Information Commissioner's Office
Printable version E-mail this to a friend

ICO launches IT security guide for small businesses

The Information Commissioner’s Office (ICO) has yesterday published a new guide for small and medium sized businesses, showing a series of clear, practical steps they can take to help make their IT systems safe and secure.

The guide, which covers topics such as physical security, anti-virus defences and employee awareness, can help small businesses keep personal data secure, and avoid a serious data breach that could see the ICO impose a monetary penalty of up to £500,000.

Information Commissioner, Christopher Graham, said:

“Since November 2010 the Information Commissioner’s Office has had to serve civil monetary penalties totalling over £1.5 million on organisations that failed to take the necessary measures to keep peoples’ information secure.

“While we recognise that the biggest companies and organisations will have many of these strategies already in place and have spent a great deal of money on securing their IT systems, smaller enterprises often tell us that they would benefit from simple and clear advice specifically designed for them.

“This guide aims to support these companies by providing a starting point and recommendations that cost little to adopt, but can significantly reduce the risks of a serious data loss and the reputational and financial damage that can result.”

The guide includes a checklist, as well as more detailed advice on:

  • securing data on the move;
  • keeping you and your systems up to date;
  • keeping an eye out for problems;
  • knowing what you should be doing; and
  • minimising the data you keep.

Mr Graham continued:

“Following this guidance is not just about minimising risk. Businesses that prioritise the safety of their customers’ personal data will have a real competitive advantage.”

Mike Cherry, Policy Chairman, Federation of Small Businesses, said:

“It’s important that the ICO have published this guidance specifically for small businesses. Good IT and data security should be part and parcel of good business practice and businesses should think about the simple steps that they can put in place to achieve this. The guidance should help businesses do this.”

View 'A practical guide to IT security' 

A copy of the guidance is also available to order at the ICO's request publications page.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our Press Office page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. This news release is also available in Welsh (Cymraeg)

Mobilising excellence in prison operations