The concept of IT compliance in business isn’t something you hear a whole lot about, until it goes wrong of course. Then, depending on which company is at fault, it can make for pretty juicy headlines, with lots of finger pointing and brand bashing.
You’re not likely to read about the small solicitors’ firm in York that lost an unprotected laptop containing company or customer data, but if a hacker manages to get hold of large chunks of The Bank of England’s customer account details, you’ll know about it.
Whether the story features on your news feed or not, security and compliance breaches happen all the time and can cause irreparable damage to businesses of any size, so it’s important to understand your obligations and how to protect your business from avoidable disasters.
The label ‘IT compliance’ covers a wide range of things, but it can be separated into two categories.
1. Internal compliance
This covers the processes and procedures set out by a company, looking at how employees with access to information or data are expected to manage, store and protect it.
It also includes guidelines around appropriate use of technology and the IT equipment the team have at their disposal.
For example, an employee streaming video from a compromised site can expose the business network to malware or a ransomware attack. This is a classically underestimated risk, and it is one of the many threats employees should be made aware of.
One of the biggest risks to a business is the assumption that compliance, and the effort required to keep systems safe, is the sole responsibility of the IT department. In reality, breaches are much more likely to result from an employee who doesn’t understand the role they play in keeping the business safe day-to-day: opening a seemingly innocent joke email, or replying to an unusual message asking them to confirm their login details (a classic phishing lure).
Internal compliance should be considered the first line of defence when it comes to ensuring smooth operational efficiency and keeping business networks safe.
Some basic examples of steps to take to ensure compliance and security would include encryption of all devices used, strong and unique passwords backed by multi-factor authentication (rather than forced periodic password changes, which current NCSC guidance advises against), and management sign-off on access to files or systems.
2. External compliance
This is about adhering to best practice principles and the rules and regulations imposed by outside entities, such as industry watchdogs or the government.
For example, legal requirements in certain industries might require emails and other electronic documents or correspondence to be retained and made available on request, either for a defined period or indefinitely.
Supervisory controls that allow records to be produced for regulators or law enforcement agencies on lawful request, or remote data wiping that can be carried out on a lost or stolen device (limiting the damage in the case of a breach), might be prerequisites for a business that handles sensitive, personal or financial information as part of its day-to-day operations.
External compliance has become an important governmental issue in more recent years and the EU’s stance is set to get a lot stricter around the collection and use of personal information, when the General Data Protection Regulation (GDPR) comes into force in May 2018.
Brexit is not a way out either: whatever Britain’s status within Europe once the regulation takes effect, businesses will still have to comply with this legislation or with something very similar.
The Role of IT in Compliance
2017 has had more than its fair share of compliance breaches across the globe, with everything from lost laptops to sloppy patching and sophisticated ransomware damaging businesses that have taken their eye off the ball.
There’s no doubt IT has a big role to play when it comes to business security, but it relies on the right person in a business taking ownership and putting the right measures in place. So, if you’re in any doubt about what’s necessary to protect your business and keep your customers happy, or need to audit your security and compliance set-up, ask an IT professional or an IT consulting service for help.
Better safe than sorry.
Are you ready for GDPR? Find out how to take the first steps towards compliance with this new legislation and how we can help you by downloading our free GDPR-readiness checklist: