The United Kingdom Information Commissioner’s Office has issued a guide to IT security, targeted at small businesses. The guidance highlights that a breach of data protection legislation can incur a fine of up to £500,000 as well as causing a business serious reputational problems.  Although the guidance is specifically targeted at small organizations it is clear that the ICO would expect larger businesses to take these steps as a minimum.

A layered approach to security is recommended – using a number of different tools and techniques ensures that if one level of protection fails, other safeguards remain in place. Key recommendations are:

  • Managing physical security to protect against any break-in. Servers should be in a separate room with added protection. Back-up devices should not be left unattended and should be locked away when not in use
  • Anti-virus and anti-malware products should be used regularly to scan networks and should be kept up to date
  • Breaches should be stopped before they penetrate deep into a network through the use of a well-configured firewall
  • Access should be restricted appropriately. Strong passwords should be used and access should be revoked when an individual leaves the organization
  • Staff awareness and training – all staff should be aware of their roles and responsibilities and be able to recognize threats to the business
  • By segmenting and limiting access to a network, the severity of a data breach can be limited e.g. a web server should be separate from a main file server
  • Policies should ensure that risks can be addressed in a consistent manner and should integrate with business processes
  • Unused software and servers should be removed from devices

The guidance provides advice about protecting data in transit through encryption, using remote or disabling facilities in mobile devices, and only transferring personal data where necessary. Further advice is given about managing data processor relationships and ensuring that only necessary personal data is held.

Courtesy of Mike Bradford, BIIA’s expert on privacy and data protection.  Mike Bradford can be reached at: mike.bradford@regulatorystrategies.co.uk or www.regulatorystrategies.co.uk