Data Protection and Cyber Security

1. Summary

There’s no doubt that technology makes life a lot easier for the average business. But have you ever thought about how you’d run your business if you lost the data and information you now hold electronically?

Think about it. Your laptops, computers, tablets and smartphones all contain a lot of your business-critical data, as well as your customers’ personal information, and details of the online accounts you access. A cyber-attack can put all of this at risk.

And it is not just a big-business problem. According to the National Cyber Security Centre, if you are a small or medium-sized business, there’s around a one in two chance that you’ll experience a cyber security breach, and if you’re a micro business it could cost you around £1,400.

So, rather than acting with hindsight, why not use a number of affordable and easy-to-implement measures to reduce the risk of criminals gaining unauthorised access to your information, or worse, disabling your IT systems for monetary gain?

This guide starts with a quick read for reference, followed by more detailed information for businesses that are interested.

2. Advantages of cyber security

What are some advantages of effective cyber security?

  • Diminish risk: identifying and plugging gaps in your security defences helps minimise the risk to your business and reduces disruption if disaster happens
  • Save costs: using firewalls, anti-virus software, password protection, software updates, system backups, and limiting system access reduces likely recovery costs
  • Limit damage: a pre-agreed disaster recovery plan will allow everyone to react knowledgeably and quickly to reduce disruption and enable shorter recovery times
  • Peace of mind: secure systems protect sensitive data whilst giving employees flexibility, customers confidence, and you compliance with industry regulations

3. Quick advice

In reality, the vast majority of security problems are the result of deliberate or accidental actions by authorised users. Whilst any reasonably secure system will be resistant to casual random external attacks, most security breaches result from employees.

Risks include opening rogue emails, looking at an infected website, connecting an infected personal device to your network or processing a fraudulent order.

This is why you should consider developing formal policies that cover:

  • managing cyber security risk,
  • upskilling with cyber security training,
  • planning for an attack with a disaster recovery plan.

Start by understanding what is of value to your business, how it could be compromised (lost, altered, misused) and what the potential fall-out to your business would be.

It’s best to think beyond the risk to hardware and software and include all the information you hold, shared knowledge repositories, and possible impacts on your finances.

4. What to protect

Consider what needs protecting and what is at stake:

  • Confidential or sensitive customer information
  • The day-to-day operation of your IT system and website
  • Disruption of operations
  • Threats to your finances
  • The possibility of extortion
  • Possible exposure to regulatory action or negligence claims
  • The inability to meet contractual obligations
  • Threats to your reputation and a damaging loss of trust among customers and suppliers

When you know what is at risk (your most important information assets), what effect the loss of those assets will have on your business, and how much it is realistically worth you spending to prevent that loss, then you can devise the most cost-effective security solution.

Think CIA - maintaining Confidentiality, Integrity and Availability of information.

Then consider the four common methods of attack to mitigate against:

  • Phishing: the use of bogus e-mails and websites to trick you into supplying confidential or personal information that can then be used for fraudulent purposes
  • Ransomware: the highly publicised WannaCry attack, particularly on older NHS computers, graphically illustrated the growing threat posed by this type of malicious software, which encrypts some or all of the files on your computer and then demands payment for these to be decrypted
  • Spyware: technology that covertly gathers information such as keystrokes, passwords and other confidential data without your knowledge, which can then be used for identity theft or fraud
  • Zero-day attacks: while you wait for the software developer to send out a ‘patch’ to fix a software vulnerability, your data is at the mercy of cyber criminals who can exploit this weakness before it is resolved

5. 10 easy steps

  • Establish an information risk management approach that identifies the security risks your business faces and the policies for dealing with these
  • Use anti-virus and anti-malware software to protect against threats and ensure that it is updated regularly
  • Develop a policy for removable media that limits the types used and ensures that all such media is scanned for malware before importing it on to your other business systems
  • Apply rigorous patch control – ensure that you always have the latest version of software products and that you promptly install all critical patches and updates that are issued by product suppliers
  • Manage user privileges – only give users the privileges they need to do their job and monitor their activities, particularly those involving access to sensitive information
  • Promote user awareness by including security policies as part of employment terms and conditions, and ensure all users receive regular training on the cyber risks they face
  • Scan inbound and outbound data traffic and analyse system logs in order to detect any unusual activity that could indicate a malicious attack
  • Take account of home and mobile working by developing procedures that support mobile working or remote access to systems and train users on the secure use of their mobile devices in locations away from your office
  • Put a business continuity plan in place – no system is 100% secure, so plan for the worst-case scenario and clarify the individual responsibilities to get you back to ‘business as usual’ as quickly and painlessly as possible
  • Keep things simple and cost-effective – do as much as you consider necessary to protect your business, and to reduce risk to a level that you are comfortable with, whilst balancing the likely cost against the projected risk

6. Key considerations – internal

IBM’s Cyber Security Intelligence Index found that 95% of all security breaches involve some level of human error, highlighting the importance of educating staff in the best cyber security practices.

Staff policies

Develop acceptable usage policies that clearly define what behaviour is expected and what is not acceptable for all users with access to your systems. This should be part of your terms of employment and understood by all staff. As with any HR issue, strike a balance between practicality, trust and control.

Legal requirements

If you hold personal data on clients, employees or other individuals you will need to conform to the General Data Protection Regulation (GDPR) and register with the Information Commissioner’s Office (ICO). This requires you to implement adequate security measures to protect the privacy and integrity of personal data wherever that data is held.

Standards

By certifying to the ISO/IEC 27001 standard you can demonstrate to customers and business partners that you take cyber security seriously, and indeed some procurement exercises (particularly in the public sector) will require you to prove you are fully certified. Use third-party audits to ISO/IEC 27001 to help you establish that any cloud supplier has the correct security controls in place.

7. Key considerations – protection

Anti-virus software

It is best to use well-known anti-virus software to scan your computer and delete any viruses or other types of malware it finds. To clarify, a virus is a computer program capable of reproducing itself in systems, which it infects and, when executed, produces a range of side effects including serious corruption and destruction of files and systems.

Malware, by contrast, is a generic term that covers a range of software programs designed to attack, degrade, infiltrate or prevent the use of an IT system or network. These can include not only viruses but also worms, Trojan horses, spyware and ransomware. You should ensure that the software is updated daily, and recognise that it is only a partial solution since it cannot stop all malware.

Firewalls

Use a firewall to create a barrier between your (trusted) network and the (untrusted) Internet, so it can block anything dangerous. And if you are using a cloud supplier, make sure you ask what protection they provide and how often they update it. Most cloud data centres will employ the latest measures in security precautions, including biometric access controls and multi-tiered security perimeters.

Access control

You should only allow authorised people to access your network. There are many ways to achieve this, but simplistically it’s akin to maintaining a list of authorised people and using unique passwords to verify the people who are on the list. For many business purposes, an enforced strong password policy will provide adequate user authentication. Make sure users create a strong password, and that the business stores the passwords securely.

Passwords

There is some debate on what makes a strong but memorable password. But good practice suggests using a phrase of at least 16 characters that mixes upper- and lowercase characters, numbers and punctuation/special characters. Where enhanced levels of access control are required, the control system can also require the user to be in possession of a token, known as two-factor authentication.
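
The two requirements from the Access control and Passwords sections above, enforcing the 16-character mixed-class policy and storing passwords securely, worked through as an added example (not code from the guide). The policy check follows the guide’s own criteria; the storage scheme (a per-user random salt with PBKDF2-HMAC-SHA256 from the Python standard library, and a constant-time comparison on verification) is an assumption about what ‘storing passwords securely’ looks like in practice.

```python
"""Password policy check plus salted, slow-hashed storage (constructed example)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 16            # the guide's minimum: a phrase of at least 16 characters
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster


def password_meets_policy(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation/special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash; the record is 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh 16-byte random salt is generated unless one is supplied (e.g. for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample passwords: one that fails the policy, one that passes.
    for candidate in ("Summer2024", "Correct-Horse-Battery-Staple-42!"):
        print(candidate, "->", password_meets_policy(candidate) or "passes policy")
    record = hash_password("Correct-Horse-Battery-Staple-42!")
    print("verify:", verify_password("Correct-Horse-Battery-Staple-42!", record))
```

The plaintext is never written anywhere; only the record string is stored, so a stolen user database yields salted hashes that must each be attacked separately.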

8. Key considerations – access

Managing user privileges

Providing users with more system privileges or data access rights than they need to do their job can lead to significant problems if their accounts are misused or compromised. So unless they are the system administrator, all employees should have limited access, to reduce the spread of infection should there be a breach.

Encryption

If you use a wireless network for accessing information held on mobile devices, consider encrypting that data so that a password or encryption key is required to unlock it.

Anomaly detection

Small companies might be able to manually analyse their network logs, but most would benefit from log management software, or Security Information and Event Management (SIEM) software. The latter automatically analyses multiple sources of security information and log data from firewalls, intrusion detection systems and anti-virus software.

Mobile Device Management (MDM)

If your business allows or encourages employees to bring their own devices into the workplace, this can expose your systems to uncontrolled infection. MDM centralises the security-related controls for smartphones, tablets and other mobile devices. Security features include the ability to configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock devices that have been lost or stolen.

Penetration testing

Penetration testing involves trying to break into your own network to test its resilience. It doesn’t merely seek vulnerabilities; it attempts to exploit them. It also tests your staff, since they are generally considered to be the weakest link in all security. Penetration testing can be done by in-house staff or, more commonly, by specialist companies.

Patch control

It’s essential that you always have the latest version of software products and that you promptly install all critical patches and updates issued by product suppliers. Patching means applying available updates for operating systems and applications such as browsers, plugins and desktop applications. Performing these updates will deliver a multitude of revisions to your computer, such as adding new features, removing outdated features, updating drivers, delivering bug fixes, and most importantly, fixing any security vulnerabilities that have been discovered by the supplier.

9. Key considerations – cloud

Storage and data backup

Before choosing a solution for storage and backup, it is important to assess your business needs now and in the future. As a rule of thumb, you should allow for at least 20-30% excess capacity.

Using the cloud

Accessed over the internet, a cloud-based backup solution provides unlimited backup capacity, maintained and managed by a third party, on a pay-as-you-go basis. It remains the responsibility of the business to ensure that the backups are made, although increasingly automated backup solutions are used which will back up systems daily (or more frequently) depending on the requirements of the business. The history of backups is then retained online in case restoration of data is needed.

In a world which is increasingly reliant on data, and with the rise of cybercrime, even the smallest organisation should invest in an automated backup solution, as manual backups are notorious for not getting done.

Know what to back up and when

It is important to determine what is to be backed up, and how often. It may be tempting to say “everything, all the time” but in reality, few organisations need that level of backup. For example, if a strict policy is adhered to of keeping all important data on servers rather than individual users’ local hard disks, the loss of trivial data (to-do lists, personal correspondence and the like) on those hard disks may be an acceptable price to pay for reducing the complexity or volume of backups.

Timing of backups is also important to minimise their impact on system performance. If it is not critical that they are absolutely up to date, they can be done overnight or during other periods when usage of your network and servers is low, so their activity doesn’t slow everything down.

10. Recommended action points and tips

  • Take a holistic approach to security: identify and address risks to the business and people, not just technical IT risks
  • Prepare a security plan: identify what is valuable to you, how it could be compromised, and how the risks can be reduced to an acceptable level
  • Policies and procedures: create acceptable usage policies and make sure everyone with access to your systems signs and follows them
  • Secure external services: if you provide web services, make sure they are properly secured and separated from internal business systems
  • Keep it simple: don’t implement complex security systems without careful assessment of the benefit against the cost
  • Review and update: always keep your business continuity (disaster recovery) plan and all software and processes up to date