Protecting against internal and external threats requires that organisations protect the integrity and confidentiality of the personal data they process. Implementing appropriate organisational and technical measures is fundamental to achieving those objectives.
Cyber attacks are hard to contain and can quickly impact any organisation — whether a target or not.
On this page are some suggested practical organisational and technical measures that an organisation should consider to help protect the integrity and confidentiality of the personal data they process.
The leaflet also contains some basic but essential steps to reduce risk and ensure you can recover your organisation’s information if your network is compromised.
In cyber security, a ‘patch’ is a fix - an immediate solution to an identified problem. Businesses and organisations should apply patches as soon as they become available; that doesn’t just mean Microsoft Windows. Patch your website, your databases, and infrastructure such as firewalls and routers. Linux servers, mobile devices, CCTV systems and IoT devices need to be updated too. Consider that if a patch is released, the vulnerability may have existed for some time already and may have been exploited. If you then take a month to test and deploy a patch, that’s a long time during which the vulnerability could be used against you.
Focus on building a simple, repeatable process for rapid testing and deployment – and have an emergency patching process for critical vulnerabilities with known exploits. Otherwise, aim to patch everything as quickly as you reasonably can. Cyber Essentials recommends within 14 days of release.
A warning: If you are not patching a system because it’s at the end of life, that’s not OK. It’s like driving a car without insurance or servicing — that accident will happen, and the impact will be worse when it does.
Good organisations manage the lifecycle of their systems so that they are replaced before they are obsolete. If you have obsolete software or hardware that can’t be patched, you should isolate the offending system on your network. An early warning sign that your IT lifecycle management practices are inadequate and need review is if you are paying extended licensing agreements for old systems.
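As an added illustration (not part of the leaflet), the triage below turns the patching guidance above into a check over a constructed inventory: emergency patching for critical fixes with known exploits, the 14-day Cyber Essentials target for everything else, and isolation for end-of-life systems that cannot be patched. System names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cyber Essentials target quoted in the leaflet: patch within 14 days of release.
PATCH_SLA_DAYS = 14

@dataclass
class System:
    name: str
    patch_released: Optional[date]  # release date of the outstanding patch, None if fully patched
    critical: bool = False          # vendor rates the fix critical
    known_exploit: bool = False     # exploitation reported in the wild
    end_of_life: bool = False       # vendor no longer ships fixes
    isolated: bool = False          # already on a segregated network segment

def triage(system: System, today: date) -> str:
    """Return the action the leaflet's guidance implies for one system."""
    if system.end_of_life:
        # An unpatchable system must be isolated (or replaced), never left exposed.
        return "OK_ISOLATED" if system.isolated else "ISOLATE_OR_REPLACE"
    if system.patch_released is None:
        return "OK"
    if system.critical and system.known_exploit:
        # The emergency process applies regardless of how recently the patch shipped.
        return "EMERGENCY_PATCH"
    age_days = (today - system.patch_released).days
    return "OVERDUE" if age_days > PATCH_SLA_DAYS else "PATCH_WITHIN_SLA"

def patch_report(systems, today: date) -> dict:
    """Map each system name to its triage outcome."""
    return {s.name: triage(s, today) for s in systems}

# Constructed sample inventory (hypothetical systems and dates).
TODAY = date(2024, 6, 1)
INVENTORY = [
    System("web-frontend", date(2024, 5, 10), critical=True, known_exploit=True),
    System("hr-database", date(2024, 5, 25)),
    System("branch-router", date(2024, 4, 30)),
    System("cctv-dvr", None, end_of_life=True),
    System("legacy-erp", None, end_of_life=True, isolated=True),
    System("laptop-fleet", None),
]

if __name__ == "__main__":
    for name, action in patch_report(INVENTORY, TODAY).items():
        print(f"{name:14} {action}")
```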
Train, train, train. An appropriate level of data protection training and awareness for yourself, any and all staff, volunteers and executives is fundamental. All individuals with access to personal data need to be aware of what they can/cannot do with the information entrusted to them and what actions need to be taken if something happens. Appropriately trained staff are your first line of support and can help your organisation in maintaining the highest data protection standards and trust of clients and employees.
Regardless of the system, a password should not be considered adequate on its own. Whilst there is lots of guidance on good passwords, many password complexity rules and forced resets can make life easier for an attacker and harder for the user, actually making systems less secure.
A good password provides some protection but can easily be compromised. Multi-factor authentication (or 2-step verification) is essential to protect user accounts and information.
By using two of something you know (such as a password), something you are (biometrics, such as a fingerprint), or something you have (such as a code to a mobile phone app) you can stop an attacker from gaining access even when they have obtained the password.
MFA should be used for network, device, and app access and personal services and accounts. Not all MFA is the same, and some techniques are better than others. Nevertheless, all methods significantly improve the security of a password used only by itself.
Having a password plus a PIN code or a separate memorable word is not multi-factor. Having to remember multiple things does not make you more secure; it makes it harder for your team.
Access to both data and facilities should be given on the principle of least privilege. For example, access to systems, personal data, building workspace, filing cabinets etc. should only be provided to those who require access in order to complete the tasks they are required to perform. Access should not be given to just anyone and it should not be given on the basis of ‘just in case’, nor should everyone be given access to all systems and areas because it is easier to do so. This could place your organisation and its assets, including the personal data it processes, at risk.
In addition to the customer and employee-facing systems you operate such as websites and email, you will have a lot of hidden infrastructure working hard for you. The directories, databases, file systems and routers enable your IT to work. Whether this happens on-premises or in the cloud, someone has to configure, manage, and maintain these systems. If an attacker gets access to the accounts used to manage these systems, it can be game over — they have access to everything on your network. When hotel giant IHG failed to do this, their systems were compromised for fun.
Admin accounts should be very carefully controlled, with rigorous use of MFA, careful access management, and a record of when an account is checked out for use, why and who by. IT staff should not be able to use privileged accounts for email and web browsing. Solutions vary from costly enterprise tools and the functionality built into cloud solutions, to free key safes and online apps.
It is essential to be the first to know when something goes wrong. That means logging the correct data, and monitoring it for anomalies that suggest a problem.
Monitoring doesn’t have to be complicated or expensive. If you know which of your systems are critical, you can often outsource elements to a security supplier. We have many highly capable local firms right here in Jersey and plenty of solutions to help.
These include cloud-based firewalls and security monitoring services that keep an eye on your websites, or online services that keep an eye on your visible perimeter.
There are also more advanced security monitoring systems such as SIEM (security incident and event management) solutions and security defence capabilities such as a SOC (security operations centre), which can monitor systems 24 hours a day, seven days a week.
Have you considered what measures you have in place to keep your organisation and its assets, including personal data, secure? Measures could include how the building is physically secured, if certain rooms such as server rooms have extra security and privileged access, how filing cabinets are locked and who has access etc. Security should also include management of others who may have access to your premises such as cleaners, visitors, clients, suppliers etc. It is extremely important to ensure you have undertaken relevant due diligence on your employees, suppliers, contractors etc. that you may be sharing or providing access to data or systems with.
Many attacks will start with a scan of your perimeter - this is everything someone without special access can see. You can do a lot to minimise this and make sure it looks boring to an attacker. If your network looks high risk and low reward, an opportunistic attacker will go elsewhere and a targeted attacker will find it harder to get in.
In addition to network firewalls that sit between your network and the internet, you should run application firewalls that sit between your application and the internet. It is important to ensure your systems are built to a consistent standard and hardened using a reference such as the CIS Security Benchmarks. Don’t forget to turn off ports and services you don’t need, and only have systems face externally if necessary.
Having documented policies and procedures covering both data protection and information security is vital to ensure that the various processes and requirements have been captured, so that everyone involved is aware of them and can refer to them when necessary. Policies and procedures should be reviewed and audited frequently to ensure the controls and processes in place have been effectively implemented and are being followed as they should. They should also be refreshed on a regular basis to ensure they truly reflect reality and include any updates when changes to any processes are made. It is also important to ensure you have a business continuity plan documented and access to back-ups in place in case something should go wrong.
How long would you survive without your data? Even if you operate primarily offline, how could you take payments? Pay staff? Produce the accounts? Buy supplies? File returns? And generally, manage your organisation? For most, it’s not long. If data is available but corrupted, recovery is often even more difficult.
Nothing will guarantee all attacks fail, so assume that one will succeed and ensure you still have your data. This includes both your business data and technical data on the configuration of your systems and network, so you can rebuild it if you need to.
Make sure your data is stored somewhere segregated from your primary network. This could be offline, such as a dedicated computer, storage array or USB stick. It could also be an online backup service or a cloud computing platform. Wherever you store it, remember to ensure that if usernames and passwords are compromised, they cannot be used to access and damage your backup data.
Finally, test your ability to restore and run from the restored data. A backup is no good if you can’t use it or if it will take three weeks to download it from the cloud — best to find that out now rather than when you need it.
We have recently seen attacks where a particular organisation was targeted by malicious emails from their customer or supplier. This is a lot of trouble for an attacker to go to, and they would only have done it if the target organisation could not be easily compromised directly.
You can’t be completely responsible for your client’s — or even your supplier’s — security. However, you should recognise that the borders of your organisation are porous and take reasonable steps to reduce your risk. This would include undertaking security assurance on suppliers to ensure they operate appropriate controls, notifying customers of issues and concerns, and passing on advice and alerts.
A retention schedule is key to ensure you are not holding information, including personal data, for any longer than is necessary. A retention schedule should document the categories of data you hold and how long you are going to hold it for. If you have a retention schedule, are you following it and safely destroying data as and when required to do so? Many organisations have retention schedules but do not always comply with them. What method are you using to safely destroy the data? Is the destruction outsourced and have you checked the contractor process for safe destruction? How do you safely dispose of devices and electronic equipment that may hold personal data that you no longer require?
When the time comes and the worst happens, you can significantly reduce the impact by managing the incident well. Bad incident management can quickly turn a drama into a crisis. Good incident management can improve customer and stakeholder confidence in you after an incident.
The first step is to ensure you have an incident or crisis management plan. Who would do what, and when? Guidance is available from CERT.JE and online from the UK’s NCSC.
Many successful attacks result from controls we intended to apply, but didn’t fully — often because it was felt to be cost-prohibitive or inconvenient. Of course, it is then likely that the same system or process is compromised. Once you have implemented controls, make sure you know what exceptions you have — make them strictly time-limited, report them to the Board, and work over a few months to eliminate them.
If you’ve implemented all these controls, you should be in a good position. But don’t rest there: verify them regularly through technical security testing or certification against a standard such as Cyber Essentials Plus. Look to practical, technical checks first and foremost. Some cloud services, such as Microsoft Azure, provide tools that can be used to compare your IT configuration against common standards and frameworks. That can be a great place to start.
What happens if something goes wrong? Can you identify whether there has been a breach or incident? How do you know if something has gone wrong? Do your employees know how to identify an incident and who to report it to? What is your plan if something has gone wrong? Who can you contact for support and guidance, and who do you report to?
If the breach/incident includes personal data, know that the Jersey Office of the Information Commissioner is here to help, support and guide you. You may also be required to formally report the matter and if so, should do so within 72 hours after becoming aware of the matter if there is a risk to data subjects.
Jersey Office of the Information Commissioner
T: 01534 716530
www.jerseyoic.org/report-a-breach/
If it is a cyber security related incident, there’s no need to be embarrassed. They happen all the time. However, by sharing we can protect others, and help ourselves in the future. Notify CERT.JE using the email address below so we can learn together as a community and stay one step ahead of the threat.
If the matter is crime related, i.e. hacking, fraud etc. you may also wish to consider reporting to:
States of Jersey Police
T: 01534 612612