The ongoing stories in the press are hurting charities who are being seen to be treating decent people – particularly vulnerable people – monstrously unfairly. The press and media are giving consumers an ever clearer perception of the charity sector as being irresponsible, uncaring and aggressive in their treatment of donors. And it does the data industry no favours at all.
EU Data Protection – Change is ComingThe new EU data protection law is getting ever closer. The clock is ticking, with major changes on the horizon relating to the way businesses will be allowed to collect, hold, store and use personal data.
The changes to the law fall into two main areas
… which will require organisations to demonstrate stringent data governance and robust data protection policies, procedures, processes and training, starting with the Board.
… which will impact consent (which must be obtained fairly, and be unambiguous and explicit), and will impose restrictions around tracking and profiling.
You’ll find more information about the upcoming DPA changes in relation to marketing and accountability in the guest blog I wrote for All Response Media.
This has been the subject of much discussion. Justice and Home Affairs Ministers agreed amendments to the Commission Text in June, and three-way negotiations are now taking place between the EC, Parliament and Justice and Home Affairs Ministers.
It is expected that this process will be completed by December 2015, in which case the Regulation will be passed in Brussels in early 2016, and become UK law in late 2017 / early 2018.
While it may seem that a couple of years is plenty of time to get ready, failing to react until the big shake-up actually arrives is likely to cause chaos and confusion throughout all areas of your business.
Responsibility and accountability for the new legal requirements around data protection must lie with the Board in order to be embedded throughout all areas of the business – from sales and marketing to IT, HR to Customer Services. With that in mind, and given the huge emphasis on accountability and governance, preparation and planning are essential, and businesses need to start looking at their data governance, compliance and security measures right now.
The protection of the personal data your company holds needs to be of paramount importance – it will no longer be acceptable to fall short in terms of accountability, or responsibility, or to rely on loopholes in the current legislation. So please get in touch if you you would like to discuss the implications of the new legislation, and to understand your obligations around data governance, security and compliance. Have a look at our website, call 01787 277742, or email victoria@datacompliant.co.uk
The 2015 UK data breaches report shows significant rises in numbers and costs of data breaches, with growth shown in my previous blog, Data Breaches – OUCH! . The infographic below summarises the key data breach stats from 2014, including a nod to the impact of new technology.
* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe
Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.
* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe
The protection of your company data must be of paramount importance to you, so please get in touch if you you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe. Call 01787 277742 or email victoria@datacompliant.co.uk
I was invited by ComputerScienceZone to share this fascinating infographic on my site – so here it is – a fascinating insight into the diversity and number of “things”, combined with the risks associated with the rapid growth and poor security.
When we talk about data security what do we actually mean? Data security means protecting data, such as database, from destructive forces and from the unwanted actions of unauthorised users.
In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information and cannot be shared.
The international standard ISO 27001 covers data and information security. Information security is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
Data Security is subject to several types of audit standards and verification, the most common are ISO 27001, PCI, ITIL. Security Administrators are responsible for creating and enforcing a policy that conforms to the standards that apply to their business.
IT certification audits are generally carried out by 3rd parties although regular internal audits are recommended. Clients can also carry out audits before they begin doing business with a company to ensure that their clients data is secured to their standards.
A security policy is a comprehensive document that defines a company’s methods for prevention, detection, reaction, classification, accountability of data security practices and enforcement methods. It generally follows industry best practices as defined by ISO 27001, PCI, ITIL or a mix of them. The security policy is the key document in effective security practices. Once it has been defined it must be implemented and modified and include any exceptions that may need to be in place for business continuity. Most importantly all users need to be trained on these best practices with continuing education at regular intervals.
Data needs to be classified in the security policy according to its sensitivity. Once this has taken place, the most sensitive data has extra measures in place to safeguard and ensure its integrity and availability.
All access to this sensitive data must be logged. Secure data is usually isolated from other stored data and it is important that controlling physical access to the data centre or area where the data is stored is implemented.
Active Directory for example is used by many companies and is a centralised authentication management system that is used to control and log access to any data on the system.
Encryption of the sensitive data is critical before transmission across public networks. The use of firewalls on all publicly facing WAN connections needs to be in place and also the deployment of VLANs’ to isolate sensitive departments from the rest of the network. It is important to shut down unused switch ports. If Wi-Fi is deployed then it is important to use authentication servers to verify and log the identity of those logging on. Finally the deployment of anti-virus and malicious software protection on all systems.
Sometimes you will be surprised what you can find by simply walking around and look for passwords in the open, unattended screens.
Ensure that Event Viewer and Log Files are maintained this provides the audit trail. An Intrusion Detection/ Protection systems (IDS/IPS) to monitor the network and system activities for malicious activities or policy violations. Set up SNMP monitoring servers to monitor and alert for everything as this will alert Administrators to everything from unusual bandwidth usage to hardware failure. It is key to know what’s going on with your systems and network.
Documentation is also important, detailed network maps should be available as these maps make it easier to spot security weak points and any flaws in the design that could impact the data security.
You should also consider a network scanner that probes devices to ensure that they are secure. A network scanner will probe and report old out of date software, open ports and the give details on any potential exposures. Networks scans should be scheduled on a regular basis.
Review log files regularly of any publicly facing server to see what types of attacks are being run against your enterprise.
Trade publications discuss the latest threats and technologies keeps you updated on the latest attack trends. It is important to understand the technology stack that you are protecting and the technology that is used to attack it.
