The last few weeks have seen headlines about the massive data breach at Yahoo, a £400,000 fine for TalkTalk over its security failings, and several other stories involving hacked accounts and websites. It isn't surprising that many people feel overwhelmed by what they are being asked to do and have almost given up trying to protect themselves.
But what if you had an approach that told you which warnings were relevant and needed to be acted upon, and which were less important? It rests on a simple assumption: spending your time, money and effort protecting the information that matters most to your business is what reduces the main business risks.
Step 1 - identify the information you hold. It will typically include client details and what you are doing for them, company financial details, business strategy, HR records and intellectual property. Note where each type is kept (laptops, email, a CRM system, cloud storage, paper files), because that is what you will end up protecting.
Step 2 - work out which information would cause the most harm if it were stolen, lost, altered or taken over by a third party, or simply unavailable. It might be personal details of clients or staff, since losing those could lead to a fine from the Information Commissioner's Office (ICO). Or it might be the contents of your CRM system, emails containing sensitive client details, your social media accounts or your website. Assign each type of information a value from 1 (critical) to 5 (no real harm if it were lost or unavailable for a week).
Step 3 - take action to make sure the priority 1 and priority 2 items are secure. You may want to include priority 3 items as well; it depends on your business. This could involve keeping sensitive papers locked away, using a different password for each account, enabling two-factor authentication (a second code, sent by SMS text message or generated by an authenticator app, that is needed to complete a login) for email, social media accounts and your website, encrypting data held in 'the cloud', and making sure backups are taken every day and that you have actually tried restoring from them. You may need to take advice on the most appropriate security measures.
When the next warning is issued, check it against your list of priority items. If it doesn't affect anything on the list, there is no need to take action...but you may still want to read it! And remember to review the priority allocated to each type of information at least once a year, and whenever the business changes the way it works.