February 2018

6 IT GDPR compliance actions for your business

IT Security is critical, regardless of the size of organisation. it’s estimated that only a quarter of businesses will be ready for GDPR, get one step ahead with our easy to use, quick run-down on actions you can take..

With GDPR (General Data Protection Regulations) now less than 3 months away, it is more vital than ever to put in place a strong, comprehensive IT Security Policy for your organisation.

Many companies, simply do not know where to start, to try and help with this, we have put together 6 checks you can perform accross your environment to help you plan and implement better IT Secuity as part of your ongoing GDPR Compliance efforts.

We break it down into bite sized chunks and put together the following list of 6 checks:

  1. Implement a strict password policy
    Whilst an obvious step, many organisations still are using basic, unsecure passwords like: “123456” or “password1”. If you havent already, ensure you put in place a robust policy to govern the creation and maintenance of your passwords, especially for management! Ensure passwords are not kept in stilly places, such as Post-IT notes on screens, or in a .txt file on a desktop. Use a good password management tool such as: Keepass (Download a free copy here) Your passwords should not be simple to remember. An 8-character alphanumeric password, with small and large caps, and including special characters is preferable. Finally for all you SysAdmins out there, forcibly implement a password security policy through your server using GPO, or ask your provider to do so.
  2. Payment and transfer of funds procedure
    Implement a standardised procedure to handle all financial transactions including payments and procurement. Include an authorisation policy to personally or verbally confirm all irregular or unusual payment And transfer requests. Whilst most larger companies will have something in place organisations with less than 50 employees tend to be lacking in strict operational procedures and this is, surprisingly, a common procedure that is missed out!  Do not rely on details provided in emails either, even if it looks to come from someone in your company, if in doubt arrange some Phishing Training with your staff to help mitigate user-error.
  3. Evaluate emails and check who they appear to be from
    Unsure if you were expecting an Invoice from a Supplier? Does the format look slightly different? Be mindful of the tone, language, structure and writing style of all emails containing links or attachments. It’s good practice to hover over links in email to explore the domain the link points to. If it doesnt look absolutely perfect and as expected, do not click it. Double-qualify the email signature and images used. Look at the email address, does it look odd? This is something that can easily be solved with a quick phone call or a verbal confirmation from the sender as well as to stop, look and evaluate the situation. Losing a couple of minutes to triple check is far better than risking a security breach. Educating and training for all staff is especially important, with mandatory training for new employees.
  4. Use Business-Grade Anti-Virus, Spam and Web Filtering Solutions
    Kill threats in their tracks by stopping them before they can do any damage with enterprise Anti-Virus, Spam and Content Filtering. Create layers of overlapping security especially when it comes to incoming data like emails, web browsing and downloading. Prevent phishing attempts and intrusions by implementing solutions that will aggressively filter out viruses, spam and threats from unusual or untrustworthy domains and addresses. It’s also highly recommended to ensure you have a physical firewall device, we tend to prefer SonicWall Firewalls in place for your network and internet access as this will help protect you from external threats and attacks.
  5. Manage your Patches!
    Keep up to date, and dont ignore those regular updates for your operating system and software tools. Your provider should be ensuring your software is updated on a regular schedule, ideally at least once a weak. If you are a running old software such as Windows XP or Server 2003, consider an upgrade, they are unsupported by Microsoft, so will no longer get security patches and act as one large liability within your IT environment. Updates include operating system patches (especially security updates), third party application updates and anti-virus definitions. T 310,000 viruses appear every day, so you can see why its important to keep ahead of the curve!
  6. Have a backup solution & continuity plan in place
    Do you know how long it will take you to recover if a critical server fails? What happens if there is a large Ransomware outbreak detected on your network? Planning is key to ensuring you can keep your organisation operational in a crisis. Not all backup solutions are suitable for fast-paced companies. It pays dividends to check your solution truly is fit for purpose. A bad backup procedure, or slow restore can put back businesses by days and in some cases weeks, so if you haven’t reviewed your plan, with GDPR on the horizon, it’s definately the time to do so. Ensure that you already have disaster recovery redundancies in place so that you can recover at a very minimum 24 hours worth of data and system states. Ideally implementing high availability will also speed up your restoration and recovery process.



Every company is at risk of data and security issues. A Cyber Essentials with IASME Audit will help your organisation implement the right prevention and protection solutions to ensure that your data remains in-house, protected and not the victim of a breach.

Further Reading: