At HGA data protection is at the forefront of our minds at all times – we are formally recognised, regulated and registered with the Information Commissioner's Office (ICO) for our processing of Personal Identification Information and Personal Health Information. But what about you: are you covered? In this article we discuss the importance of data protection, what it means for you and how to stay secure.
As detailed in the Data Protection Act 1998, every organisation, sole trader or other body – otherwise defined as a data controller – that processes personal information or records CCTV imagery is required to register with the ICO (unless otherwise exempt). If you're unsure whether you should be registered, this short self-assessment will help you.
In a world where data is key, it’s important to take proactive steps to build confidence with your customers, by being open about what data you capture, why you capture it and how it is handled. Registering also clearly defines what you can and can’t do within your organisation when it comes to processing data.
Failure to adhere to these guidelines, or worse still falling victim to a data breach, can have disastrous consequences. There have been a number of high-profile cases in recent months that highlight the danger of data breaches. In July 2015, adult dating service Ashley Madison was hacked, exposing thousands of married adulterers, whilst a breach at TalkTalk at the end of 2015 incurred heavy financial penalties compounded by lost revenue as customers moved on. One data breach can have disastrous consequences for your business and its brand – reputation damage is a hard thing to repair, so it is vital you take steps to protect your online presence. We've produced a few tips to help you along the way.
1. Assess your risk
How can you know if you need to improve if you don’t fully understand where your weaknesses are? A crucial part of improving is to review everything from infrastructure to policies to the devices used for and on behalf of an organisation.
2. Be proactive and share your progress
Just because you’re secure today doesn’t mean you’re secure for tomorrow. Regular scans of systems, independent vulnerability testing and misconfiguration assessments can help avoid disaster. Share your results, be open about how great you’re doing and the proactive approach you’re taking. Be sure to patch any holes before doing so though!
3. Aim for prevention, prepare for disaster
Nobody wants to be the victim of a disaster, and your primary goal should be to work toward preventing a breach, but having a plan in place should it happen is a must. A written breach-response plan means you're ready and your responses are set out in advance rather than improvised. This kind of policy is also a good thing to share with clients and is becoming more pivotal when it comes to securing and retaining work.
4. Encrypt sessions with an SSL certificate
Data protection is made easier when ‘the man in the middle’ cannot read the data being input. Securing user connections to your website whilst they input data is the first step towards protecting your users.
5. Encrypt servers, computers and devices
In a world where our lives are 'in our pockets', it's important that data is protected wherever you go. Encryption is a big part of our everyday lives even if we don't realise it, with services like iMessage, SnapChat and WhatsApp all leveraging the power of end-to-end encryption. Where smartphones and tablets are concerned, make sure you have the ability to remote-wipe them should a device be lost or stolen.
6. Control and audit those who have access to data
Breach incidents can be minimised and mitigated by restricting access to data on a need-to-know, permission-tiered basis. For example, you wouldn't expect data on a Chief Executive to be accessible by a junior member of staff – the same principle should be applied within your organisation.
7. Retain year-long, detailed access logs
If the worst should happen, you'll have enough stored logs to conduct a full and thorough investigation. You can also review these logs regularly to identify attempts to gain unauthorised access before they succeed.
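The following is an added example, not code from HGA's article or its own systems. It ties points 6 and 7 together: a minimal need-to-know access check whose every decision (allowed or denied) is written to an audit log, a review pass over that log that flags users with repeated denied attempts in a short window, and a retention filter that keeps a year of entries. The roles, tiers, record names and log lines are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed permission tiers (not HGA's): a role may access records at or below its tier.
ROLE_TIER = {"junior": 1, "manager": 2, "hr_director": 3}
RECORD_TIER = {"invoice-1001": 1, "payroll-2016": 2, "exec-personnel": 3}

# Constructed "current time" used by the sample run below.
SAMPLE_NOW = datetime(2016, 3, 1, 12, 0, 0)


def authorise(user, role, record, now):
    """Need-to-know check. Unknown roles or records are denied by default.
    Returns (allowed, audit_line) so that every decision is logged, not just failures."""
    allowed = ROLE_TIER.get(role, 0) >= RECORD_TIER.get(record, float("inf"))
    audit_line = "{} user={} role={} record={} result={}".format(
        now.strftime("%Y-%m-%dT%H:%M:%S"), user, role, record,
        "ALLOW" if allowed else "DENY")
    return allowed, audit_line


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return entry


def flag_repeated_denials(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {user: count} for users with at least `threshold` DENY results
    inside any sliding window of length `window`."""
    denials = defaultdict(list)
    for entry in map(parse_line, lines):
        if entry["result"] == "DENY":
            denials[entry["user"]].append(entry["ts"])
    flagged = {}
    for user, times in denials.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def within_retention(lines, now, days=365):
    """Keep only the lines inside the retention period (a year, as the article advises)."""
    cutoff = now - timedelta(days=days)
    return [line for line in lines if parse_line(line)["ts"] >= cutoff]


def build_sample_log():
    """Constructed access attempts run through authorise(), plus one stale line."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    attempts = [  # (user, role, record, minutes after base)
        ("alice", "junior", "invoice-1001", 0),
        ("alice", "junior", "exec-personnel", 1),
        ("alice", "junior", "exec-personnel", 2),
        ("alice", "junior", "payroll-2016", 4),
        ("bob", "manager", "payroll-2016", 5),
        ("bob", "manager", "exec-personnel", 6),
        ("carol", "hr_director", "exec-personnel", 7),
    ]
    lines = [authorise(u, r, rec, base + timedelta(minutes=m))[1]
             for u, r, rec, m in attempts]
    # A constructed entry older than a year, to show the retention filter dropping it.
    lines.insert(0, "2015-01-15T08:00:00 user=dave role=junior record=invoice-1001 result=ALLOW")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(flag_repeated_denials(log))                     # {'alice': 3}
    print(len(within_retention(log, SAMPLE_NOW)))         # 7
```

Logging the allowed decisions as well as the denials is what makes the later investigation possible: a single DENY tells you little, but three in a few minutes from a junior account against executive records is the pattern the review pass is designed to surface, and the retention filter ensures the history is still there when it is needed.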
8. Become awarded to be rewarded
Industry-standard accreditations exist for good reason – not only do they ensure best practice is adhered to, but they also demonstrate an organisation's commitment to that practice. Look for ISO 27001, ISO 9001, ISAE 3402 Type II, SOC 2 and SOC 3, and PCI-DSS accreditations to cover information management, security, procedures and compliance. Consider pursuing these for your own organisation, as they demonstrate your commitment and competence to clients and back up your claims.
The battle against the malicious use of the Internet is ongoing – as one vulnerability is patched, two more will likely arise. The most important thing is to stay on top of things and minimise the risk to both you and your clients.
We take data protection very seriously and put robust measures in place to protect our clients' data. If you'd like to discuss how we can help keep your data safe and secure, contact us today.