Where to start with “A Practical approach to Data Protection”
Customer Data Protection
When someone says data protection people’s eyes glaze over, it’s understandable that the data protection act of 1998 is important not just to businesses but the public in general. The Data Protection Act will however, be replaced in 2018 by GDPR.
Don’t worry, this article is not going to depths on the data protection act, instead we want to focus on what you can do to protect your data and the clients data.
This article applies to everyone in business no matter if you are a one man band with client contact details held on your mobile phone, a shop owner who does or does not have to comply with PCI DSS or a multi-national corporation. If you have data about your business and/or your clients held anywhere (even on paper) then this applies to you!
First Thoughts on Security Considerations
As Microsoft Windows has developed, one of the key issues that Microsoft has tried to resolve is that of security. With Windows 10 they have taken a leap forward in protecting your data.
Many people seem to have focused on the working of the licence for Windows 10 and what it allows Microsoft to do; removing counterfeit software etc. Is this wrong? Of course not. In fact if you are in business and your systems have counterfeit software you are opening yourself up to data loss in a big way.
Pirated software usually has additional code in it that allows hackers to gain access to your system and therefore your data. With Cloud Based services these days, using legitimate software should be easier than ever, after all the monthly cost of a copy of Office 365 is a pittance.
Whilst we are on Cloud Based systems, it is worth remembering that unless you encrypt your data on the cloud then chances are it could end up in the wrong hands no matter how security conscious the vendor is. New hardware is already being developed that will take care of this for you, but it isn’t here yet, so be warned.
We will come back to security a little later after we have looked at the severe fines that you could incur by not taking Data Security seriously.
This is about BIG companies isn’t it?
No, definitely not, your companies data security is the responsibility of everyone in your company. Failing to comply can be costly in more than just monetary terms.
Throughout this article I will drop in a few rulings from the ICO that demonstrate how important it is to take these issues seriously. This is not an attempt to scare you, neither is it a marketing ploy of any sort; many people believe that getting “caught out” will never happen to them, in fact it can happen to anyone who doesn’t take reasonable steps to protect their data.
Here some recent rulings detailing action taken in the United Kingdom by the Information Commissioners Office:
Date 16 April 2015 Type:ProsecutionsA recruitment company has been prosecuted at Ealing Magistrates Court for failing to notify with the ICO. Recruitment company pleaded guilty and was fined £375 and ordered to pay costs of £774.20 and a victim surcharge of £38.
and here’s another:
Date 05 December 2014 Type:Monetary penaltiesThe company behind Manchester’s annual festival, the Parklife Weekender has been fined £70,000 after sending unsolicited marketing text messages.
The text was sent to 70,000 people who had bought tickets to last year’s event, and appeared on the recipients’ mobile phone to have been sent by “Mum”.
Let’s look at the simplest way in which you can protect your data. Forget expensive pieces of hardware, they can be circumnavigated if the core principles of data protection are not addressed.
Education is by far the easiest way to protect data on your computer’s and therefore in your network. This means taking time to educate the staff and updating them on a regular basis.
Here’s what we discovered – shocking practices
In 2008 we were asked to perform an IT audit on an organisation, nothing unusual, except that a week before the date of the audit I received a phone call from a senior person in that organisation, the call went something like this:-
“We didn’t mention before that we have had our suspicions about a member of staff in a position of authority. He seems to of had a very close relationship with the IT company that currently supports us. We also suspect that he has been completing work not related to our organisation using the computer in his office. When we told him about the up-coming IT audit he became agitated and the more insistant we were that he should comply, the more agitated he became”.
This resulted in this individuals computer being the subject of an all but forensic inspection, apart from an un-licenced game, we found nothing and believing that the information we were looking for may have been deleted we performed a data recovery on the disk drive.
The results caused consternation and required us to contact the ICO. We found a lot of very sensitive data that did not belong on that drive. It looked as though it had been there for some time and most of it was not recoverable suggesting it had been removed a good while ago.
As it turned out the disk drive had been replaced several months before and the IT company had used the drive as a temporary data store for another companies data. They formatted the drive and put the new operating system on thinking nothing of it.
It just goes to show that formatting a drive and then using it for months won’t remove all the previous data. No action was taken other than a slapped wrist for the IT firm for poor practices.
So who should be trained?
The best way to demonstrate the importance of data protection is by using top-down learning sessions where management is trained first, followed by junior management followed by the staff. In this way it’s obvious to management as well as the staff the data protection is not something that one person does it is in fact the duty of every employee within a company.
A data breach will affect everybody within the company not just the person responsible but, those ultimately responsible as well.
The training is not lengthy or difficult, but it should be provided by an expert in the field or a company whose expertise is beyond doubt.
In-house training on this subject is not recommended as it is only an outsider who will be taken seriously and who will have the 3rd party credibility required to enforce the importance of the issue.
Information Security is everyone’s business
Information Security Awareness Training: Here’s what should be covered:
- Provide an easy-to-use online 40 minutes information security awareness training course for your employees to log on and learn best information security practices from.
- Provide best practice course content of your compliance requirements.
- Teach employees in simple non-technical language, how and why hackers hack.
- Instruct employees in the best methods of protecting your systems and the sensitive information you process.
- Explain employee inherent responsibilities for protecting your business information and identifying and reporting suspicious activity.
- Supply this information efficiently and effectively, an information security threats risk assessment should be completed.
A good threats and risk assessment should answer the following questions:
- What do I need to protect and where is it located?
