Is the data you hold at risk of breach?
May 3, 2018
The General Data Protection Regulation takes effect on 25th May 2018 and applies to all organisations processing and holding the personal data of ‘data subjects’ residing in the European Union, regardless of the company’s location.
As ‘Data Protection’ is the key component for GDPR compliance, a fundamental question you should ask as a business owner is “how can we help protect our data?”.
We now live in a digital age with a myriad of devices that we use freely at work, home and in the public domain but many of us are blissfully unaware of the threats that surround us. And unfortunately, it’s all too easy to let data slip into the wrong hands.
It’s therefore important to identify the potential risks you face when handling data and implement robust measures to secure it. In doing so, you will be less likely to suffer a data breach and its potential consequences i.e. a fine and/or jeopardising your company’s reputation.
Take a few minutes to read through these simple ‘data breach’ scenarios and consider whether any of them have related, or could relate, to you. If nothing else, it may make you stop and think.
Help – it’s been stolen!
You’re leaving work late (again!) and bundle the laptop on the back seat of the car before racing home. As you pull into the driveway, you take a deep breath and charge through the door ready for the onslaught. It’s only when you return to your car later that evening that you discover your laptop has been stolen, with all your company data on it. Help! What actions should you take to stop someone accessing your PC, and how do you recover your data? Do you know?
A simple accident to a major disaster
From simply spilling a cup of tea on your device to arriving at the office to find a flood has destroyed your server, the inability to access your network files and the potential loss of data sends you into a blind panic. This needn’t be the case if you are proactive in backing up your data. This could be on premise, in the cloud or using a secure online backup. Your backups are essential and have to be carefully managed so don’t forget!
An office misdemeanour
How often do you forget to screen lock your PC when leaving your desk? Who knows how many people walk past your screen in the time you take to go to the bathroom or whether the delivery driver has seen confidential information as he deposits a parcel on your desk? If you haven’t got an automated screen lock set up on your PC you could be at risk. You wouldn’t leave all your personnel files in an unlocked cabinet so why leave your computer unlocked for everyone to access?
A member of staff walks out
IT/Access termination checklist
A member of staff has unexpectedly walked out of the company following an altercation. Do you have an IT/Access termination checklist in place to ensure the employee can no longer access sensitive and confidential data via their personal logins? This of course needs to be carried out in a timely manner following their departure. The checklist will cover all aspects of your business from network and email logins to system access and door entry codes.
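The login-revocation part of such a checklist can be scripted so it happens in minutes rather than days. The following is an added example, not code from the original post or from any product: a PowerShell script for an Active Directory domain that disables the leaver’s account, resets its password to a random value, strips group memberships and parks the account in a ‘Leavers’ OU. The OU path and log path are assumed placeholders, and email, VPN and door-entry access are flagged for manual follow-up because they live in other systems.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module and rights to modify the user. The OU and log path below are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$LeaversOU = 'OU=Leavers,DC=example,DC=local',   # assumed placeholder
    [string]$LogPath   = "$env:TEMP\offboarding.log"         # assumed placeholder
)
Import-Module ActiveDirectory

function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format o) $Message"
    Add-Content -Path $LogPath -Value $line   # keep an audit trail of every step
    Write-Output $line
}

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
Write-Log "Offboarding $($user.DistinguishedName)"

# 1. Disable the account so new interactive and network logons stop immediately.
Disable-ADAccount -Identity $user
Write-Log "Account disabled"

# 2. Rotate the password so any cached, written-down or shared credential is useless.
#    The new value is random and deliberately never recorded anywhere.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
Write-Log "Password reset to a random value"

# 3. Record and then remove group memberships: system access usually travels with groups,
#    and the log lets you answer "what could this person reach?" later.
foreach ($groupDn in $user.MemberOf) {
    Write-Log "Removing from group $groupDn"
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# 4. Move the account to the leavers OU so its status is obvious during audits.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
Write-Log "Moved to $LeaversOU"

# 5. Items this script cannot cover; they belong on the same checklist.
Write-Log "MANUAL: revoke mailbox/cloud sessions, VPN certificates and door-entry codes"
```

Run it as soon as the departure is confirmed, then work through the manual items the final log line lists.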
Staff Exit Policy
You should also have a staff exit policy to ensure employees are aware of their responsibilities when they leave the company. This will include returning company property, providing managers with relevant passwords and access codes and transferring data/information pertinent to their role before their accounts are disabled.
Robust employment policies
By ensuring you have robust employment policies in place outlining the procedures employees should follow in situations such as these, it will minimise grounds for dispute and the likelihood of sensitive company information being leaked into the public domain.
Watch out for hacks
Ever experienced broadband issues?
You’re striving to meet an important deadline but, due to broadband issues causing an entire day’s outage, you’re struggling to get the work completed in time. The next day you receive a call from your broadband provider who wants to carry out some diagnostic tests on your PC to investigate the issues you’ve been experiencing. The caller addresses you by name and has other information regarding your account, so you give them access and watch as they install the diagnostics on your screen. While working on your laptop and explaining their investigations over the telephone, the caller is cleverly gaining access to your bank account details and all your data files. The caller isn’t from the broadband call centre at all, and you are now the victim of a phishing attack! Sound unlikely? But it’s at times such as these, when we’re under pressure, that we become more vulnerable to cyberattacks.
Common phishing and spear phishing attacks
Phishing and spear phishing attacks are becoming all too prevalent, so ensure you are aware of the types of attacks that are out there. Cybercriminals are very clever at luring you into opening a link, logging into an account or divulging confidential information while posing as a friend, colleague or professional business, in order to steal from you or extort money.
Even an innocent click on an email link by an unsuspecting employee, or opening an ‘infected’ advert when browsing the web, can lead to devastating consequences, for example the download of ransomware or malware that disables the device until you pay a ransom to the criminals to restore access.
It’s easily done so please don’t be fooled or let your employees be fooled. If you would like more information on what to look out for to avoid phishing and spear phishing attacks, then read our phishing blog.
The perils of public and home Wi-Fi
Beware of public Wi-Fi
You arrive early for an important meeting so pop into Costa for a quick coffee and a browse of your emails. You log into their public Wi-Fi using the hotspot passcode sent to your mobile as instructed but are you safe? The answer is ‘No!’. Always be suspicious of any public Wi-Fi link as cybercriminals can set up bogus links that look identical to the company’s which enables them access to your work files and company data.
So what can you do?
Apart from being vigilant when working remotely, you could set up a Virtual Private Network (VPN). By using a VPN to connect to a public Wi-Fi network, you’ll effectively be using a ‘private tunnel’ that encrypts all of your data that passes through the network which can help prevent cybercriminals from intercepting it.
Working at home, is it safer?
Unfortunately, you’re still at risk when working from home. A recent security issue was discovered with the Wi-Fi devices (i.e. routers and WAPs) that people use at home and work. It concerned the WPA2 encryption standard and allowed attackers to decrypt traffic sent over the Wi-Fi network, thus stealing Wi-Fi passwords and gaining access to people’s networks.
Although attackers needed to be in range of the Wi-Fi network it was still a security concern so manufacturers released security patches for all devices using Wi-Fi communication, including PCs, Macs, tablets, phones, wireless printers, routers and Wireless Access Points (WAPs).
Manage your security patches and updates
Many kinds of security patches and software updates are released on a regular basis and need to be downloaded on your devices for them to take effect. Are you kept informed about security issues such as these or do you have an IT provider who can advise you and manage the patches and updates you need as a business?
So does the GDPR signal the end of remote working?
When working remotely whether out-and-about or at home you are increasing the likelihood of being hacked. We regularly log in to a ‘secure’ Wi-Fi network or platforms purporting to use ‘advanced security features’ but they are never 100 percent safe. By using this means of working you are undoubtedly increasing the risk of a data security breach.
Even after installing security defences such as firewalls, anti-virus, anti-spyware and spam filtering software, there are no guarantees that your data will stay secure. End users are the largest and most vulnerable target in most businesses, often through a lack of awareness of the cyberthreats and scams that are being carried out every day. Therefore, regularly training your employees on cybersecurity is essential.
When considering whether the introduction of GDPR signals the end of remote working, it’s important to weigh up whether the convenience of working remotely outweighs the risk of your company’s data being breached.
If you continue to work remotely you will need to put as many measures and practices in place to safeguard you and your employees from the threats you face. Think about introducing a ‘Remote Working Policy’ which will ensure all employees are following a standard protocol when working away from the office or even limit remote working to reduce the potential risks.
The GDPR may not stop you or your employees from working away from the office right now but having seen the potential threats highlighted in this blog, remote working should surely feature pretty high on your next board meeting agenda?
6 steps to help prevent your data from being hacked
To assess the risks you face from your current IT practices, carry out the following six steps. This will form a key part of your GDPR compliance in securing your subject data:
- IDENTIFY the potential cyber threats you and your staff face when accessing or processing personal data.
- Carefully REVIEW the IT measures and policies you currently have in place to manage those threats.
- SEEK specialist IT advice if you want to ensure you have the best solutions available to you.
- IMPLEMENT new or additional IT security measures and corporate policies if required.
- Regularly TRAIN your employees in data protection and cybersecurity.
- SCHEDULE timely audits to re-assess your data security processes and policies.
If you would like advice on your current IT set up and the security measures you may need to help achieve GDPR compliance, then please contact us. We’re happy to talk over the phone or we can arrange a visit to assess your existing network and practices. We will then work with you to identify the best solutions according to your business’s security and budgetary requirements.