Information security
No. of Questions:19
Risk management




Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that information.

You should consider all processes involved as you collect, store, use, share and dispose of personal data. Also, consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.

With a clearer view of the risks you can begin to choose the security measures that are appropriate for your needs.

* Information Risk Management Regime in 10 Steps to Cyber Security, GOV.UK website


Information security policy




A policy will enable you to address security risks in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific policies.

The policy should clearly set out your business' approach to security together with responsibilities for implementing the policy and monitoring compliance.

You or your business should have a process in place to ensure that information security related policies and procedures are reviewed and approved before implementation.

You should then give policies and procedures set review dates, and review and update them in line with agreed timescales or when required.

It is good practice to have a document in place that sets out the agreed style all policies, procedures and guidance documents must follow, and to communicate it to relevant managers and staff.

* Information security, in ICO Guide to data protection

* Staff policies, Get Safe Online website


Information security responsibility




It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the security policy. They should have the necessary authority and resources to fulfil this responsibility effectively.

For larger organisations, it is common to appoint 'owners' with day-to-day responsibility for the security and use of business systems.

Without clear accountability for the security of systems and specific processes, your overall security will not be properly managed or coordinated and will quickly become flawed and out of date.

* Information security, in ICO Guide to data protection


Outsourcing




Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services. You must be satisfied that these 'data processors' will treat your information securely as your business will remain responsible for ensuring the processing complies with the DPA.

You must choose a provider that gives sufficient guarantees about its security measures. For example, you might review copies of any security assessments and, where appropriate, visit their premises to make sure they have appropriate security arrangements in place.

You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.

If you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment if it is resold.


Incident management




Data security breaches may arise from a theft, an attack on your systems, the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure.

However a breach occurs it is important that you deal with it effectively and learn from it. You should have a process to report breaches to management as soon as staff become aware of them, and to investigate and implement recovery plans.

Ideally, you should monitor the type, volume and cost of incidents to identify trends and help prevent recurrences.

* Notification of data security breaches to the ICO, ICO website

* Incident Management in 10 Steps to Cyber Security, GOV.UK website


Training and awareness




You should brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment. You should also train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report data security breaches.

You should ensure that staff with specific security responsibilities or with privileged access to business systems are adequately trained and qualified as appropriate.

You should schedule training to take place on or shortly after appointment with updates at regular intervals thereafter or when required. You should also reinforce training using other methods including intranet articles, circulars, team briefings and posters.

Well-designed security measures will not work if staff do not know about or follow business policies and procedures. You should make policies and procedures available to all staff using staff intranet pages, policy libraries or through leaflets and posters.

It is good practice to circulate bulletins or newsletters to help disseminate and inform staff of new policies and subsequent updates when required.

* User Education and Awareness in 10 Steps to Cyber Security, GOV.UK website

* Training checklist for small to medium sized organisations, ICO


Secure areas




You should consider entry controls such as doors and locks, and whether premises are protected by alarms, security lighting or CCTV. You should also consider how you control access within premises and how you supervise visitors. Servers should be located in a separate room and protected by additional controls.

* Information security, in ICO Guide to data protection

* Physical security, Get Safe Online website

* Physical security, CPNI website


Secure storage




All your staff should lock away paper records and mobile computing devices when not in use ('clear desk and equipment'). Also, you should encourage staff to promptly collect documents from printers, fax machines and photocopiers, and you should switch devices off outside business hours. Ideally, you should implement secure printing.

* Information security, in ICO Guide to data protection


Secure disposal




All your staff should securely dispose of paper records by shredding. If you use a provider to erase data and dispose of or recycle your computers, make sure they do it adequately. You may be held responsible if personal data collected by you is extracted from your old equipment if it is resold.

* IT Asset Disposal, ICO

* Safe Computer Disposal, Get Safe Online website


Home and mobile working procedures




Mobile working can involve the storage and transit of personal data outside the secure boundaries of your business. Mobile computing devices (for example, laptops, notebooks, tablets and smartphones) are vulnerable to theft and loss, and there are confidentiality risks when using devices in public places.

You should assess the risks of mobile working (including remote working where mobile devices can connect to the corporate network) and devise a policy that sets out rules for authorising and managing mobile working.

* Home and mobile working in 10 Steps to Cyber Security, GOV.UK website

* Bring your own device (BYOD), ICO


Secure configuration




The default installation of ICT equipment can include vulnerabilities such as unnecessary guest or administrative accounts, default passwords that are well known to attackers, and pre-installed but unnecessary software. These vulnerabilities can provide attackers with opportunities to gain unauthorised access to personal data held in business systems.

You should securely configure (or 'harden') ICT equipment on installation. Maintaining an inventory of ICT equipment will help you to identify and remove unnecessary or unauthorised hardware and software.

* Secure configuration in 10 Steps to Cyber Security, GOV.UK website

* A practical guide to IT security, ICO

* Protecting personal data in online services – Unnecessary services and default credentials, ICO


Removable media




Removable media (for example, CD/DVDs, USB drives, smartphones) is highly vulnerable to theft or loss, and uncontrolled use can lead to data breaches.

Where there is a business need to store personal data on removable media, you should implement a software solution that can set permissions or restrictions for individual devices as well as entire classes of devices. Personal data should be minimised and encrypted.

* Removable media controls in 10 Steps to Cyber Security, GOV.UK website


User access controls




Access to systems holding personal data should be authorised by management, and user permissions restricted to the absolute minimum (or 'least privilege'). You should assign each user their own username and password to ensure accountability.

* User access control in Cyber Essentials Scheme, GOV.UK website

* Managing user privileges in 10 Steps to Cyber Security, GOV.UK website

* Information access management, Get Safe Online website

* Password storage, in Protecting personal data in online services, ICO


System password security




Users' access credentials (eg a username and password or passphrase) are particularly valuable to attackers. A 'brute force' password attack is a common threat so you need to enforce strong passwords, regular password changes, and limit the number of failed login attempts.

You should enable and actively encourage your users to choose a strong password. You can increase the strength and complexity of a password by:

* creating a long password or passphrase;

* using a wide range of characters, such as a mix of uppercase letters, lowercase letters, numbers, punctuation marks and other symbols;

* avoiding the use of dictionary words where possible;

* avoiding simple substitutions such as 'p4$$w0rd'; and

* avoiding the use of patterns derived from the physical keyboard layout (eg 'qwerty' or '1qaz2wsx').

You should also monitor user activity to detect any anomalous use.

Having multiple passwords for different systems can be difficult for staff to remember. However, it is important that passwords are not written down or recorded in accessible locations or in system logs.

You should promptly disable passwords when a user changes duties or leaves the business.
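The following Python sketch is an added example, not part of the original page or of the tool it describes. It applies the rules listed above to a candidate password (minimum length, mix of character classes, dictionary words after undoing simple substitutions such as 'p4$$w0rd', keyboard-layout patterns such as 'qwerty' and '1qaz2wsx') and limits failed login attempts per account. The word list, the 12-character minimum and the 5-failures-per-15-minutes thresholds are assumptions chosen for illustration; a real deployment would use a full dictionary or breached-password list and its own thresholds.

```python
"""Password rules and failed-login throttling (added example; thresholds are assumptions)."""
from __future__ import annotations

import re
import time
from collections import defaultdict

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "football", "dragon", "monkey"}

# Keyboard rows and columns used to spot layout-derived patterns such as 'qwerty' or '1qaz2wsx'.
KEYBOARD_SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                      "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]

# Simple substitutions to undo before the dictionary check, so 'p4$$w0rd' is judged as 'password'.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # of: lowercase, uppercase, digits, other


def normalise_substitutions(password: str) -> str:
    return password.lower().translate(LEET_MAP)


def has_keyboard_pattern(password: str, min_run: int = 4) -> bool:
    """True if any run of `min_run` adjacent keys (either direction) appears in the password."""
    lowered = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(direction) - min_run + 1):
                if direction[i:i + min_run] in lowered:
                    return True
    return False


def check_password(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")
    normalised = normalise_substitutions(password)
    hits = sorted(w for w in COMMON_WORDS if w in normalised)
    if hits:
        failures.append(f"contains dictionary word '{hits[0]}' (after undoing substitutions)")
    if has_keyboard_pattern(password):
        failures.append("contains a keyboard-layout pattern")
    return failures


class LoginThrottle:
    """Lock an account after `max_failures` failed logins within `window` seconds."""

    def __init__(self, max_failures: int = 5, window: float = 900, lockout: float = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures: dict[str, list[float]] = defaultdict(list)  # user -> failure times
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: reset the account's state
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float | None = None) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures[user] if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
        return self.is_locked(user, now)

    def record_success(self, user: str) -> None:
        self._failures[user].clear()
```

The `now` parameter exists so the throttle can be exercised deterministically; in production it is left unset and the monotonic clock is used. Lockout state must be held per account, not per source address, or an attacker who rotates addresses bypasses the limit.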

* Managing user privileges in 10 Steps to Cyber Security, GOV.UK website

* Information access management, Get Safe Online website

* Password storage, in Protecting personal data in online services, ICO


Malware protection




Computers can be infected with malware (for example, viruses, worms, Trojans, spyware) via email attachments, websites and removable media. This can result in the loss or corruption of personal data.

You should install malware protection software to regularly scan your computer network in order to detect and prevent threats. You will need to make sure the software is kept up-to-date and that you educate users about common threats.

* Malware prevention in 10 Steps to Cyber Security, GOV.UK website

* Viruses and spyware, Get Safe Online website


Backup and restoration




You should take regular back-ups to help restore personal data in the event of disaster or hardware failure. The extent and frequency of back-ups should reflect the sensitivity and confidentiality of the personal data, and its criticality to the continued operation of the business.

Ideally, you should keep back-ups in a secure location away from the business premises, and regularly test the restoration of personal data to check the effectiveness of the back-up process.
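As an added example (not code from the original page or from the tool it describes), the Python below shows what a restoration test can look like in practice: the backup is written together with a SHA-256 manifest of every file, then restored into a scratch directory and compared file by file against that manifest. The directory layout, file contents and archive name in `run_demo` are constructed for illustration.

```python
"""Back up a directory with a SHA-256 manifest and verify a test restore (added example)."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def build_manifest(source: Path) -> dict[str, str]:
    """Map each file's path (relative to `source`) to its SHA-256 digest."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> list[str]:
    """Restore into a scratch directory; return the files that are missing, altered or unexpected."""
    manifest = json.loads(manifest_path(archive).read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse entries that escape the target directory where the interpreter supports it.
            extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extract_kwargs)
        restored = Path(scratch) / "data"
        for rel, digest in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(target) != digest:
                problems.append(f"corrupt: {rel}")
        extra = {str(p.relative_to(restored)) for p in restored.rglob("*") if p.is_file()}
        problems.extend(f"unexpected: {rel}" for rel in sorted(extra - set(manifest)))
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed data set: back it up, verify a clean restore, then show a corrupted file being caught."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "personal_data"
        (source / "records").mkdir(parents=True)
        (source / "records" / "customers.csv").write_text("id,name\n1,A. Example\n")  # constructed
        (source / "notes.txt").write_text("retention: 6 years\n")                    # constructed
        archive = root / "backup.tar.gz"
        create_backup(source, archive)
        clean = verify_restore(archive)

        # Simulate a backup whose content no longer matches what was recorded at backup time.
        manifest = json.loads(manifest_path(archive).read_text())
        manifest["records/customers.csv"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(manifest))
        tampered = verify_restore(archive)
    return clean, tampered
```

The manifest should be stored separately from the archive (ideally signed), so that a backup altered at rest cannot also rewrite the record it is checked against.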

* Backups, Get Safe Online website


Monitoring




Monitoring and logging can help your business to detect and respond to external threats and any inappropriate use of information assets by staff.

You should continuously monitor inbound and outbound network traffic to identify unusual activity (for example, large transfers of personal data) or trends that could indicate an attack.

Business systems should be capable of logging user access to systems holding personal data in support of access control policy monitoring and investigations.

Monitoring and logging must comply with any legal or regulatory constraints, including the DPA. For example, you should make staff aware of any monitoring.
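As an added example (not part of the original page or of the tool it describes), the Python below runs three of the checks described in this section over constructed access-log lines from a system that holds personal data: unusually large exports by one user compared with the other users, access outside working hours, and repeated denied access attempts. The log format, the users, and the thresholds (1,000 records, ten times the median, 07:00 to 19:59, three denials) are all assumptions made for the illustration.

```python
"""Anomaly checks over access logs from a system holding personal data (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: ISO timestamp, user, action, record count, result.
SAMPLE_LOG = """\
2019-03-04T09:12:05 alice EXPORT 40 OK
2019-03-04T09:40:11 bob VIEW 1 OK
2019-03-04T10:02:30 alice VIEW 3 OK
2019-03-04T11:15:00 carol EXPORT 55 OK
2019-03-04T13:30:45 bob EXPORT 12000 OK
2019-03-04T23:10:02 dave VIEW 2 OK
2019-03-04T14:05:10 erin VIEW 1 DENIED
2019-03-04T14:05:22 erin VIEW 1 DENIED
2019-03-04T14:05:41 erin VIEW 1 DENIED
2019-03-04T14:06:03 erin VIEW 1 DENIED
"""

EXPORT_THRESHOLD = 1000     # records exported by one user above which we always flag
PEER_MULTIPLIER = 10        # or more than this multiple of the median export volume per user
WORK_HOURS = range(7, 20)   # 07:00 to 19:59; access outside this window is flagged
MAX_DENIED = 3              # denied attempts by one user before flagging


def parse_line(line: str) -> dict:
    ts, user, action, records, result = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "records": int(records), "result": result}


def analyse(log_text: str) -> list[str]:
    """Return human-readable findings for the anomalies in `log_text`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings: list[str] = []
    exported: dict[str, int] = defaultdict(int)
    denied: dict[str, int] = defaultdict(int)

    for e in events:
        if e["result"] == "OK" and e["action"] == "EXPORT":
            exported[e["user"]] += e["records"]
        if e["result"] == "DENIED":
            denied[e["user"]] += 1
        if e["time"].hour not in WORK_HOURS:
            findings.append(f"{e['user']}: access outside working hours at {e['time']:%H:%M}")

    # Compare each user's export volume with the median across users, not just a fixed ceiling,
    # so one account pulling far more than its peers stands out even below the absolute threshold.
    baseline = median(exported.values()) if exported else 0
    for user, total in sorted(exported.items()):
        if total >= EXPORT_THRESHOLD or (baseline and total >= PEER_MULTIPLIER * baseline):
            findings.append(f"{user}: exported {total} records (median across users {baseline:g})")

    for user, count in sorted(denied.items()):
        if count >= MAX_DENIED:
            findings.append(f"{user}: {count} denied access attempts")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data this reports bob's 12,000-record export, dave's 23:10 access and erin's four denied attempts, while alice's and carol's routine exports pass. Because these logs themselves contain personal data (usernames tied to activity), they fall under the same retention and access rules as the systems they monitor.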

* Monitoring in 10 Steps to Cyber Security, GOV.UK website

* Employment code of practice, ICO


Patch management




Most popular software products contain technical vulnerabilities that can be exploited by attackers to gain unauthorised access to personal data held in your systems.

You should use the latest versions of operating systems, web browsers and applications, and ensure these are updated regularly to help prevent the exploitation of unpatched vulnerabilities.

* Patch management in Cyber Essentials Scheme, GOV.UK website

* Software security updates in Protecting personal data in online services, ICO


Boundary firewalls




Attackers can gain unauthorised access to personal data if you do not protect the boundary between your computer network and the internet.

You should install a firewall to monitor and restrict network traffic based on an agreed set of rules. A well configured firewall is your first line of defence against external attack and can help to prevent data breaches, for example, by blocking malware or hacking attempts.

You should also minimise the impact of data breaches by segmenting and limiting access to network components that contain personal data. For example, your web server should be separate from your main file server. If your website is compromised then the attacker will not have direct access to your central data store.

* Network security in 10 Steps to Cyber Security, GOV.UK website

* Inappropriate locations for processing personal data in Protecting personal data in online services, ICO

* Employment code of practice, ICO


Checklist Overview


Your business has established a process to identify, assess and manage information security risks. Your business ensures information security risks are assessed and appropriately managed.
Senior management has approved and published an appropriate information security policy. Your business provides management direction and support for information security in accordance with business needs and relevant laws and regulations.
Your business has defined and allocated information security responsibilities. Your business has established a management framework to coordinate and review the implementation of information security.
Your business has established written agreements with third party service providers that include appropriate information security conditions. Your business ensures the protection of personal data that is accessed by suppliers and providers.
Your business has established a process to report and recover from data security breaches. Your business ensures the management of data security breaches, including communication of information security events and weaknesses.
Your business has established regular information security awareness training for all staff. Your business ensures that employees and contractors are aware of and fulfil their information security responsibilities.
Your business has established entry controls to restrict access to premises and equipment on a need-to-know basis. Your business prevents unauthorised physical access, damage and interference to personal data.
Your business has established secure storage arrangements to protect records and equipment. Your business prevents loss, damage, theft or compromise of personal data.
Your business has sought prior written authorisation from the data controller before engaging the services of a sub-processor.
Your business has established a process to securely dispose of records and equipment when no longer required.
Your business has established a mobile working policy. Your business ensures the security of mobile working and the use of mobile computing devices.
Your business has established a process to configure new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.
Your business has established controls to manage the use of removable media. Your business prevents unauthorised disclosure, modification, removal or destruction of personal data stored on media.
Your business has established a process to assign user accounts to authorised individuals, and to manage user accounts effectively to provide the minimum access to information. Your business limits access to personal data held in information systems.
Your business has established appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.
Your business has established effective anti-malware defences to protect computers from malware infection. Your business ensures that personal data is protected against malware.
Your business has established a process to log and monitor user and system activity to identify and help prevent data breaches. Your business records events and generates evidence.
Your business has established a process to ensure software is kept up-to-date and the latest security patches are applied. Your business prevents the exploitation of technical vulnerabilities.
Your business has established boundary firewalls to protect computers from external attack and exploitation. Your business ensures the protection of personal data in networks.

© 2019 The Document Warehouse UK Ltd