Sunday 28 February 2016

Bring your own device - and don’t lose data



Working from home and being able to take work out of the office makes working life easier, but it can be a nightmare for data privacy. With an estimated 56 per cent of employees reporting that they frequently or very frequently store sensitive data on their laptops, smartphones, tablets and other mobile devices, the chances of confidential information being lost or getting into the wrong hands are very high.

Bring-Your-Own-Device (BYOD) is part of the modern workplace. It is becoming more and more normal for business information to be stored on, or accessed from, devices that are not fully controlled by IT administrators, and the risk of data breaches caused by personal devices that aren't properly protected is rising with it.

Protecting business information on mobile devices can be as simple as encrypting files and requiring a passcode to unlock the device. That won't stop devices being lost, but IT admin will be able to selectively remove sensitive encrypted data, and the chances of stolen information being used maliciously are much smaller if there is no straightforward way into any files that may be sensitive. Note that on most smartphones the storage encryption key is derived from the lock-screen passcode, so a weak or absent passcode undermines the encryption itself. The issue is clouded when the device belongs to the employee rather than the business, however.

Most businesses think nothing of allowing employees to use their own devices to access email, office calendars and contacts, so a strong BYOD policy is vital if company information is accessible on the go via personal devices.

Which devices are allowed?
It’s up to you to set the boundaries and specify what’s acceptable. If you only want to support employees’ personal Android devices and not iPhones or iPads, or vice versa, make that policy and stick to it. 

Enforce strict security rules
People don't like complicated passcodes and lock screens: they get in the way of fast access to their devices, and longer, more effective passcodes are also easier to forget. If staff are using their own mobile devices for work, however, you can't afford to leave them on a swipe-and-go setting. If your staff members want to use their own gadgets for work too, they will have to accept that a strong passcode is the price of that convenience.

Banning apps
This applies to corporate devices as well: social media and browsing apps, email applications, and VPNs or other remote-access software all need careful consideration when you're formulating a data protection policy. Although the devices are people's own, they will have to accept business constraints if they want the convenience of using them for work, and that includes not using apps or settings that could compromise data security.

Businesses also need to consider what happens when an employee leaves the company: you need an agreed policy in place allowing you to revoke access tokens, remove e-mail and data, and withdraw any other access permissions from the device.

Does your organisation have a BYOD policy? Do you have permission from your employees to delete information from their personal devices remotely when they leave, or if a device is lost or stolen? What safeguards are in place to ensure that staff don't store sensitive information on their personal devices? If you need advice on setting BYOD policies that keep your sensitive data safe, contact me and I will be delighted to provide you with guidance and advice.


Sunday 21 February 2016

9 cybersecurity fixes for businesses on a budget



For small businesses, a data breach can be expensive; it could even cost you your business. Some studies estimate that around half of companies are forced out of business within six months of a cyber breach.

An unfortunate trend is that smaller businesses are increasingly the targets of cybercrime; it's not just major companies that are being held to ransom by hackers. It doesn't help that many smaller businesses rely on third-party services and ever-growing amounts of computer equipment, both of which widen the attack surface.

It's the big companies that make the headlines, but this can lull smaller businesses into a false sense of security when in fact they are most at risk: more than 80 per cent of breaches are estimated to happen to small businesses. But with limited resources, how can you effectively secure your business against cyber threats?

Some of the solutions are obvious; for example, it is estimated that 90 per cent of attacks can be avoided by basic measures such as firewalls, changing default passwords, VPNs and two-factor authentication. In addition, there are a few quick security fixes you can easily put in place to make sure everyone in the business does their bit to avoid a potentially devastating security breach.

1. Update your PC
Out-of-date software may no longer be supported or patched, leaving it open to known vulnerabilities. If you have any computers still running Windows XP, for example, get them upgraded: security updates for Windows XP ended in April 2014.

2. Train your staff
Have a clear data protection policy in place and make sure everyone understands what they can and cannot store on their personal computers and devices.

3. Keep sensitive data protected
Don't use the same computer for storing sensitive data that you use for checking office email or surfing the web; keep a dedicated machine just for that purpose, so that a phishing email or malicious website cannot reach the data directly.

4. Review your stored information
Review the information that’s stored on your server(s) on a regular basis and make sure that confidential or financial data is properly protected.

5. Keep PCs well protected
Check that all your office PCs, laptops and tablets have automatic software and antivirus updates enabled, and keep firewalls switched on.

6. Plan ahead
Put together a backup and recovery plan, including who you need to call to arrange restoring from offsite backup if the worst happens, whether that's hackers, a fire or flood, or physical theft of equipment. Test that your backups actually restore; an untested backup is not a backup. Keep a record of insurance policy details and what those policies actually cover.

7. Do your homework
Keep a close eye on your computer logs and review them regularly, as they will prove valuable during an incident. Well-maintained logs help you understand what your computers normally do, which lets you spot an intruder before they cause any damage. Send copies of logs to a separate machine or service, so that an attacker who compromises one computer cannot simply delete the evidence.

8. Consider using a managed security service
Managed security services give you an extra layer of protection, and peace of mind that your business is as well-protected as a larger firm.

9. Support knowledge sharing
If we all share actionable information about cyber breaches, security experts get a clearer picture of the threats that exist. Knowing what's out there lets them build an analytic approach that reflects the real risk of cyber threats.
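As an added example of the kind of review item 7 describes (this is not code from the original post), here is a small Python script that does the "what do my computers normally do" comparison on constructed sshd-style log lines. A quiet period builds a baseline of which source addresses each user normally logs in from; a later batch is then flagged for bursts of password failures from one address, for successful logins from an address never seen for that user, and for a success that follows such a burst. The log format, hostnames, addresses, usernames and thresholds are all assumptions for illustration.

```python
"""Baseline-and-deviate review of sshd-style auth log lines (illustrative example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the hypothetical log lines below; it is close to OpenSSH syslog
# output, but a real deployment must use a pattern matching its own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed "quiet week" used to learn normal behaviour.
BASELINE_LOG = """\
Feb  1 09:02:11 fileserver sshd[1201]: Accepted publickey for alice from 10.0.0.12 port 51234 ssh2
Feb  1 09:15:40 fileserver sshd[1222]: Accepted password for bob from 10.0.0.31 port 51400 ssh2
Feb  2 08:58:03 fileserver sshd[1310]: Accepted publickey for alice from 10.0.0.12 port 51300 ssh2
""".splitlines()

# Constructed later batch containing a password-guessing burst that succeeds.
NEW_LOG = """\
Feb  8 03:14:01 fileserver sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Feb  8 03:14:03 fileserver sshd[2002]: Failed password for root from 203.0.113.9 port 40002 ssh2
Feb  8 03:14:05 fileserver sshd[2003]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Feb  8 03:14:07 fileserver sshd[2004]: Failed password for bob from 203.0.113.9 port 40004 ssh2
Feb  8 03:14:09 fileserver sshd[2005]: Failed password for bob from 203.0.113.9 port 40005 ssh2
Feb  8 03:14:12 fileserver sshd[2006]: Accepted password for bob from 203.0.113.9 port 40006 ssh2
Feb  8 09:01:55 fileserver sshd[2050]: Accepted publickey for alice from 10.0.0.12 port 51500 ssh2
Feb  8 12:30:00 fileserver sshd[2100]: Connection closed by 10.0.0.31 port 51600
""".splitlines()


def parse(lines, year=2016):
    """Yield (timestamp, result, user, ip) for matching lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event (e.g. "Connection closed")
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def build_baseline(lines):
    """Map each user to the set of source IPs seen in successful logins."""
    baseline = defaultdict(set)
    for _, result, user, ip in parse(lines):
        if result == "Accepted":
            baseline[user].add(ip)
    return baseline


def _recent(bucket, now, window):
    """Drop failure timestamps older than the sliding window."""
    while bucket and now - bucket[0] > window:
        bucket.pop(0)
    return bucket


def review(lines, baseline, fail_threshold=5, window=timedelta(minutes=2)):
    """Return (kind, ip, detail) findings for the batch of log lines."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed attempts
    for ts, result, user, ip in parse(lines):
        bucket = _recent(failures[ip], ts, window)
        if result == "Failed":
            bucket.append(ts)
            if len(bucket) == fail_threshold:  # fires once per burst
                findings.append(("brute-force", ip,
                                 f"{fail_threshold} failures within {window}"))
        else:  # Accepted
            if ip not in baseline.get(user, set()):
                findings.append(("new-source-login", ip,
                                 f"user {user} never seen from this address"))
            if len(bucket) >= fail_threshold:
                findings.append(("success-after-brute-force", ip,
                                 f"user {user} logged in after a failure burst"))
    return findings


def run_example():
    """Run the review over the constructed logs and return the findings."""
    return review(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for kind, ip, detail in run_example():
        print(f"{kind:26} {ip:15} {detail}")
```

Against the constructed batch the script reports three findings, all for 203.0.113.9: a failure burst, a login for bob from an address he has never used, and that the login followed the burst. Alice's morning login from her usual address produces nothing, which is the point of the baseline. The threshold and window are starting values to tune against your own logs, and the baseline must be learned from a period you are confident was clean.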

Do you have a security policy in place? If you’re unsure of how to protect your data, contact me and I will be delighted to provide you with guidance and advice.

Sunday 14 February 2016

Help, it's all gone Pete Tong (wrong)! What to do when a data breach happens.

I was at a conference the other day where the speaker said that information security is low on the list of a company's priorities until it goes wrong. There was a discussion about TalkTalk and how the weakness in their cyber security was well known in IT circles. How much would it have cost TalkTalk to make the necessary changes to the system? I am guessing significantly less than the £80m it has cost them in the four months since the breach.

So what is a data breach? Simply put, it is when personal information ends up somewhere it isn't supposed to be. The big breaches that hit the press involve lots of people's information, but in smaller companies it can be as simple as a letter intended for one person being sent to someone else, a spreadsheet being sent to the wrong email address, or a fax being sent to the wrong number. Your organisation should not wait until it loses lots of information before it takes action. Each breach is an indication that something is wrong with your systems, whether that is the process followed, the equipment, or a failure to train the individual. Learn from it.

A report by PwC shows that almost all businesses had experienced at least one data breach incident in the past year, with 90% of large organisations and 74% of small businesses reporting a security breach in the survey. In addition to the reputational damage and the cost of fixing the weakness, there is the disruption to the business.

The most costly breaches are malicious or criminal attacks, such as hacking.

Negligent employees are the top cause of data breaches.

In many organisations the same personal information is available to a number of different departments. This increases the potential for a breach, as more staff have access. Personal information is a valuable business asset, yet we don't always treat it that way.

So what happens when it goes wrong and there is a data breach?

Here's your basic action plan:
1 - Can you get it back? Do you know where it is and can you retrieve it?
2 - Do you know what information has been breached, who it is about and what the information was? You will need to consider whether the information that has been released could cause damage or distress to the individuals concerned. You may then need to contact the affected individuals and inform them of the breach. You may also need to notify the ICO (the Information Commissioner's Office).
3 - Investigate and remedy how the breach occurred so that further breaches are avoided. This may involve specialist advice or skills.
4 - Contact the police if applicable.
5 - Continue to update those who need to know with information about the incident.
6 - Create a policy which shows how you will handle a loss of data. This helps everyone understand what they should be doing.
7 - Train your staff in data protection compliance so they understand the importance of good data management and security.

Please remember that these are the basics, I would always advise that you seek professional advice for your circumstances. Remember you have already made a mistake by losing the information, don't compound it by not dealing with the breach correctly.

If you would like to discuss your data protection arrangements then please get in touch. 

Sunday 7 February 2016

What's your score out of ten?

The ICO has recently issued an enforcement notice to the Alzheimer's Society for various breaches of the Data Protection Act. There are 10 issues which the Alzheimer's Society has six months to remedy. Although these must be actioned by the Alzheimer's Society, they apply to all businesses processing personal information. So here is the test: how many are you already doing?

1. Information is not kept for longer than necessary. Do you have a process in place to identify information which is no longer necessary and can be destroyed? Do you have a retention policy and a secure method of destroying all information that is no longer required?

2. There is mandatory data protection training for staff (and volunteers) who have access to personal information and refresher training at least every two years.

3. The training that is undertaken is monitored and recorded. You should be able to identify the staff who have attended and what the training course covered.

4. Policies and procedures relating to data protection and information governance are brought to the attention of staff (and volunteers) who have access to personal information. Do you have comprehensive data protection policies and procedures and can you demonstrate that they have been effectively communicated to all those staff (and volunteers) who have access to personal information?

5. Portable and mobile devices, including laptops, mobile phones, memory cards and other portable media used to transmit and store personal data whose loss could cause damage or distress to individuals, are all encrypted using encryption software which meets the current standard or equivalent.

6. Secure email accounts are provided for all staff (and volunteers) who use email to transmit personal information. This means a business account is available for all staff (and volunteers) and they are not using their personal email accounts for business purposes.

7. Secure storage is available for staff (and volunteers) who need to hold hard copy records which contain personal information. Is there lockable filing space for hard copy records?

8. Penetration testing is undertaken on the website on a regular basis and any weaknesses highlighted are remedied.

9. Appropriate security is implemented to protect information from being disclosed to those who do not need access to it, including staff members, contractors, visitors and volunteers. This covers passwords, lockable cabinets, encryption, etc.

10. Where processing of personal information is carried out on your behalf, for example by a subcontractor (IT support, HR, payroll, etc.), you must have a written contract in place which clearly states that the subcontractor will take steps to protect the information from accidental loss, damage or destruction. The contract should also cover the role of the subcontractor, what they can do with the information, what happens when the information is no longer required, and that they will only act on your instructions. Make sure that any contract you enter into clearly states where the responsibility for data protection lies.

So what's your score? How many of the above do you need to action to protect the personal information you hold and your company's reputation?