Business Security

IT and online security are vital for organisations of any size. Neglecting them risks business interruption, legal or regulatory non-compliance, lost revenue, reputational damage or, at worst, business failure. You therefore need to take a systematic approach to security, and the first step is to compile and implement an effective business security plan.

Get Safe Online's top tips... If you do not already have a business security plan, compile and implement one as soon as possible. Review your plan regularly in line with your changing business needs, market conditions and evolving threats.

Writing and implementing a security plan does not have to be a daunting task. A good plan today is better than a perfect plan tomorrow, and it can always be updated and refined later. 

What to include (this is not a definitive list)

An effective security plan will include the following considerations. For smaller businesses, some may not be relevant or appropriate:

  • Management buy-in and commitment
  • External parties (customers, suppliers, partners, stakeholders)
  • Establish information security policy
  • Information risk management
  • Responsibility for information assets
  • Information classification (for example public, internal, confidential)
  • New employee vetting
  • Non-disclosure agreements
  • Awareness and training
  • Secure areas and access control
  • IT equipment security
  • Operational procedures and responsibilities
  • New IT systems and upgrades
  • Malware protection
  • Backups
  • Employees’ own devices (bring your own device)
  • Exchange of information (including third parties)
  • Electronic and mobile commerce 
  • User monitoring
  • Access management
  • User responsibilities (including employment contracts)
  • Mobile and remote working
  • Network security management
  • Network encryption
  • Correct processing in applications to ensure data integrity
  • Security within development and support 
  • Vulnerability management
  • Reporting issues and weaknesses
  • Incident management and escalation
  • IT security aspects of business continuity management
  • Compliance with legal requirements (including the Data Protection Act)
  • Compliance with Payment Card Industry standards (PCI DSS)
  • Compliance with specific industry requirements (such as financial services, medical)