IT security and data protection

Small companies should avoid these mistakes

IT security and data protection are increasingly proving a headache for small companies as digital transformation progresses. Wolfgang Sidler, the owner of the IT consulting firm Sidler Information Security, explains the biggest mistakes that those running small businesses should avoid.

  • Improve the situation by setting an example as the owner or as a member of the executive board with regard to IT security and data protection, for instance by producing guidelines for the use of passwords, mobile devices, information, e-mail and the Internet. Show that IT security and data protection matter to you personally, and ensure that appropriate measures are not only introduced but actually implemented.

  • Free cloud services are practical and easily accessible, but they are no place for confidential documents such as customer contracts or purchase price lists. Don't forget that with free cloud solutions your data is generally stored outside Switzerland, where it may not receive the level of protection Swiss data protection law requires. Adopt a cautious approach to cloud solutions and, as a minimum requirement, opt for certified cloud services based in Switzerland.

  • One of the greatest risks to IT security and data protection is careless data loss or data theft due to errors made by you or employees. If business notebooks are left lying around unattended in external meeting rooms, passwords are written on post-it notes by the computer or confidential documents are placed in a free Dropbox folder, this may have serious consequences for the company. Raise employees’ awareness of IT security and data protection and provide them with training. It’s well worth it. The most expensive firewalls and security solutions are no good if employees enable malicious attacks by making mistakes.

  • IT security and data protection are too crucial to ignore. Address the issue and set aside a budget to evaluate and optimize the situation at your company with an external consultant. Adopt a pragmatic approach by defining fewer measures but then ensuring they are implemented. In this way, you will prevent IT security and data protection from becoming a bottomless pit. When defining measures, the target triangle of risks, user-friendliness and costs must be taken into account.

  • Effective risk management is the basis for all IT security and data protection measures. Reflect on which risks your company is exposed to and what the worst-case scenario is if one of the major risks materializes. Ask yourself the following questions:

    • What are our crown jewels regarding IT and data that must be protected?
    • What threats and dangers are these crown jewels exposed to?
    • What are the risks to and weaknesses in our IT infrastructure?
    • What damage could security vulnerabilities cause to your company?

    Then plan measures for every risk identified, estimate the costs of implementation and define responsibilities and deadlines. You also have to accept that 100% protection is impossible. Determine which residual risks you can accept and bear yourself. One increasingly common way of covering residual risk is a cyber insurance policy.

  • In the age of digital transformation, the IT security and data protection landscape is changing at an ever increasing pace. You should view IT security and data protection as an ongoing task rather than a project with a start and end point. Check that your IT meets the latest security standards at regular intervals.

  • Manage user access authorizations and ensure that employees only have the access rights they need to do their job (the need-to-know or least-privilege principle). Review the current user authorizations at least annually, and establish an effective joiner and leaver procedure so that accounts are created with the right permissions when someone arrives and removed promptly when someone leaves.
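The annual review described above can be largely automated, even at a small company, by comparing the HR roster with an account export from each system. The following script is an added example by the editor, not code from the article or from Sidler Information Security. The role-to-permission baseline, the HR roster and the account export are constructed sample data; real input would be CSV exports from the HR tool and the system being reviewed. It flags three things a reviewer would want to see: accounts of people who have left, accounts with no HR record (orphan or unowned accounts), and accounts holding permissions beyond what their role needs.

```python
"""Access review over an HR roster and an account export.

Example added by the editor; not from the original article.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical baseline: the permissions each role actually needs (need-to-know).
ROLE_BASELINE = {
    "accounting": {"erp.read", "erp.post_invoices"},
    "sales": {"crm.read", "crm.write"},
    "it": {"erp.read", "crm.read", "admin.users"},
}

# Constructed HR roster: user id -> (role, still employed?)
HR_ROSTER = {
    "anna": ("accounting", True),
    "ben": ("sales", True),
    "carla": ("it", True),
    "dave": ("sales", False),      # left the company
}

# Constructed account export from a system: user id -> permissions granted
ACCOUNT_EXPORT = {
    "anna": {"erp.read", "erp.post_invoices", "admin.users"},  # admin right not needed
    "ben": {"crm.read", "crm.write"},
    "carla": {"erp.read", "crm.read", "admin.users"},
    "dave": {"crm.read", "crm.write"},                         # leaver still active
    "svc_backup": {"erp.read"},                                # no HR record
}


@dataclass
class Findings:
    leavers_still_active: list = field(default_factory=list)
    orphan_accounts: list = field(default_factory=list)
    excess_permissions: dict = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.leavers_still_active or self.orphan_accounts
                    or self.excess_permissions)


def review_access(roster: dict, accounts: dict, baseline: dict) -> Findings:
    """Compare granted permissions against the roster and role baseline."""
    findings = Findings()
    for user, perms in sorted(accounts.items()):
        if user not in roster:
            # Nobody in HR owns this account: service account or forgotten user.
            findings.orphan_accounts.append(user)
            continue
        role, employed = roster[user]
        if not employed:
            # Leaver procedure failed: the account should have been disabled.
            findings.leavers_still_active.append(user)
            continue
        extra = perms - baseline.get(role, set())
        if extra:
            # Rights beyond the role's need-to-know set.
            findings.excess_permissions[user] = sorted(extra)
    return findings


def format_report(findings: Findings) -> str:
    """Render findings as plain text for the reviewer to sign off."""
    lines = []
    for user in findings.leavers_still_active:
        lines.append(f"LEAVER STILL ACTIVE: {user}")
    for user in findings.orphan_accounts:
        lines.append(f"ORPHAN ACCOUNT: {user}")
    for user, extra in findings.excess_permissions.items():
        lines.append(f"EXCESS PERMISSIONS: {user} -> {', '.join(extra)}")
    return "\n".join(lines) if lines else "No findings"


if __name__ == "__main__":
    print(format_report(review_access(HR_ROSTER, ACCOUNT_EXPORT, ROLE_BASELINE)))
```

Each finding maps to an action: disable the leaver's account, assign an owner to the orphan account or remove it, and strip the excess permission or document why the exception is justified. Running the same comparison after every departure turns the leaver procedure into something that can be checked rather than assumed.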

  • All technical IT security and data protection measures require organizational measures as well, in the same way that cars need to be serviced regularly. If you install a firewall, for example, it always has to be kept up to date. Define the relevant tasks, responsibilities and deadlines.

  • The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018. It governs how companies have to handle personal data throughout the EU. The GDPR also applies to companies headquartered in Switzerland that record personal data of people in the EU on their websites (e.g. via cookies) in order to offer them goods or services in the EU. Such companies need a lawful basis for the processing: typically the explicit consent of the persons concerned, or a demonstration that their legitimate interest in collecting the data outweighs the fundamental right of the persons concerned to data protection.

About our expert

Wolfgang Sidler is the owner of and a security consultant at Sidler Information Security GmbH, founded in 2009 and based in Hünenberg, and advises both SMEs and large companies on IT security and data protection. He has also worked for the data protection officer of the canton of Lucerne since 2009 and lectures at the faculty of law at the University of Lucerne. The business IT specialist holds a Master of Advanced Studies in Information Security and previously worked as a security expert for various banks, insurance firms and other companies, including abroad.
