how you could keep your business running, particularly if you trade online. Who would you need to contact? Would you need to notify customers or key suppliers?
- Consider cyber insurance to mitigate the impact of a cyber attack.
Source of Information
Information taken from the HM Government publication “Small businesses: What you need to know about cyber security”
Reproduced under the Open Government Licence