In the digital age, cyber and data security pose significant challenges for organisations that collect and store it. While physical theft is tangible, data loss remains a hidden risk. Whether unintentional exposure or permanent erasure; data loss impacts an organisation’s time, money, reputation, and legal compliance, explains Andrea Taylor-Jones of Associate Supplier Rod Barlow Consulting.

The British Library suffered a Cyber-attack in October 2023 which had an extensive impact across all areas, affecting users, staff, and stakeholders. While library premises remained open, services were severely restricted for quite some time and a full recovery will take some years.

To defend against unseen threats, we must demystify terms like “cybersecurity” and “the cloud.” Data resides on physical devices—under desks, in pockets, or within data centres. Visualising data storage in these terms helps us plan effectively.

Are you at risk?

Smaller organisations often underestimate their vulnerability. Cybercriminals are indiscriminate, exploiting low-value information. Attackers prioritise targets based on perceived significance, regardless of ransom payment resources.

The main risks include data loss, exposure, and ransomware attacks. Since ransom negotiations rarely succeed, treat ransom situations as loss and exposure.

Here are cost-effective recommendations to minimise risks:

Train and empower employees:

• Educate staff on phishing emails, social engineering, and malware.
• Regular security awareness training enhances vigilance.
• Gamified modules boost engagement and knowledge retention.

Enforce strong password policies:

• Require complex passwords (length, variation).
• Explore and implement multi-factor authentication (MFA) for added security where it is supported by your systems.

Avoid password reuse:

• Discourage using the same passwords across services.
• Breached data from one site can compromise others.

Beware of social engineering:

• Social engineering exploits human vulnerabilities.
• Educate employees to recognise and resist manipulation.

Prioritise software updates:

• Regularly apply updates and patches for operating systems, applications, and firmware.
• Schedule automated updates to minimise risk exposure.
• Address unsupported or end-of-life applications promptly.

Secure sensitive information:

• Encrypt data at multiple levels, especially sensitive databases (e.g., customer info, financial records).
• Enable disk encryption on all devices (desktops, laptops, mobile) at no cost.

Prepare for data loss with backups:

• Follow the 3-2-1 rule: Three copies of data, two different methods, one copy offsite.
• Regularly assess backup security and verify successful restoration capabilities.

Control access and least privilege:

• Limit user access to essential functions based on their roles.
• Remove unnecessary administrator permissions to prevent unauthorised software installations.

Physical security of hardware:

• Secure physical access to servers, computers, and IT equipment.
• Properly dispose of outdated hardware to prevent unauthorised data access.

Third-party risk management:

• Evaluate vendors’ cybersecurity posture before signing contracts.
• Implement data loss prevention (DLP) solutions for secure data movement.

Continuous vigilance is essential for effective cybersecurity. Make sure you leverage free resources like the National Cybersecurity Initiative (Cyber Essentials). Small security improvements can significantly deter cyber-attacks and protect valuable data assets.

Also look at significantly discounted security protection software offered through organisations like Charity Digital.