In 2020's already chaotic scenario for the construction market, data protection is no less of a risk to business continuity. Keeping the information you have about your clients, projects and the business itself secure is an extra challenge today. Whether you are an enterprise CIO or an SMB owner, keeping your company resilient means taking many aspects into consideration, including the legislation you must comply with and the real blackhat threats out there.
Information technology security has 3 basic pillars: confidentiality, integrity, and availability. This means your data must be accessed only by the people who need it to perform their work, known in the IT market as the "principle of least privilege"; it must be accurate, not damaged or corrupted; and it must be available to those people when and where they need it. These 3 pillars remain necessary during a crisis like COVID-19, if not more so.
It is common to think that your company is not a target and therefore not to invest in this because other issues are more urgent. The misconception here is that, although your company may not be a target by name, blackhats target companies that are not taking care of their security and are easy targets because of that. You do not need a scandal now, nor clients and governments claiming you broke the General Data Protection Regulation (GDPR); even less do you need someone blackmailing you for a few thousand Euros, Dollars, or Pounds to give you back your project’s information.
More than ever, you need your data to keep your business flowing with as few limitations as possible to overcome the current crisis. You would certainly not consider paying blackmail if it happens, as you cannot trust a blackhat hacker to keep their word, and losing your clients is out of the question. This brings you back to the initial premise that you need to find solutions for your business data.
We can assume that if you do not feel at direct risk, you would like to find a solution that demands less investment of resources from your side, in time, money, and personnel. A good start is to pay closer attention to your processes and the software you use to process and store data. Here are the first questions you need to ask yourself or other departments’ teams:
Does your company have internal policies for access to information?
If the answer is not crystal clear, most likely the answer is no. When all your employees have access to any data your company holds, you have a huge liability that may compromise all 3 IT security pillars. Rethink this and consider applying even a simple policy - any will be better than none and it will only require some organization from your IT team and managers.
Where does your company store the data? Who has access to it? Do you have any layer of protection?
Is the information spread across different computers or properly stored on your company’s network? Do you filter access to it by department, or again does everybody have access to it? Is this storage protected somehow? These questions will give you a better overview of the basic security level you are providing for your data, or how much you are lacking.
Is the software your company uses safe? Do its providers claim their responsibility to follow the GDPR and other needed legislation?
It is well known that there is no 100% security, but there are responsibilities to be taken. Just as you assure your clients that the work and products you provide are safe and of good quality, your providers, IT ones included, must do the same. Usually, they have a security statement on their website and often also in their contract.
What kind of passwords are allowed at your company? Are they strong enough? Are they properly stored?
Finally, nothing will be safe if your employees use passwords that are easy to break, such as 12345678, birthdays, or names, among others. Moreover, having a digital file with all the passwords stored is just as much of a liability. Educate your employees on basic care, such as how to create a strong password, and you will reach another level of security.
Those questions might not be easily answered, even less easily implemented, but they are surely worth your attention and time. If you still do not see the point, find someone who has had IT security problems before and hear what they have to say. If they did not go out of business, they are certainly investing in more security levels than this article just proposed.