If you have personal data within your IT system you need to take appropriate technical measures to secure it. The measures you put in place should fit the needs of your particular business. However, they don’t have to be expensive or time consuming. Hopefully, the practical steps in this guide from the ICO will help you decide how best to manage the security of the personal data you hold.
1. Assess the threats and risks to your business
Before you can determine the right level of security for your business you will need to review the personal data you hold and assess the risks to that data.
As part of this, consider all the processes that require you to collect, store, use and dispose of personal data. Include how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there were a security breach.
2. Get certified with Cyber Essentials
There is no single product that will provide a complete guarantee of security for your business.
The ICO recommends using a set of security controls that complement each other. Be aware they will require ongoing support in order to maintain an appropriate level of security.
The UK Government’s Cyber Essentials Scheme describes the following five key controls for keeping information secure. Obtaining a Cyber Essentials certificate can provide certain security assurances and help protect personal data in your IT systems.
The key areas covered by Cyber Essentials are:
Boundary firewalls and internet gateways
· This will be your first line of defence against an intrusion from the internet.
· A well configured firewall can stop breaches happening before they penetrate your network.
· An internet gateway can prevent users within your organisation accessing websites or other online services that present a threat or that you do not trust.
Secure configuration
· Remove unused software and services from your devices to reduce the number of potential vulnerabilities.
· Older versions of some widely used software have well documented security vulnerabilities. If you don’t use it, it is safer to remove it than to try to keep it up-to-date.
· Make sure you have changed any default passwords used by software or hardware – these are well known by attackers.
Access control
· Restrict access to your system to users and sources you trust. Each user must have and use their own username and password.
· Each user should use an account that has permissions appropriate to their role within the business.
· You should also only use administrator accounts when strictly necessary (e.g. for installing known and trusted software).
· A brute force password attack is a common method of security breach, and the attacker could even be a casual user trying to access your Wi-Fi. You therefore need to enforce strong passwords, limit the number of failed login attempts and enforce regular password changes.
· Passwords or other access should be cancelled immediately if a staff member leaves the organisation or is absent for long periods.
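Limiting failed login attempts only helps if you can see them. The script below is an added example, not part of the ICO guidance: it reads authentication log lines (constructed here in the OpenSSH "Failed password" format), counts failures per source address inside a sliding time window, and flags sources that cross a threshold, also noting when one source is cycling through many usernames. The threshold and window are illustrative assumptions, not figures from the guide.

```python
"""Flag brute-force login activity in authentication logs.

Added illustration for the access-control advice above; not ICO code.
The log lines are constructed samples in OpenSSH's 'Failed password' format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source fails five times in seconds with several
# usernames; another source fails twice, twenty minutes apart, then succeeds.
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-03-04T09:00:03 sshd[1201]: Failed password for invalid user root from 203.0.113.5 port 51023 ssh2
2024-03-04T09:00:04 sshd[1203]: Failed password for alice from 198.51.100.7 port 40110 ssh2
2024-03-04T09:00:06 sshd[1201]: Failed password for invalid user test from 203.0.113.5 port 51024 ssh2
2024-03-04T09:00:09 sshd[1201]: Failed password for invalid user guest from 203.0.113.5 port 51025 ssh2
2024-03-04T09:00:12 sshd[1201]: Failed password for bob from 203.0.113.5 port 51026 ssh2
2024-03-04T09:00:30 sshd[1203]: Accepted password for alice from 198.51.100.7 port 40111 ssh2
2024-03-04T09:20:00 sshd[1210]: Failed password for alice from 198.51.100.7 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10),
                      spray_users=3):
    """Return {source_ip: {"failures": n, "users": [...], "spray": bool}}
    for every source with at least `threshold` failures inside any sliding
    `window`. "spray" marks a source trying `spray_users` or more accounts,
    which a per-account lockout alone would not catch."""
    recent = defaultdict(deque)   # source -> (timestamp, user) still in window
    flagged = {}
    for ts, src, user in parse_failures(log_text):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # age out old failures
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            flagged[src] = {"failures": len(q), "users": users,
                            "spray": len(users) >= spray_users}
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        kind = "password spraying" if info["spray"] else "brute force"
        print(f"{src}: {info['failures']} failures, {kind}, accounts {info['users']}")
```

Run against a real log, the flagged sources are what a firewall block or an account lockout should act on; the sliding window matters because a slow attacker spreading attempts over hours never trips a fixed per-minute counter, which is why the window is a parameter here.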
Malware protection
· You should have anti-virus or anti-malware products regularly scanning your network to prevent or detect threats.
· You will also need to make sure they are kept up-to-date, switched on and monitoring the files that they should be.
· You should also make sure you receive and act upon any alerts issued by the malware protection.
Patch management and software updates
· Computer equipment and software need regular maintenance to keep them running smoothly and to fix any security vulnerabilities.
· Security software such as anti-virus and anti-malware needs regular updates in order to continue to provide adequate protection.
· Keep your software up-to-date by checking regularly for updates and applying them. Most software can be set to update automatically.
· If your system is a few years old, you should review the protection you have in place to make sure that it is still adequate.
3. Secure your data in the office
· The physical security of equipment is important to consider as devices containing personal data could be stolen in a break-in or lost whilst away from the office.
· Ensure that personal data on your systems is protected against these types of threats.
· Prevent or limit the severity of data breaches by separating or limiting access between your network components. If you can confine the processing of personal data to a specific section of your network you may be able to reduce the scope of the required security measures.
· Ensure that the same level of security is applied to personal data on devices being used away from the office.
· Many data breaches arise from the theft or loss of a device (e.g. laptop, mobile phone or USB drive) but you should also consider the security surrounding any data you send by email or post.
· Allowing untrusted devices to connect to your network or using work devices on untrusted networks outside your office can also put personal data at risk.
· Increase the physical security of your office including storing your servers in a separate room with added protection.
· Back-up devices, CDs and USB drives should not be left unattended and should be locked away when not in use.
· Ensure that personal data is either not on the device in the first place or that it has been appropriately secured so that it cannot be accessed in the event of loss or theft.
· Good access control systems and encryption will help. Encryption is a means of ensuring that data can only be accessed by authorised users. Typically, a (strong) password is required to ‘unlock’ the data.
· Encryption comes in many different forms and offers protection under different circumstances.
• Full disk encryption means that all the data on the computer is encrypted.
• File encryption means that individual files can be encrypted.
• Some software offers password protection to stop people making changes to the data but this may not stop a thief reading the data.
· Make sure you know exactly what protection you are applying to your data.
· Some mobile devices support a remote disable or wipe facility. This allows you to send a signal to a lost or stolen device to locate it and, if necessary, securely delete all data. Your devices will normally need to be pre-registered to use a service like this.
· If you permit employees or other users to connect their own devices to your network you will be increasing the range of security risks and these should also be addressed with a policy on Bring Your Own Device (BYOD).
4. Secure your data in the cloud
· There is a wide range of online services, many incorporated within today’s smartphones and tablets, that require users to transfer data to remote computing facilities, or “The Cloud”.
· Processing data in the cloud represents a risk because the personal data for which you are responsible will leave your network and be processed in those systems managed by your cloud provider.
· Therefore, you need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.
· Make sure you know what data is being stored in the cloud and the geographical location of those servers. Current computing devices, especially those targeted at consumers, can have cloud backup or sync services switched on by default.
· Consider the use of two factor authentication especially for remote access to your data in the cloud.
5. Back up your data
· If you were to suffer a disaster such as fire, flood or theft you need to be able to get back up and running as quickly as possible.
· Loss of data is also a breach of the DPA.
· Malware can also disrupt the availability of access to your data. Known as ‘ransomware’ this type of malware can encrypt all your data and only provide you with the means to decrypt the data after payment of a ransom.
· You need to have a robust data backup strategy in place to protect against disasters but also malware, such as ransomware.
· Back-ups should not be stored in a way that makes them permanently visible to the rest of the network. If they are then they can be encrypted by malware or the files accidentally deleted.
· At least one of your back-ups should be off-site.
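A backup only protects you if it can be restored, and if you can tell that it has not been altered since it was taken. The script below is an added example, not part of the ICO guidance: it archives a directory, records a SHA-256 for the archive and for every file inside it, restores the archive into a scratch directory to prove the files come back intact, and prunes old copies beyond a retention count. The directory layout, file contents and retention count are constructed for the demonstration.

```python
"""Back up a directory, record what it should contain, and prove it restores.

Added example for the backup advice above; it is not part of the ICO
guidance. Paths, file contents and the retention count are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _inventory(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, dest, keep=3):
    """Write backup-NNNNNN.tar.gz plus a JSON manifest into dest, then prune
    everything older than the newest `keep` archives. Returns both paths."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    existing = sorted(dest.glob("backup-*.tar.gz"))
    seq = int(existing[-1].name[7:13]) + 1 if existing else 1
    archive = dest / f"backup-{seq:06d}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest_path = dest / f"backup-{seq:06d}.json"
    manifest_path.write_text(json.dumps({
        "created": datetime.now(timezone.utc).isoformat(),
        "archive_sha256": _sha256(archive),   # detects later tampering
        "files": _inventory(src),             # what a restore must reproduce
    }, indent=2))
    for old in sorted(dest.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        (dest / (old.name[:-len(".tar.gz")] + ".json")).unlink(missing_ok=True)
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Restore into a scratch directory and compare every file's hash with the
    manifest. Returns (ok, list_of_problems)."""
    manifest = json.loads(Path(manifest_path).read_text())
    if _sha256(archive) != manifest["archive_sha256"]:
        return False, ["archive hash mismatch (corrupted or tampered)"]
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # blocks path traversal
                except TypeError:              # Python without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = _inventory(Path(scratch))
    problems = []
    for name, digest in manifest["files"].items():
        if name not in restored:
            problems.append(f"missing after restore: {name}")
        elif restored[name] != digest:
            problems.append(f"content differs after restore: {name}")
    for name in restored.keys() - manifest["files"].keys():
        problems.append(f"unexpected file in archive: {name}")
    return not problems, problems


def demo(keep=2):
    """Constructed end-to-end run: back up, verify, tamper, re-verify, rotate."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "notes").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes" / "todo.txt").write_text("constructed note\n")
        dest = Path(tmp, "backups")
        out = {}
        archive, manifest = create_backup(src, dest, keep=keep)
        out["clean_ok"], out["clean_problems"] = verify_backup(archive, manifest)
        with open(archive, "ab") as f:        # simulate corruption or malware overwrite
            f.write(b"garbage")
        out["tampered_ok"], out["tampered_problems"] = verify_backup(archive, manifest)
        for _ in range(keep + 1):             # prove old archives are pruned
            create_backup(src, dest, keep=keep)
        out["archives_kept"] = len(list(dest.glob("backup-*.tar.gz")))
        out["manifests_kept"] = len(list(dest.glob("backup-*.json")))
    return out


if __name__ == "__main__":
    print(demo())
```

The manifest is worth copying to the off-site location alongside the archive: an attacker or ransomware that can rewrite the archive on a permanently mounted share can rewrite a manifest stored next to it too, so the hash you compare against should live somewhere the production network cannot modify.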
6. Train your staff
· Your employees may have a limited knowledge of cyber security but they could be your final line of defence against an attack.
· Accidental disclosure or human error is also a leading cause of breaches of personal data. This can be caused by simply sending an email to the incorrect recipient or opening an email attachment containing malware.
· Employees at all levels need to be aware of what their roles and responsibilities are.
· Train your staff to recognise threats such as phishing emails and other malware, and alert them to the risks involved in posting information relating to your business activities on social networks.
· Encourage general security awareness within your organisation. A security aware culture is likely to identify security risks.
· Keep your knowledge of threats up-to-date by reading security bulletins or newsletters from organisations relevant to your business.
7. Be aware of current issues
· Cyber criminals or malware can attack your systems and go unnoticed for a long time.
· Many people only find out they have been attacked when it is too late even though the warning signs were there.
· Check your security software messages, access control logs and other reporting systems on a regular basis.
· Act on any alerts that are issued by these monitoring services.
· Have the ability to check what software or services are running on your network.
· Be able to identify if there is something there which should not be.
· Run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities – make sure you address any vulnerabilities identified.
8. Make sure you have suitable procedures in place
· Good, well written policies will enable you to address the risks in a consistent manner; they should be integrated into current business processes.
· Some organisations do not have adequate levels of protection because they are not correctly using the security they already have, and are not always able to spot when there is a problem.
· Consider the actions you should put into place should you suffer a data breach. Good incident management can reduce the damage and distress caused to individuals. With the incoming GDPR you need to be able to notify the ICO within 72 hours of recognising a data breach.
· Review the personal data you currently have and the protection you have in place.
· Make sure you are compliant with any industry guidance or other legal requirements.
· Document the controls you have in place and identify where you need to make improvements.
· Once any improvements are in place, continue to monitor the controls and make adjustments where necessary.
· Consider the risks for each type of personal data you hold and how you would manage a data breach. This way you can reduce the impact if the worst was to happen. You should also have an acceptable-use policy and training materials for staff so that they know their data protection responsibilities.
9. Minimise your data
· Personal data should be accurate, up-to-date and kept for no longer than is necessary.
· Over time you may have collected large amounts of personal data. Some of this data may be out-of-date and inaccurate or no longer useful.
· Decide if you still need the data. If you do, make sure it is stored in the right place.
· If you have data you need to keep for archive purposes, but don’t need to access regularly, move it to a more secure location. This will help prevent unauthorised access.
· If you have data you really no longer need, you should delete it. This should be in line with your data retention and disposal policies. You might need specialist software or assistance to do this securely.
10. Outsourced IT
· Make sure your data is being treated with at least the same level of security as you would apply yourself.
· Ask for a security audit of the systems containing your data. This may help to identify vulnerabilities which need to be addressed.
· Review copies of the security assessments of your supplier.
· If appropriate, visit the premises of your supplier.
· Check the contracts you have in place. They must be in writing and must require your contractor to act only on your instructions and comply with certain data protection obligations.
· Consider asset disposal – if you use a supplier to erase data and dispose of or recycle your IT equipment, make sure they do it adequately. You may be accountable if personal data gathered by you is extracted from your old IT equipment when it is resold.