Duty of care! Who is responsible in the cybersecurity arena?

In the business world we have all heard the call for duty of care.   Duty of care is the obligation to take every reasonable step to protect someone or something from foreseeable harm.   When it comes to data security, how do you make sure you are doing everything reasonable to protect your clients' information?
It is no longer possible to say that it is not your responsibility if you and your business are collecting information about your clients.   Your duty of care is to protect that information to the best of your ability.   To do that you have to put a number of controls in place.   They are not expensive, but they are crucial.
So here are the top five things that will help you manage your duty of care.

Have a cybersecurity plan

Nothing will improve your cybersecurity protection like a plan.    A plan can be a single page listing specific things to do, or it can be a 300-page report detailing everything that has to be in place, with maps, charts, diagrams and processes.   Whatever form it takes, you have to have a plan.

Use technology to plug the gaps

Roughly half of the attacks on a business come from outside the perimeter.   Technology can plug that gap effectively, efficiently and economically.   Firewalls, intrusion detection, secured wireless, VPNs and endpoint protection, together with up-to-date operating systems and applications, all make it harder for an outsider to reach your data.

Keep track of who has access

Whatever the size of your business, all the information in it needs some level of protection.   The moment you need to segregate your data so that only certain people and groups can reach it is the moment to implement some level of auditing.   With auditing comes training and a high degree of management.    If your business keeps track of people trying to access data they should not have access to, and brings those attempts to light, the number of times it happens will drop drastically, and the culture of the business will change with it.
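One way to act on that last point, as an added example (not code from the post or from the SME Security Framework): a short Python script that reads access-audit records and flags any user who is denied access to data repeatedly within a short window. The log format, the sample lines and the threshold (three denials in an hour) are constructed assumptions for the example; a real file server or Windows object-access log carries the same fields under different names, so only parse_line() would need adapting.

```python
"""Surface repeated access-denied events from an access-audit log.

Added example. The "key=value" log format below is constructed and
product-neutral, not the output of any specific product; adapt
parse_line() to the real source (file-server logs, Windows object-access
auditing, Linux auditd all carry the same fields under other names).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one user probing finance and HR files repeatedly,
# one user with a single denial (typo or stale shortcut), one user
# reading what they are allowed to read.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=jsmith resource=/finance/payroll.xlsx action=read result=DENIED
2024-03-04T09:12:40 user=jsmith resource=/finance/payroll.xlsx action=read result=DENIED
2024-03-04T09:13:15 user=jsmith resource=/finance/board-minutes.docx action=read result=DENIED
2024-03-04T09:14:02 user=jsmith resource=/hr/salaries.csv action=read result=DENIED
2024-03-04T09:20:00 user=apatel resource=/sales/pipeline.xlsx action=read result=ALLOWED
2024-03-04T09:21:10 user=apatel resource=/hr/salaries.csv action=read result=DENIED
2024-03-04T10:05:33 user=mlee resource=/finance/payroll.xlsx action=read result=ALLOWED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ALLOWED|DENIED)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None to skip it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(text):
    """Parse every well-formed line of the log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def repeated_denials(records, threshold=3, window=timedelta(hours=1)):
    """Users with at least `threshold` DENIED events inside any `window`.

    Returns {user: sorted list of distinct resources they were denied}.
    A single denial is usually a typo or a stale shortcut; a cluster of
    them across several resources is what to raise with the person and
    their manager.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "DENIED":
            by_user[r["user"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = sorted({e["resource"] for e in events})
                break
    return flagged


def denial_counts(records):
    """Denied attempts per user, for the periodic access report."""
    return Counter(r["user"] for r in records if r["result"] == "DENIED")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, resources in repeated_denials(recs).items():
        print(f"{user}: denied on {len(resources)} resources -> {resources}")
    print(dict(denial_counts(recs)))
```

Run against the sample, it names jsmith as the person to talk to: four denials across three finance and HR files within two minutes. apatel's single denial is left for the monthly count, which is the right split between what gets raised immediately and what gets reviewed as a trend.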

The internal thief is probably a bigger problem than the outside

Salespeople have a reputation for guarding their client information, and when they leave a business many think it is their “god given” right to take it with them.
Getting everyone, including management and owners, to sign a confidentiality agreement when they start work protects the business entity.   It redefines the salesperson's perspective and channels the sales funnel into the business rather than into the perceived pocket of the salesperson.   Yes, I know that people do business with people, but those people still work for the business, and the information created along the way is part of the business's IP.

Passwords are normally your weakest link

We all have them and most of the time we absolutely loathe them, but at the moment they are a necessary evil for business.    Because they are so important, passwords have to be long and hard to guess, and they must be changed as soon as there is any sign of compromise; current guidance (NIST SP 800-63B) no longer favours forcing a change on a fixed schedule, because that pushes people toward predictable variations of the old one.   They also need to be created, and stored, in such a way that they will not be written down and kept in drawers or stuck to computer screens; a password manager is the practical way to achieve that.
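To make the "hard to guess" requirement concrete, an added example (not code from the post): a Python check that applies the NIST SP 800-63B approach, a minimum length plus a blocklist of known-compromised or predictable passwords and the user's own name, instead of character-class rules. The blocklist, the 12-character minimum and the sample passwords are constructed assumptions for the example; a real deployment would screen against a breached-password corpus such as Have I Been Pwned's Pwned Passwords.

```python
"""Check a proposed password the way current guidance suggests.

Added example, not code from the original post. It follows the NIST SP
800-63B approach: check length and a blocklist of compromised or
predictable passwords, rather than enforcing character-class rules or
scheduled rotation. MIN_LENGTH of 12 is an assumption (NIST's floor is
8); the blocklist is a tiny constructed sample standing in for a real
breached-password corpus.
"""
import hashlib
import unicodedata

MIN_LENGTH = 12   # assumption for this example; longer is better
MAX_LENGTH = 128  # generous upper bound so passphrases are not penalised


def normalize(pw):
    """NFKC-normalise so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", pw)


def sha1_hex(pw):
    """SHA-1 hex digest, the format breached-password corpora publish."""
    return hashlib.sha1(normalize(pw).encode("utf-8")).hexdigest()


# Constructed blocklist, stored as digests so the check never keeps the
# plaintexts around. A real list holds hundreds of millions of entries.
_BLOCKLIST_PLAINTEXT = [
    "password", "password1", "Password123!", "qwerty123456",
    "letmein", "welcome1", "Summer2024!", "123456789012",
]
BLOCKLIST = {sha1_hex(p) for p in _BLOCKLIST_PLAINTEXT}


def check_password(candidate, username="", org_words=()):
    """Return (ok, reasons). ok is True only when no rule failed.

    org_words is an optional list of company-specific words (brand,
    product, street) that staff predictably put in passwords.
    """
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if sha1_hex(pw) in BLOCKLIST:
        reasons.append("appears in the compromised/common password list")
    low = pw.lower()
    if username and len(username) >= 3 and username.lower() in low:
        reasons.append("contains the username")
    for word in org_words:
        if len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains the organisation word {word!r}")
    if len(set(pw)) <= 2:
        reasons.append("repetitive (too few distinct characters)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw, user in [("Password123!", "jsmith"),
                     ("correct horse battery staple", "jsmith"),
                     ("jsmith-jsmith-2024", "jsmith")]:
        ok, why = check_password(pw, username=user, org_words=("Acme",))
        print(f"{pw!r}: {'OK' if ok else 'REJECT ' + '; '.join(why)}")
```

Note that "Password123!" satisfies every classic complexity rule (upper, lower, digit, symbol) and is still rejected, because it is on the blocklist, while the long passphrase passes with no symbols at all. That is the point of the 800-63B approach: length and non-predictability are what resist guessing, and a password manager lets staff use long unique passwords without writing them down.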
Be vigilant and paranoid when it comes to protecting your business data; this will translate into a higher level of duty of care for your customers.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO of R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.