Compliance in the IT industry comes in many shapes and sizes, but its ultimate goal is to establish your business as a reliable, secure and trustworthy enterprise when it comes to Information Technology. For some time, it was tricky for businesses to set up and manage their IT infrastructure in a way that was comparable to other businesses of a similar nature. Believe it or not, there was no definitive “industry standard”, which meant that IT was a free-for-all depending on who was in charge. That’s not to say it was necessarily a bad thing, but because there was a lack of process, if there was a problem you would have had to spend a lot more time and effort to resolve it. Standardisation helped to consolidate and refine industry processes so that there were guides and frameworks for businesses to follow. We won’t list every single framework here (otherwise we’d run out of space!), but there are some modern-day standards that are easy to implement in your business and also make a difference.
GDPR
This doesn’t strictly apply just to IT, but it is certainly relevant for companies that handle customer data. In 2020, that includes a lot more companies than you’d think! Data is the modern business currency: we use vast quantities of it every day, and we transfer it to other businesses across the globe. The key aspect to note with GDPR is that whatever customer data you hold, you must hold it securely. There have been notable news stories in the last few years of big-name companies like British Airways being fined millions of pounds for data breaches, where customer data is visible to someone it should not be. You’re responsible for the data you hold. If you lose it, or someone within your business who shouldn’t have access to the data does, you will be held responsible. And, just like those big-name businesses, in the worst case you could be subject to hefty fines (a maximum of €20 million or 4% of annual global turnover, whichever is greater).
PCI DSS
Payment Card Industry Data Security Standard (that’s a mouthful!) is a way of ensuring that businesses can reliably take card transactions from buyers, including online transactions. There are six aspects to PCI DSS that you need to be aware of:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Luckily with PCI DSS, many major payment companies like Visa and Mastercard already have systems in place to help with this, so if you are using a third-party payment system to handle transactions, there’s a good chance you’re already protected. However, you should always do your due diligence before investing in a product.
You can already see a trend with both GDPR and PCI DSS: handling data correctly is paramount. If you’re lacklustre in looking after your data and you fall victim to a data breach, then you are in breach of these standards. There is always an element of human error involved with breaches, but if you can do your best to show that you are compliant and following these standards, you should be fine.
Cyber Essentials
This is a more IT-based standard that is easily achievable but can be of great benefit to your business. It certifies that you are cybersecurity compliant and have put measures in place to protect you against all manner of cybersecurity attacks. There is also the next stage of the certification, called Cyber Essentials Plus, which shows you really champion IT security in your business.
Cyber Essentials should be relatively straightforward to achieve, as it asks you to implement basic procedures that you should really be doing already: things like enforcing a password policy so that users must use strong passwords that need to be changed on a regular basis.
Why should I comply?
We’ve mentioned this already, but the risks are the main reason you should make compliance a priority. It’s in your best interests to follow these standards, otherwise there is a good chance you could suffer financially and reputationally.
You will also be protected against common threats. This should really be a no-brainer, as protecting your business and its IT infrastructure is vital to reduce downtime and the risk of losing business. Again, this will result in a financial hit for you. Being certified in these regulations also demonstrates to anyone you work with (customers, contractors and the like) that you take security seriously and that you value your business, as well as those you work with. This makes you more trustworthy to prospects. You may also find that certain affiliates require you to have these standards in place before they even consider working with you.
How can I comply?
Compliance comes in many shapes and forms, but there are normally some basic requirements that can set you on course to compliance. To get a complete lowdown on what your business needs are and how best to achieve them, contact us at firstname.lastname@example.org or call 01843 572 600.