Something which tends to not be given the required level of importance is user education. All relevant security policies must be clearly explained to the end users. A clear explanation of the consequences for violating these polices must also be explained. The end user needs to sign a document acknowledging that they understand the policies and consequences for violating these policies.
Any enforcement must obtain executive authority to enforce the business policies and procedures. This must be based on a systematic approach of warnings and punishments.
The author, Tony Schiffman, is Data Security Director at Data Compliant. If you have any concerns about your organisation’s data security or vulnerabilities and you’d like a chat, please call Tony on 01787 277742 or email dc@datacompliant.co.uk
Many data breaches are a direct result of the attacker using individuals or employees to access systems or data, and it’s worth noting that 58% of large organisations and a third of SMEs fall prey to staff-related data breaches (*UK 2014 Information Security Breaches Survey).
With that in mind, I thought it would be helpful to summarise some points to help recognise and deal with phishing emails.
Phishing is a deceptive means of trying to acquire personal information such as your identity or data that you hold and access – for example your user name, passwords, credit card details, contact directories and so on. Phishing is typically carried out by email or instant message, which may ask you to provide the data directly, or it may send you to a website or phone number where you will be asked to provide data.
A phishing effort can be hard to recognise, particularly if it comes from a source that you are inclined to trust – for example a friend or colleague (who may have been phished themselves), or your bank, social media site, telephone provider etc.
There are ways to recognise and avoid being caught out by fraudulent emails or the links they contain.
Such links are likely to include all or part of the legitimate website address.
Being aware and understanding how to spot a potential phishing effort is helpful, but additional steps should be taken to protect your computer and system against such attacks. There is no single solution – the best option is to adopt a multi-layered approach:
Just opening the email is unlikely to cause a problem. However, it is helpful to report phishing emails:
If you have any concerns about your organisation’s vulnerability to phishing attacks and you’d like a chat about staff training or prevention, just call 01787 277742 or email dc@datacompliant.co.uk
It’s becoming an increasingly essential part of due diligence that a data controller, when appointing a data processor, will ask one simple question: “Do you have ISO 27001 Certification?” Given that data controllers are the liable parties for any data breaches or lack of compliance, they need to be certain their data is to be processed safely. So if the answer is “no”, the processor is unlikely to win the contract unless they have some other extraordinary and unique competitive advantage.
I was going to write a blog about why ISO 27001 certification is so important. Then I thought it would be simpler just to show you. It’s all about protecting your business from potential breaches.
From the stats above, taken from the 2014 Year of Mega Breaches and Identity Theft, it’s clear to see:
ISO 27001 is an international standard for data security management, providing a risk-based approach to data security that involves a data governance standard that is embedded throughout the business covering processes, technology, employees and training.
In the past, obtaining ISO 27001 certification has been a time-consuming, arduous and costly exercise. Now, however, the whole process of creating the gap analysis, providing robust policies and procedures, and obtaining certification can be made much simpler.
If you’d like to know more about getting ISO 27001 quickly, simply and cost-effectively, please get in touch on 01787 277742 or email victoria@datacompliant.co.uk – we’ll be happy to have a chat and answer your questions
The pressure on Google over European data privacy issues has been ongoing for several years as EU data protection watchdogs attempt to bring the organisation – and other huge US companies – into line with European data protection principles.
The latest threat to Google comes from Holland, where the Dutch DPA has threatened Google with a fine of up to 15M euros for breaking local laws over how it can use user data. Google has been given until the end of February 2015 to change the way it handles personal data, before the fine is levied.
So what has Google done wrong? The issue is over the way Google uses data about people’s online behaviour to tailor advertisements. Google builds up a profile for every one of its users based on keywords used in searches, email messages, cookies, location data – even video viewing habits. However, it does not inform its data subjects that it is collecting and using data in this way, and nor does it obtain consent.
Google’s data is a core asset for the business, and other businesses like it. One of Google’s key data privacy issues is that the company has merged all its separate privacy policies into one policy which allows Google to share its user data across all its services – for example, Gmail data and search engine data can be used and combined across the company. In addition, there is no opt-out for the data subject.
From Google’s point of view, its customer profiling is enhanced considerably by this activity – and advertising to targeted customers is Google’s core revenue stream. Google also uses customer data to drive new products such as Google now (appointment based app, giving details on how to get to your appointment, where it is, what are the traffic conditions and what time to leave) – a great concept, but one that would be useless without Google’s ability to collect and use data from its users.
It has been clear for some time that the EU is determined to take on the challenge of the giant UK search engines and social media platforms, and curb the way they use data. Because Google has such a vast share of the market, it, in particular, regularly comes under fire from the EU.
The requirement for additional permissions or opt-outs may be more problematic than helpful for Google customers. But fairness and transparency is an issue that Google could address relatively simply – as a minimum the customer should be informed about the data Google is collecting about him or her, why it is being collected and how it is being used. And a little bit of creativity in the wording would serve to illustrate the benefits to the customer.
The single privacy policy makes such transparency difficult. So perhaps the simplest solution is to re-establish separate privacy policies for each of its business areas. That might at least serve to reassure not only the EU, but also the US data protection authorities who have also expressed concerns over Google’s single privacy policy.
Your thoughts and views are always welcome – please add your comments below. If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742. Or email victoria@datacompliant.co.uk
The Data Compliant Blog 