Data Protection & Cyber Security – Essential, simple steps for keeping your business data safe.
It’s not unusual to presume the worlds of data protection and cyber security are one and the same. There are many areas in which the two do cross over, particularly given how much of our lives are online and therefore how many of our personal details are used and stored digitally.
In October, Information Commissioner Paul Vane hosted an interactive workshop at the Jersey Museum alongside Matt Palmer of CERT.JE as a part of the Cyber Security Awareness Month events, looking at the relationship between data protection and cyber security, and guiding and advising business owners with simple steps for keeping their business data safe.
If you weren’t able to secure a space on this fully booked session, don’t fear! We’ve put together a summary of the basic but essential steps to reduce risk and ensure you can recover your organisation if your network is compromised.
- Patch all your systems regularly
In cyber security, a ‘patch’ is a fix - a vendor’s solution to an identified problem, often a security vulnerability. Businesses and organisations should regularly patch everything. Patch your website, your databases, and infrastructure such as firewalls and routers. Linux servers, mobile devices, CCTV systems and IoT devices need to be updated too.
- Train, train, train
An appropriate level of data protection training and awareness for yourself and all staff, volunteers and executives is fundamental. Everyone with access to personal data needs to be aware of what they can and cannot do with the information entrusted to them, and what actions to take if something happens. Training and awareness help your organisation maintain the highest data protection standards and the trust of clients and employees.
- Implement multi-factor authentication (MFA)
Regardless of the system, a password should not be considered adequate on its own. Multi-factor authentication (or 2-step verification) is essential to protect user accounts and information.
Access to both data and facilities should be given on the principle of least privilege. For example, access to systems, personal data and building workspace, filing cabinets etc. should only be provided to those who need it to complete the tasks they are required to do. Access should not be given to just anyone, nor on a ‘just in case’ basis, nor to all systems and areas simply because that is easier. Doing so places your organisation and its assets, including the personal data it processes, at risk.
- Control Privileged Access
In addition to the customer and employee-facing systems you operate, such as websites and email, you will have a lot of hidden infrastructure working hard for you. Admin accounts should be very carefully controlled, with rigorous use of MFA, careful access management, and a record of when an account is checked out for use, why and who by.
- Operate Effective Monitoring & Alerting
It is essential to be the first to know when something goes wrong. That means logging the correct data and monitoring it for anomalies that suggest a problem. Monitoring doesn’t have to be complicated or expensive. If you know which of your systems are critical, you can often outsource elements to a security supplier.
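As an added illustration of the point that monitoring need not be complicated, the script below (not code from the original article, CERT.JE or the JOIC) reads a handful of constructed authentication log lines and raises three kinds of alert: a burst of failed logins from one source, a privileged account logging in from outside the known office range, and a successful login from a source that had just been brute-forcing. The log format, threshold, window, privileged account name and “known” address prefix are all assumptions for the example.

```python
"""Minimal anomaly alerting over authentication log lines.

Added example; the log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a short brute-force run against 'admin' from an
# external address, followed by a successful login, then normal staff activity.
SAMPLE_LOG = """\
2024-03-04T08:00:01 OK user=alice src=10.0.0.5
2024-03-04T08:00:10 FAIL user=admin src=203.0.113.9
2024-03-04T08:00:12 FAIL user=admin src=203.0.113.9
2024-03-04T08:00:15 FAIL user=admin src=203.0.113.9
2024-03-04T08:00:19 FAIL user=admin src=203.0.113.9
2024-03-04T08:00:22 FAIL user=admin src=203.0.113.9
2024-03-04T08:00:40 OK user=admin src=203.0.113.9
2024-03-04T09:15:00 OK user=bob src=10.0.0.7
2024-03-04T09:20:00 FAIL user=bob src=10.0.0.7
2024-03-04T09:21:00 OK user=bob src=10.0.0.7
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines, fail_threshold=5, window=timedelta(minutes=5),
           privileged=("admin",), known_sources=("10.0.0.",)):
    """Scan log lines in order and return a list of (alert_type, src, detail)."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                     # sources already reported for brute force
    for line in lines:
        event = parse(line)
        if event is None:
            continue                    # skip malformed lines rather than crash
        src, ts = event["src"], event["ts"]
        if event["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src,
                               f"{len(q)} failures within {window}"))
        else:
            # Privileged account signing in from outside the known address range
            if event["user"] in privileged and not src.startswith(known_sources):
                alerts.append(("PRIV_LOGIN_UNEXPECTED_SOURCE", src, event["user"]))
            # Any success from a source that was just brute-forcing is high priority
            if src in flagged:
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, event["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed sample it produces three alerts, all for 203.0.113.9; bob’s single mistyped password produces none. The same loop works unchanged over a real log file once `LINE_RE` is adapted to that system’s format, and the thresholds are the knobs to tune against your own baseline.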
Have you considered what measures you have in place to keep your organisation and its assets, including personal data, secure? Measures could include how the building is physically secured, whether certain rooms such as server rooms have extra security and privileged access, how filing cabinets are locked and who has access. Security should also cover others who may have access to your premises, such as cleaners, visitors, clients and suppliers. It is also really important to ensure you have undertaken relevant due diligence on any employees, suppliers and contractors with whom you share data or to whom you provide access to systems.
- Manage your attack surface
Many attacks will start with a scan of your perimeter - this is everything someone without special access can see. You can do a lot to minimise this and make sure it looks boring to an attacker. If your network looks high risk and low reward, an opportunistic attacker will go elsewhere and a targeted attacker will find it harder to get in.
- Policies & Procedures
Having relevant policies and procedures documented to cover both data protection and information security is vital. It ensures the various processes and requirements have been captured so that everyone involved is aware of them and can refer to them when necessary. Policies and procedures should be reviewed and audited against frequently to confirm that the controls and processes in place have been effectively implemented and are being followed as they should. They should also be refreshed regularly so that they truly reflect reality and include any updates when processes change. It is also important to have a documented business continuity plan and access to backups in case something should go wrong.
- Maintain Segregated Backups
How long would you survive without your data? For most, it’s not long. If data is available but corrupted, recovery is often even more difficult. Make sure your data is stored somewhere segregated from your primary network. This could be offline, such as a dedicated computer, storage array or USB stick. It could also be an online backup service or a cloud computing platform. Wherever you store it, remember to ensure that if usernames and passwords are compromised, they cannot be used to access and damage your backup data.
- Manage risk in your Value Chain
You can’t be completely responsible for your client’s — or even your supplier’s — security. However, you should recognise that the borders of your organisation are porous and take reasonable steps to reduce your risk.
- Retention & Destruction
A retention schedule is key to ensure you are not holding information, including personal data, for any longer than is necessary. A retention schedule should document the categories of data you hold and how long you are going to hold it for. If you have a retention schedule, are you following it and safely destroying data as and when required to do so? Many organisations have retention schedules but do not always comply with them. What method are you using to safely destroy the data? Is the destruction outsourced and have you checked the contractor process for safe destruction? How do you safely dispose of devices and electronic equipment that may hold personal data that you no longer require?
- Test your Incident Management Processes
When the time comes and the worst happens, you can significantly reduce the impact by managing the incident well. The first step is to ensure you have an incident or crisis management plan. Who would do what, and when? Guidance is available from CERT.JE and online from the UK’s NCSC.
- Verify your controls
Many successful attacks result from controls we intended to apply but didn’t fully — often because it was felt to be cost-prohibitive or inconvenient. Once you have implemented controls, make sure you know what exceptions you have — make them strictly time-limited, report them to the Board, and work over a few months to eliminate them.
If you encounter a cyber security related incident, there’s no need to be embarrassed. They happen all the time. However, by sharing we can protect others, and help ourselves in the future. Notify CERT.JE using the email address below so we can learn together as a community and stay one step ahead of the threat.
If a breach or incident includes personal data, you may wish to contact the Jersey Office of the Information Commissioner for support and guidance. You may also be required to formally report the matter and if so, should do so within 72 hours after becoming aware of the matter.
01534 716530 www.jerseyoic.org/report-a-breach