Non-Negotiable Elements For Your Business IT Security Plan
In 2019, having a business IT security plan is more important than ever. An IT security plan is the first line of defense you have for protecting your business – and your clients – against cybercriminals.
Cybercriminals include hackers, who frequently obtain personal information with the intention of selling it or using it for identity and credit card fraud. Under data protection laws like GDPR, your business can be held liable if an unauthorized party accesses your customers’ personal information, including names, birthdates, and more. Fines for a data breach are usually calculated per stolen record, but a GDPR violation can cost as much as €20 million.
Data breaches are a serious threat to your business
The number of reported data breaches in the United States is rapidly increasing. In 2013, there were 614 reported data breaches. The number of reported data breaches more than doubled in 2017 to 1,579. Keep in mind not all data breaches are reported.
What an IT security plan will do for your business
An IT security plan, according to Invisionkc.com, is a collection of software, hardware, and policies all designed to create a secure digital environment for your business. For example, a firewall is software (or a dedicated appliance) that creates a barrier between your company’s data and anyone who might want to access it, controlling which network traffic is allowed through. Anti-malware software protects your network from viruses, trojan horses, worms, spyware, and ransomware.
Other components of an IT security plan include a mobile device plan that provides direction and rules for using mobile devices on your company network. Part of a mobile device plan should include requiring a password on the device just in case it’s stolen or lost.
A critical component of an IT security plan is having data backups in the cloud. If someone hacks your server or your datacenter suffers a catastrophe that wipes everything out, you’ll be thankful for having your data backed up to the cloud.
Your IT security plan should prohibit using public Wi-Fi
Unfortunately, most people are only vaguely familiar with the threats posed by public Wi-Fi. Among those threats are:
- Man-in-the-middle attacks. This is the most common attack on public Wi-Fi: an attacker positions themselves between your device and the service you are talking to, intercepts the data passing between the two parties, and then relays it so that neither side notices anything is wrong.
- Rogue Wi-Fi networks. A hacker can walk into a coffee shop and set up a network whose name is an exact copy of the establishment’s network. Unsuspecting patrons will join the first network that looks correct, not realizing that the attacker now sits between them and the internet and can see or alter any traffic that isn’t encrypted.
Free Wi-Fi that doesn’t require entering a password isn’t secure. It’s not even secure to share a password-protected network with people you don’t know. Your IT security policy should have a mandatory ban on using public Wi-Fi while working with company data, including logging into any work-related accounts.
Strict BYOD policies should be non-negotiable
A strict bring-your-own-device policy is a necessary, non-negotiable component in every IT security plan. The best BYOD policy is to not allow employees to use their own devices, but that might not be easy to do. Many people are used to using their own devices for work and will expect all employers to permit the use of personal devices.
To tighten security when employees use their own devices, you need to set non-negotiable protocols and rules to follow. For example, one of the most important rules to implement is stipulating that employees using personal devices for work should have no expectation of privacy. You need to get written permission to access their device when needed, except in circumstances prohibited by law.
Another non-negotiable is prohibiting employees from using their device while driving. If they cause an accident while using their device, it doesn’t matter if they’re driving after office hours. If they were engaged in a work-related task, you could be held liable.
Mandatory data encryption is another important stipulation for a BYOD policy. If company data stored on a personal device is not encrypted at rest, your company is at risk the moment that device is lost, stolen, or compromised while logged onto an unsecured, public Wi-Fi network.
Create your IT security policy ASAP
Don’t wait to start drafting up an IT security policy. While you’ll need more than a BYOD policy, that’s a great place to start. Use this BYOD policy template to get started. Your business can’t afford to risk a potentially devastating data breach.