When asked what information they didn't think was sensitive, answers included employee details, emails, supplier information, customer details, company financial details and details of new products, services and ideas.
A good way to determine what information you need to protect is to list all your business information. Then, for each item, consider whether there would be an impact if it were in the hands of a criminal or a competitor, or if it were not available for several days because your place of work was unavailable. Where there is an impact, you need to take measures to protect it. Measures can include applying software patches, making (and testing) backups, securing paper records, and training staff to spot 'phishing' emails that can install malware on your computers.
Here are some examples of information held by a typical small business.
- Emails with business information
- Personal emails sent by staff using the company email system; possible impact as emails include the company footer, and this could imply the company supported personal comments
- Company financial details, including how to access the bank account
- Employee details, on paper and on computers
- Website; there would be an impact if a criminal got access and used the website to deliver malware to people that viewed it
- Twitter; there would be an impact if a criminal got access and put up links to malware or made offensive comments