On 16th January 2016, the UK Information Commissioner’s Office (ICO) published a useful advice note on IT security for small businesses, called “A Practical Guide to IT Security”, a copy of which can be found here. It is well worth a read for all owners and senior managers of small businesses, however tech savvy they may be as individuals, because it addresses the key legal and security requirements faced by small businesses in a way which should enable those owners and managers to put in place robust IT security policies and procedures that even the least tech savvy employees are able to understand and follow.
The advice note is divided into ten sections, which all contain sensible common-sense suggestions about how to evaluate the IT security risks faced by your small business, and put in place procedures to protect your business’ data and systems.
Section 1 invites small businesses to work out what data they have and therefore to understand what sorts of risks need to be addressed going forward.
Section 2 addresses the question of the secure configuration of internal IT systems and networks.
Section 3 looks at ensuring that the data used by your business is not only secure in the office but also when it leaves the office, whether via employee laptops or memory sticks, or by post or email to a third party.
Section 4 contains IT security advice about data stored in the Cloud.
Section 5 addresses the importance of data backup and the security issues to be addressed when making and keeping data backups.
Section 6 looks at how staff can be trained to work in a way which better protects the security of the business and its data.
Section 7 has some useful advice about how to spot IT security issues, bearing in mind that many IT and network security breaches may go unnoticed for a period of time, particularly in a business where there is either no dedicated IT support or only reactive “break fix” support for IT and network issues.
Section 8 gives advice about putting in place written policies and procedures on IT security suitable to the needs of the relevant business, which staff understand and follow.
Section 9 is about not keeping more data than you need to. The advice note makes the point that the less data you have, the less there is that can be stolen or compromised, which is always a cheering thought.
Section 10 makes the connection between a business’ internal procedures and the procedures followed by any external IT support used by the business. If the internal procedures of the business are good, it will be that much easier to ensure that your outsourced IT support folks work to standards which you know meet or exceed your legal obligations and properly address your business priorities.
If you are interested in putting in place an IT security policy for your business in compliance with English law requirements, or need legal advice about the UK data protection or data retention frameworks, please contact Katherine Evans at firstname.lastname@example.org