Sunday 20 December 2015

Data loss - the obvious ways your business can avoid it

The top reasons cited for data loss from small businesses aren’t international hacking or grand-scale cybercrime - they are obvious, easily rectified things that would have been avoidable with a little advance attention to detail, proper training and a staff data security policy.

According to surveys, a staggering figure of more than 78 per cent of organisations worldwide report that they have suffered one or more data breaches in just the last two years. If you want to avoid your business being affected by careless data loss, you need to make sure that all employees - including you - are fully aware of the risks.

Surprisingly, one of the top reasons businesses lose data is that many employees (and their managers) still don’t understand the importance of not opening unexpected or suspicious attachments or clicking links embedded in spam emails. Other basic lapses, such as leaving systems unattended, visiting restricted websites and not changing passwords regularly, also put critical business data at risk from data-stealing cybercriminals and malicious insiders.

It’s estimated that cyber criminals steal as much as US$1 billion a year from SMEs in the US and Europe. This is partly down to inadequate or poorly enforced data security policies, which leave companies at risk of losing vital and sensitive data and cost money through lost productivity and revenue - and, if the breach becomes public, damage to the business’s reputation too.

Working from home and being able to take work out of the office makes working life easier, but it can be a nightmare for data security. With an estimated 56 per cent of employees reporting that they very frequently or frequently store sensitive data on their laptops, smartphones, tablets and other mobile devices, the chances of confidential information getting lost or falling into the wrong hands are very high. Protecting data on mobile devices can be as simple as encrypting it and/or password protecting it. That won’t stop the devices being lost, but IT administrators will be able to selectively remove sensitive encrypted data, and the chances of someone using it maliciously are much smaller if it isn’t possible to get straight into any files that may be sensitive.

Do you back up your data on a regular basis, or just when you remember? Regular backups are a vitally important part of a good data security policy, so make them a scheduled daily or weekly task, and automate them if possible so that they don’t get missed. Without an automated backup and recovery strategy in place, your business may well be devastated if the worst happens. If you want to avoid unnecessary downtime, loss of revenue and more in the event of a serious incident, you need a contingency plan in place at all times.

Lastly - even if you have a top-notch data security policy, it’s of no use unless you enforce it.
If you need advice on up-to-date data security procedures and policies that keep your sensitive data safe, or want to know more about staff training, contact me and I will be delighted to provide you with guidance and advice.

Sunday 13 December 2015

Email, your biggest problem? - it could be!

I had a query from a client this week regarding a subject access request from one of their employees. The employee had resigned and subsequently put in a subject access request for emails mentioning them in the previous six months. The client's belief is that the employee is hoping to find something in the emails which will show some prejudice against them by their manager.

As knowledge of the Data Protection Act increases, the many uses of it are being explored for lots of different reasons. It is increasingly being used by disgruntled employees to seek information which would support a claim for unfair treatment.

Regardless of whether the employee is right or not, every business should consider the consequences of staff putting comments or opinions of any sort into an email, unless it is a professional opinion which can be backed up.

So what's the upshot of this case? If there is anything that is contentious in the emails, the employee may have a case against the organisation and resolving that could be a costly exercise both in terms of time and money. How many organisations can afford to defend a claim in these circumstances?

Ultimately, this is about ensuring that staff have adequate training so that they are not putting themselves or the organisation at risk of litigation. The cost of training staff in email etiquette is minimal compared with what might have to be paid out in compensation or legal defence costs. Contact me if you would like to talk about our training programmes.

Sunday 6 December 2015

Are you leaving your information lying about - literally in this case!

When you’re entrusted with sensitive information about clients and customers, you owe them a duty of care. This means that you should look after their data properly, and not, like a Welsh home care provider in 2013, accidentally drop their files on the pavement and leave them there.

The Neath Care organisation was found to have breached Data Protection Act regulations after the files of 10 vulnerable and elderly people were found lying on a street in Neath, Port Talbot. The paperwork contained details about some of the people being cared for by the company, including sensitive health-related information, individual care plans and more.

An investigation by the Information Commissioner’s Office (ICO) into the incident in August 2013 revealed that Neath Care had failed to provide their workers with any training or guidance about how to deal with sensitive data, or how to ensure that clients’ personal information was properly handled and kept secure when it was taken outside of the office.

The investigation also revealed a lack of basic monitoring at Neath Care, which meant the company only realised they had mislaid the paperwork after a member of the public reported it to them.

The ICO Assistant Commissioner for Wales, Anne Jones, said: “Nobody expects to find their sensitive personal information lying on the pavement. Taking this type of information outside of the office is an inherent part of running a home care provider. But, the fact that Neath Care did not account for this fact by providing their staff with guidance on how to handle information in this setting, is alarming.
The provider must now improve their practices in order to protect the vulnerable people they serve. This will include introducing new guidance and training for their staff to make sure people’s information is kept secure and introduce a procedure for keeping a track of when personal information is taken off site.”

What would you do if you lost important and/or sensitive personal information like this? Would you know about it straight away? Do you have policies in place informing staff members how they must take care of information that’s taken out of the office environment, either in hard copy files or on a computer or memory device?

To avoid getting into this sort of situation, and potentially being fined by the ICO, it’s vital that all businesses have a policy for dealing with sensitive material. If you’re unsure of how to protect your data, what to include in your staff policy or how to train your staff, contact me and I will be delighted to provide you with guidance and advice.

Sunday 29 November 2015

What is your process for checking outgoing email attachments?

This case really showcases the importance of keeping track of all of the information that leaves your business!

On 2 August 2011 a member of the public reported that they had received an email from HMP Cardiff with a file accidentally attached that contained the details of 1,182 inmates. As if that wasn’t bad enough, it wasn’t the first time the mistake had been made - on 4th and 5th July 2011 the prisoner details had been sent to two other unintended recipients, who hadn’t yet contacted the data controller or the prison.

A total of three emails with the attachment had been sent to three different individuals while a new prison booking clerk was arranging prison visits. The clerk had only meant to email a family member about a visit but had accidentally pasted the text file in as an attachment. All three mistakes were made by the same clerk, doing the same thing by accident. Because the file had to be manually cut and pasted onto a disk on a daily basis, and then saved onto a database, the paste action picked up the last file from the clipboard instead of the correct one and sent the sensitive data - three times.

Once the mistake had been discovered, the police became involved and each recipient was asked to confirm in writing that the message had been deleted and not shared. The police even accessed their email accounts to make sure that it had been fully deleted.

HMP Cardiff has since put in place measures to stop this ever happening again: existing training and ongoing support is now topped up with monthly checks, and the data transfer procedure has been changed so that an encrypted memory stick is used for data transfer rather than a disc. Instead of copying and pasting the file to the stick, staff are told they have to locate the text file and use the ‘send to’ function, which stops it being left on the clipboard to be pasted where it ought not to be.

Most of us would cringe, just thinking about a mistake like this - how many times have you attached the wrong document to an email or not attached it at all? When you’re dealing with sensitive data though, the repercussions can be extremely serious. The National Offender Management Service was fined £140,000 for the breach.

This error, made by an inexperienced member of staff, would not even have come to light if the third person who had received it hadn’t realised the seriousness of the mistake and reported it. Is it possible that this sort of thing could happen to you? What measures do you have in place to prevent sensitive data being accidentally shared with the wrong people?
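One technical measure of the kind the question above asks for, as an added example that is not code from the original post or from HMP Cardiff: a small outbound gate that inspects a message before it is sent and blocks any attachment that looks like a bulk record list whenever a recipient is outside the organisation. The internal domain, the record layout, the threshold and the sample records are constructed assumptions for illustration only.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed assumptions: the internal mail domain, a record layout of
# "reference,surname,forename" per line, and a limit for external mail.
INTERNAL_DOMAIN = "prison.example"
RECORD_RE = re.compile(r"^[A-Z]\d{4}[A-Z]{2},", re.MULTILINE)
BULK_THRESHOLD = 20


def external_recipients(msg):
    """Addresses in To/Cc/Bcc that are not on the internal domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def count_records(data):
    """Number of lines in an attachment that match the record layout."""
    return len(RECORD_RE.findall(data.decode("utf-8", "replace")))


def check_outbound(msg):
    """Return [(filename, record_count)] for attachments that must not leave.

    An empty list means the message may go. Only mail with an external
    recipient is inspected; internal transfers are not in scope here.
    """
    if not external_recipients(msg):
        return []
    blocked = []
    for part in msg.iter_attachments():
        n = count_records(part.get_payload(decode=True) or b"")
        if n > BULK_THRESHOLD:
            blocked.append((part.get_filename(), n))
    return blocked


def build_message(to, body, attachment=None, filename=None):
    """Constructed helper: a visit-booking style message, optionally with a file."""
    msg = EmailMessage()
    msg["From"] = "visits@" + INTERNAL_DOMAIN
    msg["To"] = to
    msg["Subject"] = "Visit booking"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="text", subtype="plain",
                           filename=filename)
    return msg


# Constructed sample: 25 fake records in the layout above, the kind of file
# a stale clipboard could drop into the wrong message.
SAMPLE_RECORDS = "\n".join(
    f"A{1000 + i:04d}AB,Surname{i},Forename{i}" for i in range(25)).encode()
```

A gate like this complements, rather than replaces, the procedural fix described above: it catches the case where the wrong file still ends up attached, and its result can be logged so that a repeat of the same mistake is noticed on the first occasion, not the third.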

Do you have a contingency plan in place for emails, and for protecting sensitive information? If you need advice on procedures and policies that keep your information safe, contact me and I will be delighted to provide you with guidance and advice.