MATHEW THROWER, APPLICATION DEVELOPER
Imagine you owed a faraway friend some money and they’d asked you to pay them back. What you’d do, of course, is send them a wad of cash in a flimsy transparent envelope using a little-known, unregistered postal service. No? Yet this is effectively what thousands of people are still doing with their data every single day.
Not all data is worth money, of course, but it’s surprising what has value outside your business. When criminals break into websites they know the most sensitive data, such as passwords, will usually be stored hashed or encrypted rather than in the clear. But the haul is still useful to them, because simple details like names, email addresses and postal addresses have value when sold en masse. Spammers, scammers and identity thieves all put them to use.
Even if that’s not enough to give you pause for thought, there are legal consequences to consider. In the UK, data protection law treats the proper handling of personal data as part of an individual’s right to privacy. Failure to secure this data leaves you open to enforcement action and a large fine. In 2015 the Information Commissioner’s Office (ICO) levied a total of £2,031,250 against non-compliant companies. When the European General Data Protection Regulation (GDPR) comes into force in 2018, these penalties could become much more severe. The maximum fine under the new rules is twenty million euros or 4% of global annual turnover for the preceding financial year, whichever is the greater.
Both these consequences apply even if you’re not dealing with large-scale name and address data. Your internal business data has huge value to your competitors, and cyber criminals know it. What company doesn’t have at least some finance and HR data lying around? Although not on the same scale as mailing list data, it still has value and it’s still covered by data protection law. Last year, for example, an employee of the supermarket chain Morrisons leaked the personal details of thousands of staff.
In light of all this it seems incredible that people still make light of data security. It ought to be high on the priority list for any organisation, yet it’s often still treated as an afterthought, dismissed as something that only happens to other people. Putting money into a plastic wallet, entrusting it to a stranger and hoping for the best isn’t good financial practice. If data has cash value, why give it different treatment?
Many businesses worry that they can’t secure data because doing it in-house is too demanding, too technical or too costly. If that’s the case, there’s one easy step toward getting on the right path: make sure you’re dealing with organisations which, like Response One, are certified to ISO 27001. That is the international standard for an information security management system, and certification means an independent auditor has examined the organisation’s controls. So you can be confident that certified organisations have the procedures and knowledge to manage data security. Not only can you trust such people with your data, they will often help you secure it for yourselves, too.
In truth, though, the attitude that it’s too hard to do for yourselves is a little outdated. Information security professionals are keenly aware of the threat and have been working hard on solutions that are easy to understand and implement. It may be easier than you think to put basic protection in place for your data.
First, make sure your infrastructure is sound. Put your network behind a firewall and get virus scanning software on every computer connected to it. Doing this properly is the job of qualified IT staff, but recent versions of Windows come with these basic protections built in: Windows Firewall, Windows Defender and automatic updates. All you have to do is ensure they’re turned on and left on. It’s not brilliant protection, but it’s much better than nothing, and it’s worth checking periodically that nobody has switched any of it off.
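As an added example (not code from the original article or from Response One), the following PowerShell script checks the three built-in Windows protections just mentioned and, with the -Fix switch, turns them back on. It assumes Windows 10/11 or Server 2016 or later, where the NetSecurity and Defender PowerShell modules ship with the system, and an elevated session; the seven-day signature-age threshold is a choice made here, not a Windows default.

```powershell
# Added example, not code from the original article: audit the built-in
# Windows protections (firewall, Defender, automatic updates) and, with -Fix,
# switch them back on. Assumes Windows 10/11 or Server 2016+ with the
# NetSecurity and Defender modules present, run from an elevated session.
#Requires -RunAsAdministrator

function Test-BaselineProtection {
    [CmdletBinding()]
    param([switch]$Fix)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Windows Firewall: all three profiles (Domain, Private, Public) enabled.
    foreach ($fw in Get-NetFirewallProfile) {
        if (-not $fw.Enabled) {
            $findings.Add("Firewall profile '$($fw.Name)' is disabled")
            if ($Fix) { Set-NetFirewallProfile -Name $fw.Name -Enabled True }
        }
    }

    # 2. Windows Defender: engine on, real-time scanning on, signatures fresh.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled) {
        $findings.Add('Defender antivirus engine is not enabled')
    }
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is off')
        if ($Fix) { Set-MpPreference -DisableRealtimeMonitoring $false }
    }
    if ($mp.AntivirusSignatureAge -gt 7) {   # 7 days is this script's threshold
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
        if ($Fix) { Update-MpSignature }
    }

    # 3. Windows Update: service not disabled and no policy turning updates off.
    $wu = Get-Service -Name wuauserv
    if ($wu.StartType -eq 'Disabled') {
        $findings.Add('Windows Update service (wuauserv) is disabled')
        if ($Fix) { Set-Service -Name wuauserv -StartupType Manual }
    }
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add("NoAutoUpdate=1 under $auKey turns automatic updates off")
        if ($Fix) { Remove-ItemProperty -Path $auKey -Name NoAutoUpdate }
    }

    return $findings
}

$problems = Test-BaselineProtection          # add -Fix to remediate as well
if ($problems.Count -eq 0) {
    Write-Host 'OK: firewall, antivirus and automatic updates are all on'
} else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
}
```

Two caveats when running it: if a third-party antivirus product is installed, Defender steps aside and Get-MpComputerStatus will report it as disabled, so check that product’s console instead; and on machines where Defender’s Tamper Protection is on, Set-MpPreference is refused and real-time protection has to be re-enabled through the Windows Security app.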
Once that’s done, you can turn your attention to the data that lives on your network. Ask yourself whether everything that’s on there is essential to keep; data you no longer hold can’t be stolen. Spring cleaning like this has other advantages: it makes it easier to find important material and saves storage space. Then look at what’s left and make sure that anything you’re concerned about is either archived away out of everyday reach or encrypted under a password. Pretty much any file compression utility, such as WinZip or 7-Zip, can do this, with one caveat: choose AES-256 encryption rather than the legacy ZipCrypto method that older zip tools default to, which can be broken without the password, and use a long, random password, because the archive is only as strong as the password protecting it.
You should do the same with any data that you’re sending around inside or outside the business. Send the passwords separately, ideally over a different channel such as a phone call, and never in the same email as the file. For an extra layer of security when transferring files between companies use SFTP rather than plain FTP or email attachments; it encrypts the data as it travels across the internet. And all those passwords you’re now generating? Record them in a password safe of some kind. There is good, cheap commercial software for this. A password-protected spreadsheet is better than a sticky note, but a dedicated password manager encrypts every entry, generates strong passwords for you and doesn’t get copied around the way an office file does.
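The two preceding steps, encrypting a file under a random password and then sending it over SFTP, as an added PowerShell example that is not code from the original article or from Response One. It assumes 7-Zip is installed at the usual path and that OpenSSH’s sftp.exe (bundled with Windows 10 and later) is on the PATH; the archive name, the HR export file and the host files.example.com are placeholders.

```powershell
# Added example, not code from the original article: encrypt files with 7-Zip
# under a random passphrase before they leave the machine, confirm the archive
# is unreadable without it, then upload it over SFTP. The 7-Zip path, sftp.exe
# on the PATH, and the file and host names in the usage section are assumptions.
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'

function New-Passphrase {
    param([int]$Length = 24)
    # 64-symbol alphabet, so (byte % 64) is unbiased; 24 symbols is ~144 bits.
    # Bytes come from the OS CSPRNG; Get-Random is not cryptographic.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-EncryptedArchive {
    param(
        [Parameter(Mandatory)][string]$Archive,     # output .7z path
        [Parameter(Mandatory)][string[]]$Path,      # files or folders to include
        [Parameter(Mandatory)][string]$Passphrase
    )
    # -t7z    : .7z format, which encrypts with AES-256. Legacy .zip "ZipCrypto"
    #           is broken; if a .zip is required, use -tzip -mem=AES256 instead.
    # -mhe=on : encrypt the headers too, so the file names are hidden as well.
    & $SevenZip a -t7z -mhe=on "-p$Passphrase" $Archive @Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
}

function Test-ArchiveEncrypted {
    param([Parameter(Mandatory)][string]$Archive)
    # With header encryption on, even listing the contents needs the passphrase,
    # so a deliberately wrong one must be rejected (non-zero exit code).
    & $SevenZip l '-pdefinitely-wrong' $Archive 2>&1 | Out-Null
    return ($LASTEXITCODE -ne 0)
}

function Send-OverSftp {
    param(
        [Parameter(Mandatory)][string]$Archive,
        [Parameter(Mandatory)][string]$Destination  # user@host:/remote/dir
    )
    # SFTP runs over SSH, so the file is encrypted in transit; with key-based
    # authentication no second password has to travel anywhere.
    $target, $remoteDir = $Destination -split ':', 2
    "put `"$Archive`" `"$remoteDir/`"`nbye" | & sftp -b - $target
    if ($LASTEXITCODE -ne 0) { throw "sftp failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder paths and host). The passphrase goes to the recipient by
# phone or another channel, never in the same e-mail as the archive.
$pass = New-Passphrase
New-EncryptedArchive -Archive 'C:\out\hr-export.7z' -Path 'C:\data\hr-export.xlsx' -Passphrase $pass
if (-not (Test-ArchiveEncrypted -Archive 'C:\out\hr-export.7z')) {
    throw 'archive could be listed without the passphrase; do not send it'
}
Send-OverSftp -Archive 'C:\out\hr-export.7z' -Destination 'transfer@files.example.com:/inbound'
Write-Host "Archive sent; pass this phrase on out of band: $pass"
```

One caveat: passing the passphrase with -p on the command line makes it briefly visible in the process list on the sending machine. On a shared machine, run 7z a with a bare -p instead and type the passphrase at the prompt 7-Zip then shows.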
It goes without saying that even these simple steps have to be rooted in good practice amongst staff, and good practice amongst staff needs encouragement from senior employees. For that to happen you need to start treating this stuff seriously. Push it up the agenda and make sure everyone at your organisation understands the importance of data security. Otherwise the ICO’s fine statistics for this year could include you.