27th April 2018
Clearly, data is vital for most businesses, but if this private information is stolen or breached it can have deeply damaging consequences. Not only might it reveal important financial and trade secrets, it can damage your company’s reputation and infringe on the privacy rights of your customers, employees and supply chain partners. While this is already a concern for businesses, it’s soon to become more pressing with the introduction of the General Data Protection Regulation on 25 May 2018, which replaces the current Data Protection Act 1998. With fines set to increase significantly, it’s important to guard against data protection breaches – watching out for these pitfalls that could damage your business.
A common method for stealing data, ransomware is malicious software that enables criminals to target your business, capturing vital information and holding it for ransom until you pay for its safe return. This can happen just by clicking on the wrong link or opening a virus-infected file and can lead to your business being paralysed. The best way to avoid ransomware is to have effective firewalls and virus checkers installed. Having a backup server will also enable you to reload your system in the event of it being hijacked – reducing the impact of an attack.
To avoid ransomware, you should look out for emails that appear suspicious, are unexpected, unfamiliar or have inconsistent email addresses (particularly if a different email address appears when you hover a mouse over). Poor grammar, spelling or strange wording can also be an indication of fraudulent activity. If you have suspicions about an attachment or link purporting to be from a contact, call them to double check before opening it.
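The two inconsistencies described above (link text that shows one address while the underlying link goes elsewhere, and a sender display name that carries a different address from the real one) can be checked mechanically before anyone clicks. The script below is an added example, not code from the original article; the sample message and its domains are constructed for illustration.

```python
"""Flag the inconsistencies the advice above describes: anchor text that
claims one host while the href points to another, and a From: display
name showing a different address from the real sender.
Added example, not from the original article; the sample message is constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message; the domains are invented for illustration.
SAMPLE_EMAIL = """\
From: "accounts@example-bank.test" <billing@mail-update.invalid>
To: finance@example.test
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://login.mail-update.invalid/verify">https://secure.example-bank.test/login</a> now.</p>
<p>Or read our <a href="https://www.example-bank.test/help">help page</a>.</p>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL-like string, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def mismatched_links(html):
    """Return (text, href) pairs where the visible text looks like a URL
    whose host differs from the host the link actually goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for text, href in collector.links:
        if not href:
            continue
        looks_like_url = re.search(r"\w+\.\w+", text) and " " not in text
        text_host = _host(text) if looks_like_url else None
        if text_host and text_host != _host(href):
            out.append((text, href))
    return out


def sender_mismatch(from_header):
    """Return (shown address, real address) when the display name carries an
    address whose domain differs from the real sender's domain, else None."""
    display, real = parseaddr(from_header)
    shown = EMAIL_RE.search(display or "")
    if shown and shown.group(0).split("@")[1].lower() != real.split("@")[-1].lower():
        return shown.group(0), real
    return None


def triage(raw):
    """Summarise the suspicious indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    return {
        "sender_mismatch": sender_mismatch(msg["From"]),
        "mismatched_links": mismatched_links(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(key, "->", value)
```

Both checks are deliberately conservative: a link whose text is ordinary words ("help page") is not flagged, and only a display name that itself looks like an email address is compared with the real sender.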
Phishing is a type of fraud that’s often used to target businesses and individuals. It involves someone pretending to be from a company such as a bank, building society or utilities provider, and then asking for your bank details or security information. You should never reveal bank account or security information to someone who has contacted you. If in doubt, call the provider in question and check the request is real before revealing any information.
Spear-phishing uses the same approach as phishing, except where phishing adopts a scattergun approach, spear-phishing is targeted: fraudsters choose a specific individual in order to access information. It can also take place when criminals study the communication style of a business employee and then mimic it to contact clients and obtain their financial details. Effective virus protection can help protect your business. Also, notify all clients that they should only reveal account information to a specific contact within your business in specified circumstances (such as in person or on the phone).
As companies become increasingly mobile and flexible in terms of technology, ‘bring your own device’ (BYOD) describes when employees use their own mobiles, iPads or computers to access their business’s network. Although a useful option to reduce equipment costs and increase mobile working, it can be dangerous if employees’ devices aren’t protected by your company’s security system. Devices should be effectively monitored and managed by restricting employees to certain devices or applications. Those who use their own devices must always have them secured and encrypted by your IT technicians first to ensure the device can’t be compromised or hacked.
A clear pitfall in data security is the possibility that hardware can fall into the wrong hands. With more employees transporting laptops and other mobile devices to and from work, hardware can sometimes be lost or stolen. Without the right security features in place, this can be highly damaging for businesses. To reduce this risk, it’s important to clarify company protocol regarding hardware transportation, and implement safety features that will restrict access if a device is stolen.
Similar to hardware theft, hardware can also be misused. If an employee leaves their desk and fails to lock their computer or mobile device, others could easily walk up and access information. To guard against this, it’s important to make clear in your business policies that all devices should be locked before employees step away from their workstations.
We’ve all seen people working on their laptops or reading printed documents on a train or in a café, while other curious commuters or coffee drinkers peer over their shoulder. This ‘shoulder surfing’ could lead to a serious security breach. As printed or on-screen documents can easily be read by others, it’s vital employees know not to open or read any sensitive information in public to make sure you don’t fall foul of data protection laws – or reveal company secrets.
Failure to correctly dispose of sensitive information is another hazardous data protection breach, and it applies both to printed and online documents. Employees should avoid leaving confidential printouts languishing in bins and should always shred sensitive printed documents rather than tearing them up. Similarly, documents stored on a computer or mobile device should be deleted and then removed from the trash folder to ensure they can’t easily be retrieved.
To ensure data is securely protected, confidential information should have access restrictions. Privilege misuse occurs when somebody accesses information that they shouldn’t. That could be an employee, an external contractor or IT technician. Your company’s network system shouldn’t be available to all; information should be protected with privacy features and only those with a clear need should receive access permissions. You can ringfence sensitive files with passwords – and this is something even small businesses should adhere to in order to ensure employee, customer and other data is protected from privacy breaches.
Similarly, employees should not share each other’s computers and mobile devices as this can undo the efficacy of creating security clearance levels.
There have been a number of well-publicised ‘fat finger’ horror stories in financial services, with employees accidentally executing vast trades by pressing the wrong button on their computer. However, fat finger syndrome can affect any business – whether by ordering an incorrect trade or sending out a sensitive email to the wrong recipient. Having a recall function in your email system can mitigate the latter to some degree, but the best way to combat fat finger syndrome is to embed best practice techniques in your business: adding email addresses only once an email has been proof-read, double checking all recipients, stating confidentiality levels and making clear if emails or attachments should not be forwarded to others.
Ex-employees have in some cases been the instigators of serious data breaches, for example when a former Ofcom employee stole six years’ worth of revenue and spending data and offered it to UKTV. Some employees may feel entitled to take information with them – from contact databases to trade secrets. To prevent this, start by making it abundantly clear in their terms of employment that this is forbidden, and explaining that there may be legal consequences. Once an employee has given notice, you should consider restricting their access to specific data and revoking their access privileges. You can also check whether large amounts of data have been downloaded through their user profile. As a preventative measure, some companies also block USB and firewire ports on PCs and laptops to ensure confidential information can’t be downloaded and stolen.
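Checking whether large amounts of data have been downloaded through a user profile, as suggested above, is a simple aggregation over audit logs. The script below is an added example and not code from the original article; the log format, the sample lines and the volume limits are constructed assumptions, and a real file server or CRM will log in its own format.

```python
"""Aggregate download activity per user from constructed audit-log lines
and flag unusually large volumes, applying a stricter limit to staff who
have given notice. Added example, not from the original article."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value format; real systems differ.
SAMPLE_LOG = """\
2018-04-20T09:01:12 user=alice action=download path=/shared/q1-report.xlsx bytes=204800
2018-04-20T09:05:40 user=bob action=download path=/crm/contacts-export.csv bytes=73400320
2018-04-20T09:06:02 user=bob action=download path=/crm/pipeline.csv bytes=52428800
2018-04-20T09:09:15 user=carol action=login
2018-04-20T10:12:33 user=alice action=download path=/hr/handbook.pdf bytes=1048576
2018-04-20T10:30:00 user=bob action=download path=/finance/pricing.xlsx bytes=31457280
2018-04-20T11:00:00 user=carol action=download path=/shared/template.docx bytes=51200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+) bytes=(?P<bytes>\d+))?$"
)
MiB = 1024 * 1024


def parse(log):
    """Yield a dict per well-formed line; silently skip lines that don't match."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
            yield rec


def summarise(log):
    """Per-user totals: number of downloads and bytes transferred."""
    totals = defaultdict(lambda: {"files": 0, "bytes": 0})
    for rec in parse(log):
        if rec["action"] == "download":
            totals[rec["user"]]["files"] += 1
            totals[rec["user"]]["bytes"] += rec["bytes"]
    return dict(totals)


def flag_bulk_downloads(log, leavers=(), limit=100 * MiB, leaver_limit=10 * MiB):
    """Return {user: reason} for users above the general limit, or above the
    lower limit if they are on the list of staff who have given notice."""
    flagged = {}
    for user, t in summarise(log).items():
        threshold = leaver_limit if user in leavers else limit
        if t["bytes"] > threshold:
            flagged[user] = (f"{t['bytes'] // MiB} MiB in {t['files']} files "
                             f"(limit {threshold // MiB} MiB)")
    return flagged


if __name__ == "__main__":
    for user, reason in flag_bulk_downloads(SAMPLE_LOG, leavers=("alice",)).items():
        print(user, reason)
```

In practice the limits would be tuned from each user's normal volume over a longer window, but the shape of the check is the same: total the bytes per identity and compare against a threshold that tightens once notice has been given.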
Industrial espionage is when an employee or visitor specifically targets your business’ confidential information. Businesses that fall victim to industrial espionage are rarely willing to go public about it so statistics are hard to come by. Nevertheless, anecdotally it appears to be a bigger problem than might otherwise be assumed, and you should take appropriate precautions. Best practice protocols include ensuring that visitors are only given access to meeting rooms and do not walk through employee areas. Additionally, make sure employees know not to leave their computer screens open while away from their workstations, to collect any sensitive material from the printer immediately and never to leave confidential documents lying around. Having a thorough background screening and HR process will also provide greater security in your employment process.
It’s not enough to simply ensure employees require passwords when accessing company information (although this is a good start). You must also make sure passwords are of sufficient strength – this means longer rather than shorter passwords, with a mix of lower case, upper case, numbers and symbols. Children’s or pets’ names are easy to guess, especially with a little research by an experienced fraudster.
Systems should be set up to police the strength of passwords and compel them to be updated regularly. What’s more, you should make clear to employees that they shouldn’t write their passwords down. A password and user name on a post-it stuck onto a computer screen is as risky as not having a password.
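A system that polices password strength and age in the way described above amounts to a handful of checks. The script below is an added example, not code from the original article; the minimum length, the maximum age and the small blocklist of guessable names are constructed values to be replaced by your own policy.

```python
"""Check a password against the policy described above: longer rather than
shorter, a mix of character classes, nothing easily guessed such as a name
or the user's own login, and a maximum age before it must be changed.
Added example, not from the original article; limits and blocklist are constructed."""
import string
from datetime import date

MIN_LENGTH = 12          # assumed minimum length
MIN_CLASSES = 3          # assumed: at least three of lower/upper/digit/symbol
MAX_AGE_DAYS = 90        # assumed rotation period
# Constructed blocklist: common words and the kind of pet or child names
# a fraudster could find with a little research.
BLOCKLIST = {"password", "welcome", "rover", "bella", "emma", "oliver"}


def character_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def policy_failures(pw, username="", known_words=BLOCKLIST):
    """Return a list of human-readable reasons the password fails the policy
    (empty list means it passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        failures.append(f"uses only {len(classes)} character class(es), "
                        f"need {MIN_CLASSES}")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        failures.append("contains the user name")
    hits = sorted(w for w in known_words if w in lowered)
    if hits:
        failures.append("contains guessable word(s): " + ", ".join(hits))
    return failures


def is_compliant(pw, username=""):
    return not policy_failures(pw, username)


def needs_rotation(last_changed, today=None):
    """True if the password is older than the policy allows."""
    today = today or date.today()
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("Bella2018!", "Qv7#rL9!pT2wNz"):
        print(candidate, "->", policy_failures(candidate, username="jsmith") or "ok")
    print("rotate:", needs_rotation(date(2018, 1, 1), today=date(2018, 4, 27)))
```

Returning the full list of failures rather than a single yes/no lets the enrolment screen tell the employee exactly what to change, which is what keeps people from falling back on a name plus a year.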
As a business, you owe it to yourself, your clients and your business partners to protect your data by implementing effective data protection measures and avoiding common pitfalls. Adhering to the above, while also developing a breach response plan, will ensure data breaches can be prevented or dealt with swiftly to minimise their harm.