top of page
  • Jeremy Thorburn

What Should Organizations Do To Protect Their Data?

Set the tone at the top. Data protection legislation goes further than simply asking the IT department to implement “appropriate measures”, it also adds many new technical requirements to an organisations data and the systems that contain the data. It expects a commitment to invest time and money, it requires ‘board level’ focus to manage risk and a shift in culture. In truth, data protection is as much behavioural as it is technological.

Expecting that systems, process and policies will provide enough security is simply put, naive. Regardless of systems implemented no one is safe from an attack or data breach.

The first step to better security in the organisation is employee awareness. Employees are the greatest asset when it comes to data security, and, not surprisingly, the greatest liability. Making employees think of cybersecurity and the role they play in the securing the data of the organisation is imperative.

Much like taking measures to secure your premises from intruders (burglars) with fences, bars, alarms and more; organisations are now expected to take similar measures to protect their digital assets; having an aware workforce puts more eyes and ears in the game. Emphasise data ethics, if it isn’t yours why take it?

Run awareness refresher sessions, make sure any and all changes to policy are well communicated and acknowledged. Call in guest speakers to chat with employees. Make awareness a key step when on boarding new staff.

The second key step is to draft data security policies. New systems, processes and procedures that are not under-pinned by solid policy-making, understood and supported by all concerned will remain weak, at best.

These policies must cover key issues such as:

Data Backup and Recovery

Setting up off-site storage

Document data management procedures

Test recovery frequently

Keep anti-virus, ransomware and malware protection software up-to-date

Run regular scans to confirm the validity of the protection software

Password management

Set down a password policy that combats:

Re-using passwords

Sharing passwords

Drive a minimum password length of eight (8) alpha-numeric with one ‘character’

Implement two-factor authentication wherever possible

Build a tightly secured network

Audit for default admin logins and passwords

Ensure, as minimum, SSL security is in place for web sites

Use strong encryption on all firewalls

Manage and monitor the use of external storage devices such as USB keys

Have a strong and clear approach to BYOD (bring your own device)

Keep operating systems and applications up-to-date

Never decline or postpone for too long an update from the OS or Application vendor

Once an OS, Application or Browser has reached end of life make every effort to get it out of the organisation

Limit the use of local admin rights

Regularly audit laptops for obsolete, no longer used user accounts – get rid of them

Thirdly, engage with third-party specialist cybersecurity and data protection experts. Cybersecurity and counter measures a fast-moving target, expecting in-house IT shops to keep up is a nearly impossible ask. Larger companies may setup a dedicated team of experts organisational cybersecurity as their focus, it will still be a difficult job for them to keep up. Setting up strategic partnerships with experts.

Third party specialists can help with understanding legislation in the context of the organisation, carry out audits and vulnerability assessments, assist with simulations (specifically data recovery), construct communication campaigns in the event of a breach and lastly, give Board Members the comfort that the measures being taken to secure the company data are not just adequate but tried and tested.


Commenting has been turned off.
bottom of page