New IT security guide for SMEs launched

A new guide aimed at helping small and medium-sized enterprises (SMEs) make their IT systems more secure has been launched by the Information Commissioner's Office (ICO).

The guide includes a series of practical steps that small businesses can take to ensure their IT systems are safe in order to prevent serious breaches of data.

The ICO - the regulatory body responsible for data privacy and enforcing the law against unlawful processing of personal data - can impose a monetary penalty of up to £500,000 if certain information, such as personal data, is breached.

It has issued over £1.5 million in penalties since November 2010 to organisations who have failed to take necessary measures to keep people's information secure.

The ICO said the guide had been geared towards SMEs in recognition that they often lack the resources and information to implement a suitable security strategy when compared to larger corporations.

The guide includes a checklist as well as detailed advice on physical security, securing data on mobile phone devices and anti-virus defences.

It advises businesses to assess and review potential security risks, and use a layered approach to security in order to mitigate the failure of one system. This could include:

  • Physical security - i.e. servers and back-up devices kept in a secure room
  • Anti-virus software - this should also be kept up to date
  • Intrusion defence - such as a well-configured firewall so that only certain information can be seen by third parties
  • Access controls - restrict access to secure users who must use usernames and passwords
  • Employee awareness - all employees should be aware of their responsibilities in keeping data secure.

Information Commissioner Christopher Graham said: "While we recognise that the biggest companies and organisations will have many of these strategies already in place and have spent a great deal of money on securing their IT systems, smaller enterprises often tell us that they would benefit from simple and clear advice specifically designed for them.

"This guide aims to support these companies by providing a starting point and recommendations that cost little to adopt, but can significantly reduce the risks of a serious data loss and the reputational and financial damage that can result."

The Federation of Small Businesses' policy chairman Mike Cherry welcomed the publication, saying: "Good IT and data security should be part and parcel of good business practice and businesses should think about the simple steps that they can put in place to achieve this. The guidance should help businesses do this."