Sunday 7 December 2014

Here's how to deal with an information security breach

We all hope that we will not be the subject of an information security breach, but the chances are that all organisations will have a data breach of some form at some time. How effectively you respond to an information security breach will affect both your company's public profile and the costs of the breach.
  • Have a plan. Don't wait to have a security breach before deciding what you should be doing in the event of one. Have a strategy in place that you can bring into action as and when the breach occurs.
  • Avoid Panic. Whether you are CEO, CIO, or any other senior officer, an information security breach can be alarming, but you should not panic. Evaluate the situation and decide on a plan of action as you would with any other business problem.
  • Secure the System. Take appropriate steps to contain and control the breach, to prevent further unauthorised access to or use of the personal information. You should preserve records and any other evidence. If the breach involves a lost or stolen computer or other portable media, secure any back-up files that show the information contained in the compromised system. It is helpful to make a mirror image of the records on your computer system or perform a comprehensive backup to ensure the preservation of information.
  • Organise a Response Group. You should take steps to ensure that other key members of staff and board members are notified of the information breach. Decide on a group who can make decisions to deal with the breach. The team should comprise people who have the technical expertise to deal with the situation and also who understand the nature of the information which has been breached and can advise on the information which may have been compromised or is at risk.
  • Retain Outside Advice. Retain outside advisors who have relevant expertise to help you decide upon a strategy, manage an internal investigation and comply with any notice or regulatory requirements.
  • Engage a Computer Forensic Investigator. Enlist the services of a firm specialising in computer forensics, cyber-crime response, internal investigations, and the preservation, analysis and production of electronic data.
  • Notify the relevant authorities. This should include the Information Commissioner's Office if the breach is severe enough. Other organisations may include your insurer and the police, depending on the type of breach.
  • Plan a Media Response. Any company which has been the subject of an information security breach should consider how it is going to deal with the press enquiries which may result. A severe breach which results in an ICO investigation will bring media interest in the organisation, which may need professional media experts to handle effectively. Any public statement should be factually accurate but reassure customers, potential customers and staff.
  • Review Your Company’s Privacy and Data Security Policies. If your company has adopted written privacy or data protection policies, review them to assess the company’s compliance with those policies in the context of the incident. Any response to the incident should be consistent with your internal policies. Also consider whether additional staff training is required to enforce the correct procedures when dealing with personal information.
  • Check Your Insurance. Check your insurance policies and other policies for potential coverage. Take the steps necessary to ensure that you do not lose insurance coverage by failing to give the required notice to the insurer or to meet any other procedural requirements. Make sure that you understand the company’s indemnity obligations under contracts with any third party involved in the incident, such as a client or vendor.
If you need any help or advice, we would love to help. Please contact me for further information at ask@audit-and-risk.co.uk

Sunday 9 November 2014

ICO warns organisations about cyber security. Could you be at risk?

The Information Commissioner's Office has suggested that organisations need to act to ensure that the information collected via their websites is secure. This follows the hacking of a hotel booking website in which the details of 3814 customers were accessed. You can read the full ICO comment here.

This isn't the first incident of websites being hacked for their customer details. In May 2014, eBay was hacked and advised all its account holders to change their password.

In April 2012, the British Pregnancy Advisory Service website was hacked and the name and logon details of the administrator were leaked. At the time the ICO said: "Ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."

Ernst and Young have researched cyber attacks and produced a report (Ernst and Young report). Cyber threats are regularly reported in the media, and this indicates that attacks are becoming more sophisticated and persistent. If your organisation has not experienced an attack yet, it will no doubt be targeted.

PWC reports that cyber attacks have increased 41% over the last year, and the report shows that most attacks are undertaken by current employees.

Both the PWC and Ernst and Young reports are interesting and show the importance of ensuring appropriate security and policies are in place.

If you would like some help identifying any potential weaknesses, please contact me at Lesley@audit-and-risk.co.uk. I shall be happy to help.

Tuesday 28 October 2014

Printer problems?

HP produced a very interesting article on printer security and the potential risks, particularly with a network printer. The link below will take you to the article.

http://h20435.www2.hp.com/t5/HP-BusinessReady/Is-your-printer-putting-sensitive-data-at-risk/ba-p/89690#.VEVg3fl4rtw


Sunday 19 October 2014

Data protection breaches and how they happen - but not to you if you follow the tips!

The news is filled with details of Data Protection breaches or, as they are sometimes called, information security breaches. Any breach of information creates the image of someone deliberately hacking your system to access your valuable data. Data protection breaches have increased over the last 10 years and the information being sought is the basic personal information about individuals which can be found in the databases and filing cabinets of many businesses and can easily be used for identity theft purposes.

In reality, breaches just as commonly occur as a result of human error from inside the organisation, usually through a lack of training and understanding. This could be the loss or theft of laptops, tablets, portable drives or work mobile phones. A common mistake is emailing information to the wrong address or posting it where it can be seen by the general public on the internet. In addition there are poor disposal procedures, especially for paper records which are just thrown in the general rubbish rather than securely shredded. Old office equipment such as filing cabinets has been disposed of with the files still in it!

So, top tips for keeping your data safe:
  • Ensure you have adequate passwords on your files and change them frequently.
  • Limit personal information access to those who need it to do their jobs.
  • Set up systems to ensure that database contents cannot be sent via email.
  • Ensure that there is adequate training in place to support your staff.
  • When disposing of old paper files, ensure they are shredded by a reputable company.
  • When disposing of old office equipment, make sure that there is no personal information in it.
  • Have a process in place to effectively deal with any breaches or compromises that occur.

Saturday 11 October 2014

7 Lessons to be learned from the Swale Council Email disclosure

In the news this week Swale Council admit that they sent the email addresses of 2500 residents to other residents in an email. See the link for the newspaper report.

http://www.kentonline.co.uk/sittingbourne/news/council-may-face-action-over-24879/

This is an easy error to make if there is insufficient guidance or training around emails.

So here are our 7 top tips to stop you making the same costly mistake:

  • Who has access to your database?
One of the principles of the Data Protection Act is that the information should only be made available to those who need to see it.
  • Who has the final approval for emails being sent out to the mailing list?
Who is checking the emails before the send button is pushed? We all know how easy it is to make a mistake in an email and only realise just after you have sent it. My usual mistake is forgetting to attach a file.
  • What's your email policy?
Does your email policy allow emails to be sent to large groups of people from your main system? If so, there should be a practice in place which limits the number of addresses that any single email can be sent to. This will reduce the potential for error. This is different from emails being sent via a mailing package such as MailChimp, because that would automatically ensure the security settings meet DP requirements.
  • How often are staff reminded of the email protocols?
It's great to have a process in place but completely useless if the staff who might need to use it are unaware of it. In a large staff team, it is good practice to have regular training around data protection and this should include information around email protocols. Records of the training should be maintained, including the date and the names of the staff who attended.
  • Can you create controls in the email system which limit the number of addresses?
In larger organisations the IT system can sometimes be sophisticated enough to limit the number of addressees an email can be sent to. This is to stop emails being sent to large groups of people and being treated as spam.
  • What happens following the breach?
How you handle a breach will be considered as part of any ICO investigation. The type of breach dictates the action to be taken. You should try to notify those whose information is affected of the details of the incident and provide advice where necessary on what will happen next and any action the individual may need to take. Ideally, have a written plan as to what you will do in the event of a breach, as this will save time when it happens and you won't need to think about what you should be doing.
  • Do I need to report the breach to the ICO?
This depends on the extent and severity of the breach: how many people the information related to and what the information was. If it is the email addresses of 5 people, then no, you would not need to report it. If it is the health records of 5 people, then you would need to report it. At the time of a breach you need to seek advice to ensure that further breaches do not occur and that the breach is dealt with professionally and effectively.
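The address-limit control described in the points above (checking an email before it is sent and limiting how many addressees can see each other) can be implemented as an outbound check; the following Python is an added example, not part of the original post, and the limit of 10 visible recipients and the two sample messages are constructed assumptions:

```python
"""Outbound e-mail check for exposed recipient lists.

Added example, not from the original post. It implements the control the
post describes: parse an outbound message, count the addresses other
recipients can see (To and Cc; Bcc is hidden from them), and block the
message when that count exceeds a policy limit. The limit is an assumption.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 10  # assumed policy limit, not from the post


def addresses_in(msg: Message, header: str) -> list[str]:
    """Unique, lower-cased addresses from every instance of one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return list(dict.fromkeys(addr.lower() for _name, addr in pairs if addr))


def check_message(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Evaluate one raw RFC 5322 message against the recipient-exposure policy."""
    msg = message_from_string(raw_message)
    visible = addresses_in(msg, "To") + addresses_in(msg, "Cc")
    hidden = addresses_in(msg, "Bcc")
    exposed = len(visible) > limit
    return {
        "visible_count": len(visible),
        "bcc_count": len(hidden),
        "block": exposed,
        "reason": (
            f"{len(visible)} addresses visible in To/Cc exceed the limit of {limit}; "
            "move them to Bcc or send through a mailing tool"
            if exposed else "ok"
        ),
    }


# Constructed sample: a newsletter with every resident listed in To.
_RESIDENTS = ", ".join(f"resident{i}@example.com" for i in range(12))
BULK_TO = (
    "From: news@council.example\r\n"
    f"To: {_RESIDENTS}\r\n"
    "Subject: Newsletter\r\n\r\nBody\r\n"
)

# Constructed sample: same list, addressed to the sender with residents in Bcc.
BULK_BCC = (
    "From: news@council.example\r\n"
    "To: news@council.example\r\n"
    f"Bcc: {_RESIDENTS}\r\n"
    "Subject: Newsletter\r\n\r\nBody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("to", BULK_TO), ("bcc", BULK_BCC)):
        print(label, check_message(raw))
```

Run as a pre-send hook or on a copy of the outbound mail queue; the first sample is blocked because 12 addresses are visible, the second passes because the residents sit in Bcc.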

Data breaches happen all the time; it is what you do as a result of one which will be of interest to the ICO.

If you would like to discuss any aspect of the above, please contact me at lesley@audit-and-risk.co.uk or give me a call on 07828 124588. I look forward to hearing from you.

Saturday 4 October 2014

How many Data Protection Breaches have leaked your information this week?

We all take for granted that our personal information is secure, don't we?

This week there have been a few data breaches where my information has been accessed or provided to someone who shouldn't have it. Most worrying was a professional body, to which I belong, who emailed the names and email addresses from their membership database to an outside email address. It's good that the disclosure was identified and that the organisation contacted me to let me know, but how did it happen? Why would a membership database need to be emailed to another individual? Most organisations now have some form of CRM so why didn't the person who needed the information already have access to it?

The other breach was where an organisation emailed a group of people and failed to hide the email addresses of the recipients from the other people being emailed. A simple thing but now all those other people have my email address and I didn't agree to that. Also it usually results in a load of spam emails. This breach could have been easily avoided by using the bcc option in the email.

So what did I learn? The professional body took the correct steps to report the breach to the Information Commissioner, kept me informed about the action they had taken and explained how the breach came about. This improved my confidence in them because they did quickly realise that they had made a mistake.

The other organisation didn't have a clue that they had breached the Data Protection Act. Apparently they have always done it this way and didn't know that there was a requirement to get permission to share this information. What will they do in future? I have no idea but the fact that they didn't have a clue about the requirements of the Act did not inspire confidence.

The Data Protection Act has been around since 1984, so there are no excuses for not being aware of it or what's required to comply with it. If you need some help or advice to ensure you comply, please contact me at lesley@audit-and-risk.co.uk. I would be very happy to help.

Sunday 21 September 2014

Are you protecting your customer information?

One of the most valuable things a company has is its information on customers and clients. Most businesses have information about past customers but also a potential pool of future customers through a mailing list.

So you have details which are valuable to your business but how secure is that information?

Can a member of staff download your customer database onto a memory stick?

Would you know that it had happened?

Can a member of staff email your database to themselves or someone else?

The ICO can prosecute staff who send emails containing personal information. A paralegal was sending himself emails containing personal information about clients before he left one law firm to join another; the ICO prosecuted.

A car rental manager was prosecuted for selling information about customers who had had an accident to a claims company. The car rental company picked up an irregularity and reported it to the ICO.

People are concerned about the security of their information and want to do business with organisations that hold their information securely and don't share it with other organisations. Do your systems ensure that your customer information remains yours and that you know who has access to it at any time?

If you are concerned about your data security contact me at Audit & Risk Professionals and I will be happy to talk you through how we can help.

Sunday 7 September 2014

Data Protection - your access rights.

I have been giving some talks recently on the Data Protection Act, and something that is mentioned frequently is the Data Protection Act being used as an excuse not to provide information requested. Often people do not realise that they can request to see the information any organisation holds on file about them, and the most the organisation can charge for this service is £10. So when you think a company has inaccurate information about you, or you want to know where it collected your information from, make the request.

An organisation then has 40 days to respond to your request. If the information is particularly difficult to collate they should explain this to you; they may also ask which specific information you are requesting. If the request is soon after a previous request they can refuse to provide the information on the basis that there would be no fundamental change.

If you need any advice, give me a call at Audit & Risk Professionals on 07828 124588 and I'll do what I can to help.

Monday 19 May 2014

Top IT security threats

The Information Commissioner's Office has recently issued a report on the top IT data security threats which have led to data breaches and monetary penalties for the companies involved.

The top eight computer security weaknesses highlighted in the report are:
  • a failure to keep software security up to date;
  • a lack of protection from SQL injection;
  • the use of unnecessary services;
  • poor decommissioning of old software and services;
  • the insecure storage of passwords;
  • failure to encrypt online communications;
  • poorly designed networks processing data in inappropriate areas; and
  • the continued use of default credentials, including passwords.

The report is not aimed at IT professionals and is an easy read, highlighting the most common errors organisations make with some good examples.

Monday 5 May 2014

How to collect personal information

When you collect personal information, whether it is about staff, customers, volunteers, or potential customers you must tell them how the information will be used and give them (in most cases) the opportunity to opt out.

The easiest way to do this is to put a "disclaimer" at the bottom of any forms. You need to be clear about the wording, as this states what you plan to use the information for. You also need to be consistent with any opt-in or opt-out boxes.

If you are collecting information over the phone you still need to ask permission, and when adding the information to your database you should record the date and method of agreement. This is so that in future, if someone asks where you got their information, you have a record of it.

If you need help with the wording for a disclaimer, please contact me at Lesley@audit-and-risk.co.uk or 07828 124 588.

Sunday 27 April 2014

Should you be registered?

The Data Protection Act came into existence in 1984 and was updated in 1998. It is a complex piece of legislation with lots of requirements to it, not the easiest read! The legislation has therefore been about for 30 years, so pleading ignorance of its requirements isn't really going to be a defence.

So do you need to register with the Information Commissioner's Office (ICO)? If you keep personal information for anything other than producing accounts, then the answer would be yes. For example, if you have a mailing list, then you need to register. If you have client records beyond those needed for accounts information, then you need to register. If you keep health information about clients, then you need to register. There are a whole host of professions which should be registered.

There is a simple assessment tool on the ICO website which will help you identify whether you need to be registered or not. http://ico.org.uk/for_organisations/data_protection/registration/self-assessment. Registering will cost you £35 and has to be updated annually.

Failing to register is a criminal offence and you can be prosecuted. Recently Becoming Green UK were fined £597 for not being registered, and the business owner was also fined £597 and convicted for allowing the company to unlawfully process personal data without notifying the ICO (section 61 of the Data Protection Act). In total, failing to register cost the owner £1194 and a criminal record, in addition to the bad publicity that has been incurred.

Clients are getting more sensitive about how their information is collected and used. Companies that take care of the information, explain how it is being used and provide detail as to how it is being shared are more likely to be respected and receive repeat business.

If you want to have a discussion about being registered (or not), contact me at lesley@audit-and-risk.co.uk or phone me on 07828 124588.