We supported SHL to run a compliant collective consultation process, following the need to...
Many people rejoiced on May 25th thinking talk of GDPR was finally over. However, despite the EU’s regulation coming into force, many companies are still struggling to secure their data against an ever-growing range of threats.
It’s estimated over 7 million data records are compromised each day and news of high profile breaches have been well documented with the likes of British Airways, Butlin’s and even the British Government falling victim.
And it’s not just organisations beginning with the letter B! Statistics show that self-reported data breaches to the ICO have increased more than 29% over the past year and these are 7 times more likely to be caused by human error than hackers. Small businesses are also the most likely victims, representing 58% of all cases.
We’ve highlighted the most common types of data breaches you should be aware of and the measures you can put in place to help prevent them:
1. Cyber-attack/criminal hacker – With technical advances, the ways in which cyber-criminals attempt to gain access to IT systems are becoming far more sophisticated and cunning. For most businesses it is not obvious that an attack has taken place until significant damage has been done or it comes to light by some other means (media, data subject, ICO). Cyber-attacks come in many forms and can include the denial of service (as per the NHS case), vicious malware to tie up systems and password attacks to intrude.
Prevention tips: Carry out a systems security audit, ensure you have up to date hardware and software, strong encryption, regular training and awareness for ALL staff on identifying attacks and minimising further risks.
2. Employee negligence/error – This can be something as simple as including the wrong person in the Cc field of an email, not checking recipients before sending sensitive data, attaching the wrong document to an email, losing devices and files or complacency when uploading/transferring data. We all make mistakes but your staff should understand the most important elements of your own information security and be familiar with your security awareness policies and procedures.
Prevention tips: Awareness amongst teams is key, along with robust governance policies and procedures, regular reviews and adopting a transparent open and honest culture of reporting errors early in order to learn rather than punish.
3. Insider threat - Employees know how your business functions, how sensitive and important information is accessed and what, if any measures you have in place to protect data.
Prevention tips: Appropriate and realistic training, security protocols to protect data and mitigate risk. Review and update awareness and governance policies, agreements and processes.
4. Phishing - Emails and similar messaging are now a common and necessary part of our working activities. These are the most popular target for criminals and yet most users remain complacent relying heavily on a business’s technical resources to protect them. Criminals are becoming more inventive and adopt seemingly legitimate credentials of companies such as insurers, banks, etc. mirroring email addresses making it harder to spot. They need to gain access to systems and data by simply encouraging you to click a link or download a malicious attachment – often disguised in zip files or disguised links to sites. Most businesses have experienced this type of attack previously and this is a high risk area.
Prevention tips: Ensure employees are not clicking on any unexpected attachments or sites, use up to date spam and firewall protection, deploy training and awareness.
5. Physical theft/exposure - Physical exposure or theft of data is an important threat. A data breach can be caused by the improper disposal of sensitive information – using a rubbish bin instead of shredding, not wiping drives or devices, discarding old data storage such as discs and USB’s without checking, leaving confidential documents in plain sight of visitors or unauthorised staff, or losing a mobile device such as a phone that can give access to data.
Prevention tips: Review security protocols, maintain asset lists and data inventories, encourage open reporting of concerns, check disposal processes/suppliers.
6. Ransomware - A type of malicious program that demands payment after being activated on a computer system (again, as seen with the NHS case). If the organisation fails to comply with any demands, essential data may be destroyed. Ransomware is normally inadvertently installed by a complacent user of the network or by weak and vulnerable software and security systems.
Prevention tips: Training and awareness, regular updates, incident reporting processes, firewalls and filters, monitoring and 3rd party controls.
7. Unauthorised access - Access controls both physical such as locks and virtual such as user profiles are designed to stop certain information from being seen by the wrong people. Any breach of these controls means that someone has gained unauthorised access to sensitive data, or potentially compromised business critical information.
Prevention tips: Secure devices when unattended, regularly review user profiles and activities, use event logs and monitoring to identify anomalies in access, lock and secure cupboards and storage devices containing sensitive data, review controls and check all visitor/3rd party/ supplier access to data (where is the backup?)
In summary, all employees are responsible for protecting the business from malicious attack. At Outset UK, we encourage a culture of early, open and honest reporting as soon as staff become aware, suspicious, or subjected to any of the above. This then becomes a priority and a matter of urgency for the responsible staff to allow the appropriate steps to be taken to mitigate any potential or further loss/damage/risk to the business. Encouraging this open and early recording of all potential breach activities, supported by realistic training and awareness to staff, we feel enhances our ongoing information and security protection and continues to raise internal awareness of the risks.
Outset UK has legal and operational expertise in all areas of data protection - including breaches, access requests and risk assessment and can review and advise on information governance policies/processes. We are more than happy to provide advice and support to your business ensuring you have the correct measures in place. Please contact kevin.nolan@outsetuk.com if you’d like to hear more.