News, tips and hints from our TISAX® world

Tips for more information security

Information security is becoming increasingly important in the face of growing cyber attacks. However, many companies are slow to focus on this topic. We have put together some tips for you on how you can improve security in your company effectively and sustainably.

Employee training

By far the greatest risk to data security in companies is a lack of employee awareness. Despite this, only just under a third of companies state that they train their employees at least once a year.

However, regular employee training can easily minimize the risk of data loss. Your employees will effectively learn how to recognize and ward off external threats and how they can contribute to greater information security on a daily basis.

Allocation of responsibilities

Appoint a person responsible for IT security and a deputy. Delegate all security tasks to this person and make sure that you are kept informed about the state of information security in your company.

Advice from data protection experts

If more than nine employees in a company regularly process personal data, a data protection officer must be appointed by law (Section 4f BDSG). Although almost all large companies already have an internal data protection officer as required by the GDPR and the BDSG, three quarters of small and medium-sized companies do not. Companies should therefore check their policies against the legal requirements and consult professional data protection officers on how to implement them correctly. Even companies that are not legally required to appoint a data protection officer are well advised to seek advice from an external data protection professional.

Clean Desk Policy

Data protection guidelines can be implemented in very concrete ways, for example through a clean desk policy, a user guideline for the workplace. It requires employees to tidy both their physical and their virtual desk at the end of the working day. In the end, however, it is about much more than a tidy, clean workplace. Behind it is a principle that contributes to organization, and thus to productivity, as well as to the protection of customer data: documents left lying around practically invite unauthorized persons to read them. Companies should draw up clear guidelines so that employees know exactly how to behave.

Legal advice

The legal framework is complex and the GDPR is extensive. Legal experts help you to identify sensitive data and advise companies on how to protect it in a legally compliant manner.

Appropriate passwords and user names

The requirement to set up passwords and user names for computer access follows from the General Data Protection Regulation and its appropriate technical and organizational measures. But what does a good password look like? Strong passwords never consist of easy-to-remember words or combinations of words and numbers, but of a sequence of upper and lower case letters, numbers and special characters that may seem illogical at first glance. In addition, the longer a password is, the more secure it is. A password should be treated like underwear: change it often, don’t share it, don’t leave it lying around, be sophisticated and pay attention to its length. And it should go without saying: never store your password on your PC without a dedicated tool!
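To make the two rules above concrete (use several character classes, and prefer length), here is a small password policy checker, added as an example and not code from the original page. It estimates an upper bound on guessing entropy as length times log2 of the character pool, so you can see why a long lowercase passphrase outscores a short "complex" password. The minimum length, the class requirement and the forbidden-word list are constructed values for this example, not a policy stated on the page.

```python
import math
import string

# Constructed policy values for this example (not from the page): minimum
# length, required number of character classes, and a short list of words
# that must not appear anywhere in a password.
MIN_LENGTH = 12
MIN_CLASSES = 3
FORBIDDEN_WORDS = ("password", "summer", "welcome", "qwerty", "123456")


def character_classes(password: str) -> dict[str, bool]:
    """Which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
    return sum(sizes[name] for name, used in character_classes(password).items() if used)


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(pool), assuming every
    character is drawn uniformly from the pool.  Passwords built from real
    words are weaker than this number suggests, so use it only to compare
    candidates, never as proof that one is 'strong enough'."""
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = sum(character_classes(password).values())
    if used < MIN_CLASSES:
        problems.append(f"uses only {used} of 4 character classes (need {MIN_CLASSES})")
    lowered = password.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the 25-character lowercase passphrase scores
    # far more bits than the 11-character mixed-class password.
    for candidate in ("Summer2024!", "Tr0ub4dor&3", "correcthorsebatterystaple", "x7#Qm2pL9vR!tZ"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, violations: {check_policy(candidate)}")
```

Run it directly to see the comparison; `entropy_bits` deliberately reports an upper bound, which is why `check_policy` still rejects a single-class passphrase under this example policy even though its bit count is higher.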

Back up data

Information security is not just about protecting against attacks, but also about keeping the company operational. Data loss can also result from hardware failure or carelessness. You should therefore ensure continuous data backups and regularly verify that they can actually be restored, for example by performing test restores. Especially at a time when encryption viruses such as Emotet are paralyzing many companies and authorities, a well-planned backup can mean the survival of your company.

Delegate

Business owners are often reluctant to let the reins be taken out of their hands and want to do a lot themselves. This is understandable, but when it comes to IT and information security it can have a major impact on productivity. This is not to say that a CEO or business owner cannot implement a good security policy. However, the introduction usually takes far more time than it would if a specialist did it.

The same applies to ongoing security maintenance, quite apart from how quickly the field changes. Keeping up to date with changes in security standards can be a full-time job. It can therefore be very good for productivity to hire or contract an expert to look after your company’s security protocols and practices.

Classify data

Establish a classification system that defines how information is handled in your company, for each employee, whether internal or external, and also for each of your partners.

By default, classify all company information as “internal”. Particularly sensitive information is “confidential” and publicly accessible information is “public”. Based on this, restrict access rights to what is necessary for the performance of each person’s tasks (“need to know” principle).
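The three levels and the need-to-know rule can be written down as a default-deny access decision, which is useful both for implementing checks and for periodically reviewing who can read what. The code below is an added example, not from the page: it orders the levels public < internal < confidential, requires a subject's clearance to dominate a document's level, gives external partners only public material plus the projects they are assigned to, and compartments confidential documents by project so that even cleared employees need a task-related reason to read them. The subjects, documents and project names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Classification levels from the page, ordered from least to most sensitive.
LEVELS = ("public", "internal", "confidential")


def rank(level: str) -> int:
    """Numeric sensitivity of a level; an unknown label is an error, not 'public'."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    project: Optional[str] = None  # need-to-know compartment for confidential material


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                      # highest level this person may read at all
    external: bool = False              # partner or contractor rather than employee
    projects: frozenset = frozenset()   # projects this person actually works on


def may_read(subject: Subject, doc: Document) -> bool:
    """Default-deny access decision: level check first, then need-to-know."""
    # 1. The subject's clearance must dominate the document's level.
    if rank(subject.clearance) < rank(doc.classification):
        return False
    # 2. Public information needs no further check.
    if doc.classification == "public":
        return True
    # 3. Externals get internal or confidential material only when it belongs
    #    to a project they have been explicitly assigned to.
    if subject.external and doc.project not in subject.projects:
        return False
    # 4. Confidential material is compartmented: need-to-know applies to
    #    employees and partners alike.
    if doc.classification == "confidential" and doc.project not in subject.projects:
        return False
    return True


def access_matrix(subjects, documents) -> dict[tuple[str, str], bool]:
    """Evaluate every subject against every document.  Running this as a
    periodic review shows whether granted rights still match need-to-know."""
    return {(s.name, d.name): may_read(s, d) for s in subjects for d in documents}


# Constructed sample data (not from the page).
SUBJECTS = [
    Subject("alice", "confidential", projects=frozenset({"alpha"})),
    Subject("bob", "internal"),
    Subject("carol", "confidential", external=True, projects=frozenset({"alpha"})),
]
DOCUMENTS = [
    Document("press-release", "public"),
    Document("employee-handbook", "internal"),
    Document("alpha-pricing", "confidential", project="alpha"),
    Document("beta-roadmap", "confidential", project="beta"),
]

if __name__ == "__main__":
    for (who, what), allowed in access_matrix(SUBJECTS, DOCUMENTS).items():
        print(f"{who:6} {what:18} {'ALLOW' if allowed else 'deny'}")
```

Note that `rank` raises on an unlabelled or mistyped level rather than treating it as public: a document that nobody classified should fail closed until someone does.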