Customer Data Protection
Whenever someone mentions data security, people's eyes glaze over, yet the Data Protection Act 1998 matters not only to businesses but to people generally.
Do not worry, this report will not go into the depths of the Data Protection Act; rather, we would like to concentrate on what you can do to safeguard your own information and your clients' data.
This report applies to everybody in business, whether you are a one-person band with client contact details stored on your mobile phone, a shop owner who does or does not need to comply with PCI DSS, or a multinational corporation. If you hold data about your organisation and/or your customers anywhere (even on paper), then this applies to you!
First Thoughts on Safety Considerations
As Microsoft Windows has developed, one of the critical issues Microsoft has attempted to solve is that of security. With Windows 10 they have taken a leap forward in protecting your data.
Many people appear to have focused on the wording of the licence for Windows 10 and what it allows Microsoft to do (eliminating counterfeit software, etc.). The truth is that if you are in business and your systems run pirated software, you are opening yourself up to data loss in a major way.
Pirated software usually has added code inside that allows attackers to gain access to a system and therefore to your information.
While we are on cloud-based systems, it is worth remembering that unless you encrypt the information you store in the cloud yourself, the odds are it could end up in the wrong hands regardless of how security conscious the vendor is. New hardware is already being developed that will look after this for you, but it is not here yet, so be warned.
We will come back to security a little later, after we have looked at the penalties you could incur by not taking data security seriously.
This is all about BIG companies, isn't it?
Throughout this article I will drop in a couple of rulings from the ICO that show how important it is to take these problems seriously. This is not an attempt to frighten you, nor is it a marketing ploy of any kind; many individuals feel that getting "caught out" will not happen to them, but in fact it can happen to anyone who does not take reasonable steps to secure their data.
Here are some recent rulings detailing actions taken in the UK by the Information Commissioner's Office:
Date: 16 April 2015. Form: Prosecutions
And here is another:
The organisation behind Manchester's annual festival, the Parklife Weekender, has been fined £70,000 after sending unsolicited marketing text messages.
The text was sent to 70,000 people who had purchased tickets to last year's event, and appeared on the recipients' mobile phones to have been sent by "Mum".
Let us look at the easiest way in which you can secure your data. Forget expensive pieces of hardware; they can be circumvented if the core principles of data security are not addressed.
Education is by far the simplest way to protect the data on your computers and therefore on your network. This means taking time to train your employees and updating them on a regular basis.
Here’s what we found – shocking practices
In 2008 we were asked to carry out an IT audit on an organisation, nothing unusual, except that a week before the date of the audit I received a telephone call from a senior person in that business. The call went something like this:
"We did not mention before that we've had our suspicions about a member of staff in a position of authority. He appears to have had an extremely intimate relationship with the IT business that now supports us. We also suspect he has been finishing work not associated with our organisation using the computer in his office. After we told him about the upcoming IT audit he became agitated, and the more insistent we were that he must comply, the more agitated he became."
This resulted in this person's PC being the subject of an all-but-forensic review; apart from an unlicensed game, we found nothing, and believing that the information we were looking for may have been deleted, we carried out a data recovery on the disk.
The results caused consternation and required us to speak to the ICO. We discovered a lot of very sensitive information which did not belong on that drive. It looked like it had been there for a while, and most of it was not recoverable, suggesting it had been deleted some time ago.
As it turned out, the disk drive had been replaced several months earlier and the IT firm had used the drive as a temporary data store for another company's information.
It just goes to show that formatting a drive and then reusing it will not remove all of the previous data. No action was taken other than a slapped wrist for the IT company for poor practices.
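The point that a format does not remove the previous data is easy to demonstrate. The following Go program is an added example written for this article, not code from the audit or from any vendor; it assumes a toy disk layout (an allocation table in the first two blocks, file contents in the rest) that stands in for a real filesystem. A quick format clears only the table, and a carving scan that ignores the table still finds the old record; only overwriting every block leaves nothing to recover.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Toy disk layout (an assumption made for this example): the first tableBlocks
// blocks hold the allocation table (file name plus starting block), the
// remaining dataBlocks blocks hold file contents.
const (
	blockSize   = 64
	tableBlocks = 2
	dataBlocks  = 14
)

// Disk is a raw image plus a pointer to the next free data block.
type Disk struct {
	image []byte
	next  int
}

// NewDisk returns an empty, zero-filled image.
func NewDisk() *Disk {
	return &Disk{image: make([]byte, blockSize*(tableBlocks+dataBlocks)), next: tableBlocks}
}

// WriteFile records "name@block;" in the allocation table and copies the
// payload into consecutive data blocks.
func (d *Disk) WriteFile(name string, payload []byte) error {
	needed := (len(payload) + blockSize - 1) / blockSize
	if d.next+needed > tableBlocks+dataBlocks {
		return fmt.Errorf("disk full")
	}
	table := d.image[:tableBlocks*blockSize]
	entry := []byte(fmt.Sprintf("%s@%d;", name, d.next))
	pos := bytes.IndexByte(table, 0)
	if pos < 0 || pos+len(entry) > len(table) {
		return fmt.Errorf("allocation table full")
	}
	copy(table[pos:], entry)
	copy(d.image[d.next*blockSize:], payload)
	d.next += needed
	return nil
}

// QuickFormat does what a quick format does: it clears only the allocation
// table. The operating system now reports an empty drive, but every data
// block still holds whatever was written before.
func (d *Disk) QuickFormat() {
	table := d.image[:tableBlocks*blockSize]
	for i := range table {
		table[i] = 0
	}
	d.next = tableBlocks
}

// SecureWipe overwrites every block of the image (a single zero pass here;
// real tools use the drive's secure-erase command or several passes) and then
// resets the table, so nothing is left for a recovery tool to find.
func (d *Disk) SecureWipe() {
	for i := range d.image {
		d.image[i] = 0
	}
	d.next = tableBlocks
}

// CarveStrings ignores the allocation table entirely and scans the data area
// for runs of printable ASCII of at least minLen bytes, the way a file-carving
// recovery tool does.
func (d *Disk) CarveStrings(minLen int) []string {
	var found []string
	var run []byte
	flush := func() {
		if len(run) >= minLen {
			found = append(found, string(run))
		}
		run = run[:0]
	}
	for _, b := range d.image[tableBlocks*blockSize:] {
		if b >= 0x20 && b <= 0x7e {
			run = append(run, b)
		} else {
			flush()
		}
	}
	flush()
	return found
}

// ContainsCarved reports whether any carved string contains needle.
func ContainsCarved(carved []string, needle string) bool {
	for _, s := range carved {
		if strings.Contains(s, needle) {
			return true
		}
	}
	return false
}

func main() {
	d := NewDisk()
	// Constructed sample record; not real account data.
	_ = d.WriteFile("payroll.csv", []byte("ACCOUNT 12345678 SORT 40-11-22 SALARY 54000"))
	d.QuickFormat()
	fmt.Println("after quick format:", d.CarveStrings(8))
	d.SecureWipe()
	fmt.Println("after secure wipe: ", d.CarveStrings(8))
}
```

The lesson for the IT firm in the story is the `SecureWipe` step: before a drive is reused for another client, or leaves the building, every block has to be overwritten (or the drive physically destroyed), because a format only forgets where the files were.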
So who should be educated?
The best way to demonstrate the value of data protection is top-down learning sessions, where senior management is trained first, followed by junior management, followed by the staff. That way it is obvious to management as well as to staff that data protection is not something that one person does; it is in fact the obligation of every employee in an organisation.
A data breach will affect everyone within the company, not only the individual responsible but also those ultimately accountable.
The training is not lengthy or difficult, but it needs to be delivered by an authority in the field or a company whose expertise is beyond doubt.
In-house training on this topic is not recommended, as it is only an outsider who will not be taken lightly and who will have the third-party credibility needed to convey the importance of the situation.
Information Security is Everybody’s business
Information Security Awareness Training: here is what should be covered:
Provide an easy-to-use online 40-minute data security awareness training course for your employees to log on to and learn best information security practices from.
Teach workers, in easy non-technical language, how and why hackers hack.
Instruct workers in the best ways of protecting your systems and the sensitive information you process.
Explain workers' inherent responsibilities for protecting your company information and for identifying and reporting suspicious activity.
To provide this information efficiently and effectively, an information security threat and risk assessment needs to be completed.
A decent threat and risk assessment should answer the following questions:
What do I want to safeguard and where is it located?
What is the value of the information to the enterprise?
What other vulnerabilities are linked to the systems processing or storing this information?
What is the harm to the company if this information were compromised? The assessment defines exactly what your company needs to protect, where it is located, and why you need to protect it, in actual cost impact terms that everyone can understand.
In a number of instances, the calls resulted in older people being duped into paying for boiler insurance they did not need.
In plain English, make it quite clear to every employee within the company exactly what their responsibilities are for the information within their reach on a daily basis; explain how to protect it, explain why it needs to be protected, and point out the consequences to the company of not doing so.
Most untrained employees would likely feel that data security has little or nothing to do with them; however, if a data breach happened the business could lose customers when the news hits the media, which may result in layoffs due to lost business. It really does fall on everybody in the organisation, from cleaning staff to the CEO, to take responsibility.
This topic is not something that any training business can deliver correctly. You really should work with actual security experts: companies which are highly qualified and well experienced.
Regrettably, in the IT industry many people and companies have presented themselves as IT security gurus, and many are just scaremongers with an agenda. They wish to sell one service whether you need it or not.
However, there are a number of very well qualified, genuinely helpful professional businesses out there.
In 2011 I was lucky enough to be at eCrimes Wales when Richard Hollis of the RISC Factory spoke. His presentation spoke to the crowd in a way that few others did that day, and it established him in this writer's mind as my go-to person in Britain on data security issues.
Why do I rate Rich so highly? Well, his background is intriguing to say the least; a background in support for the NSA means he knows what he is doing and has more knowledge in this field than the average Joe. It also means that where other IT security specialists see a problem, Rich sees the bigger picture.
Obviously many other companies offer similar services, and in the present economic climate it is better to shop around if you want to.
First of all, watch and re-watch the video (linked below) and find its second part on YouTube; watch that as well. Take notes during the video, get those measures planned out in your mind, and answer the critical questions about your organisation, data and security.
You can begin protecting your business data from external threats for two or three hundred GB pounds by installing the right sort of firewall, with cloud-based updates 24/7.
Quality anti-virus with built-in anti-malware does not need to cost the company a fortune, but take advice. A number of these products slow down the computer system so much that they have a negative effect on performance. One of the most famous of them (starting with N) is often sold in high street electronics, stationery and consumer products shops as "the best"; actually it has the best profit margin rather than being the best product, it slows down the system, and it needs a special piece of software to remove it completely!
Store sensitive information in an encrypted area of a RAID storage drive system with restricted access control. A NAS drive is a cheap and efficient way of achieving this.
Do not store sensitive information on cloud-based systems such as Dropbox. Sure, it is cheap and simple to use, so if you are passing non-critical data such as images, logos and promotional material, great! If you are passing your accounts to your accountant, or a brand new product schematic to a machine tooling company etc., use something else which has better security.
Nothing personal against Dropbox and similar products such as Microsoft OneDrive, but both have been hacked before. Even though their security has been enhanced dramatically, you ought not to take the risk.
Finally, take advice from real professionals when you have any questions. People like Richard Hollis have committed their careers to security. As they park outside a business for a meeting they have already analysed several security considerations automatically. When they walk through the front door they make a dozen calculations and risk assessments before they even sit down and speak to you about your concerns.
Layers: security is about a layered approach. Think of it as an onion. Here is an example at a physical level from a company that I used to work for several years back.
As you entered the building you could not get past reception unless they "buzzed you through" the security barriers in the reception area. These were swipe-card controlled for staff.
Swipe cards for employees allowed them access only to those areas they were authorised to enter; so, for example, only IT support staff and a few programmers had access to the server room. Notice here that, unlike some businesses, the cleaner did not have access to the server room or to the programmers' work area.
At an electronic level, all crucial systems were duplicated with separate power: backup power from a generator, which in turn was backed up by a UPS system.
Firewalls separated the various LANs, and the inside of the business from the outside. Each department ran on its own LAN, with links between LANs only for those people who absolutely needed them.
It is possible to continue to lower levels of security, such as making sure all USB drives are encrypted so that they can only be used to transfer data between the business's own PCs.
These types of security measures are really quite easy to achieve; they are not rocket science, nor do they have to cost you an absolute fortune.
If you are in the United Kingdom, consider the Cyber Essentials scheme, the government initiative to get companies to a minimum standard to protect information. This is worthwhile studying; during the recent NHS attack, none of the NHS Trusts that had completed and been certified to the Cyber Essentials standard were penetrated.
One last thing: May 28th 2018 will see GDPR replace the Data Protection Act, and companies within the UK will have to be prepared for the change, so do not wait.