- What is the value of this information to the business?
- What other vulnerabilities are associated with the systems processing or storing this information?
- What are the security threats to the systems and the probability of their occurrence?
- What would be the damage the business if this information were compromised?
- What should be done to minimise and manage the risks?
Answering the questions above, is the first and most crucial step in information security risk management. It identifies exactly what your business needs protect and where it’s located and why you need to protect it in real cost impact terms that everyone should understand.Don’t end up like these guys:
Date 22 December 2014 Type:Monetary penaltiesThe Information Commissioner’s Office (ICO) has fined a marketing company based in London £90,000 for continually making nuisance calls targeting vulnerable victims. In several cases, the calls resulted in elderly people being tricked into paying for boiler insurance they didn’t need.
In plain English, make it very clear to every employee within the company exactly what their responsibilities are to the data that is within their grasp on an everyday basis, explain how to protect it, explain why we need to protect it and point out the consequences to the business of not doing so.
Most un-trained employees would probably think that data protection has little or nothing to do with them; but, if a data breach occurred the company could lose business when the news hits the press, that may lead to lay offs due to lost business. It really does fall on everyone in the company from cleaning staff to the CEO to take responsibility.
Who should deliver the training?
This topic is not something that any training company can deliver correctly. You really need to work with real security experts, companies that are highly qualified and well experienced.
Unfortunately, in the IT industry many individuals and companies have presented themselves as IT Security Guru’s and most are just scare mongers with an agenda. They want to sell one specific service no matter if you need it or not.
However, there are some very well qualified, genuinely helpful professional companies out there.
In 2011 I was fortunate enough to be at the eCrimes Wales when Richard Hollis from the RISC Factory spoke. His presentation spoke to the audience in a way that few others did that day, it established him in this authors mind as my go to person in the UK on data security issues. I managed to grab a quick word with him during a break and he was really helpful.
Why do I rate Rich so highly? Well his background is interesting to say the least, a background in service for the NSA means he knows what he’s doing and has more knowledge in this area than the average Joe. It also means that where other IT Security experts see an issue, Rich sees a much bigger picture.
Of course many other companies offer similar services and in the current economic climate it is good to shop around if you need to.
Getting started
First of all, watch and re-watch the video (linked below) and find it’s second part on YouTube, watch that as well. Take notes during the video and get those steps planned out in your mind, answer the key questions about your company, data and security.
Next, speak with your IT department if you have one, your IT support company if you don’t and see if they have any cost effective idea’s that you can implement without impacting on your IT budget too heavily.
You can start protecting your company data from outside sources for a couple of hundred GB pounds by installing the right kind of Firewall, with cloud based updates 24/7.
Quality Anti-Virus with built in Anti-Malware doesn’t have to cost the company a fortune either, but again, take advice. Many of these products slow the computer system down so much that they have a negative impact on performance. One of the most famous of these (beginning with N) is often sold in High Street electronics, stationary and consumer goods stores as being “the best”; in fact it is the best profit margin and not the best product, it slows the system down and needs a special piece of software to remove it completely!
Store sensitive data in an encrypted area of a RAID storage drive system with restricted access control. A NAS drive is a cheap and effective way of achieving this.
Don’t store sensitive data on Cloud Based systems like Dropbox, sure it’s cheap and easy to use, so if you are passing none critical data such as graphics, logo’s and promotional material; great! If you are passing your accounts to your accountant, a new product schematic to a machine tooling company etc. – use something else that has better security.
Nothing personal against Dropbox and similar products, but like Microsoft OneDrive as it is now both have been hacked in the past. Although the security has been improved dramatically, you should not take the risk.
Finally take advice from real experts when you have any doubts. People like Richard Hollis have dedicated their careers to security. As they park up outside a company for a meeting they have already analysed several security considerations automatically. When they walk through the front door they make a dozen more calculations and risk assessments. All before they even sit down and talk to you about your concerns.
Layers: Security is all about a layered approach. Think of it as an Onion. Here’s an example at a Physical level for a company that I used to work for many years ago.
As you entered the building you could not get past reception unless they “Buzzed you through” the security barriers in the reception area. These were swipe card controlled for staff.
Swipe cards for staff allowed them access only to those areas they were authorised to enter; so for example only IT support staff and some developers had access to the server room. Note here that unlike some companies the cleaner did not have access to the server room or to the developers area of work.
Get the idea?
On an electronic level, all critical systems were duplicated with independent power, backup power from a generator that had backup power from a UPS system.
Firewalls separated the different LANs and the inside from the outside of the company. Each department ran on its own LAN with connections between LANs for only those people who absolutely needed them.
You can carry on to much lower levels of protection like making sure that all USB drives are encoded and encrypted so that they can only be used to move data between the companies own PC’s.
These sorts of security measures are actually very simple to achieve, they are not rocket science, nether do they have to cost you an absolute fortune.
Remember – Plan, Do, Check, Act – repeat as required. But always get advice from professionals. Believe me, the kid next door who builds his own computers and sells them doesn’t know enough about the threats to your company.
If you are in the UK, consider undertaking Cyber Essentials the government scheme to get businesses to a minimum standard to protect data. This is seriously worth while looking at; during the recent NHS attack, none of the NHS Trusts that had completed and been certified Cyber Essentials standard establishments were penetrated.
We trust that you have found this article interesting, please tell your friends.
One final thing, May 28th 2018 will see GDPR replace the data protection act and businesses within the UK will need to be ready for the change, don’t wait. Get started today.