Barely a week goes by without a firm needing to apologise for sharing customer information or for calling customers by the wrong name. Apparently, there is even a Data Protection Day (28th January for anyone that was wondering!) to raise awareness and promote privacy and data protection policies.
The GDPR legislation combined with the Cambridge Analytica scandal of recent years made consumers so much more aware of the value of their data. But the question is, are businesses doing enough to protect their customer’s precious information?
Under the GDPR the level of fines that could be levied against businesses who are careless with their customers' data is higher than ever before. All of this points to the importance of having processes in place to ensure that data is safe – but what more can you do.
Assessing the situation
One of the first things that any business should do when it comes to data is to assess their current situation. Are you at risk of a data breach? Do your staff understand the importance of protecting client data? Do you have robust policies in place? It can be difficult for businesses to be introspective and disconnected from their own processes when it comes to a security assessment, this is why it is good practice to outsource the process – even if everything else is put in place by your team. Investing in an external assessment at the outset will let you know exactly what it is you need to put into place.
Preventable human error – training, training and more training
In the Sonos example, it was an employee that caused the data breach.
One of the most important things that we have learned from the introduction of GDPR is the importance of education for staff members. Your job as an employer is to make sure your people are aware of both the importance of personal data and their role in keeping it safe.
Importantly, an open culture, where staff are encouraged to report issues without fear of blame or recrimination should also be fostered. Staff need to know that if they make a mistake, or something goes wrong on their watch they must report it – and if there is a fear of punishment then this becomes difficult.
Staff need to feel part of the solution, not part of the problem.
Accreditation – more than just a tick box exercise
Preparing for an accreditation will help you put processes in place to ensure that data protection remains at the heart of your business, and even if you previously haven’t considered getting an accreditation, qualifying for the Cyber Essentials certificate will help you get your house in order.
By ensuring your business meets and maintains the standards expected by an accreditation, such as Cyber Essentials, you are able to demonstrate an ongoing commitment to protecting the data you are entrusted with.
As time moves on, more organisations will expect businesses to hold at least basic accreditations before agreeing to work with them. Not holding one may well mean a loss of work before too long.
The main areas covered by the programme include:
- Password security
- Implementation and configuration of your firewall
- Server and workstation configuration
- User access control
- Virus protection
- Patch management for software
It might be that you choose to employ someone to audit the above areas for you on a semi-regular basis – it is easy for people within businesses to become somewhat blinkered to their own potential failings – an honest review of the IT security landscape within your business will highlight quick fixes and longer-term priorities.
Software audit and “shadow IT”
Do you know what software is being used in your business? Do you know which software has access to your customer’s data? Being fully aware of what software has access to your network is vital for the security of your data, and could easily be a fulltime job – probably for more than one person.
Employees in many businesses are notorious for finding ways around restrictive IT policies, and it is not unusual to see shadow IT popping up all over the place. It is imperative that someone is responsible for knowing what is happening.
Having an honest understanding of your business and the limitations of your resource is vital.
Penetration testing
If you want to take things to the next step and really see where the vulnerabilities in your system are then you have the option to look at penetration testing.
Some organisations call it “ethical hacking”, it’s also referred to as “pen testing” or event “white hat attacking”. All of these terms are interchangeable for the same process – experts will do their best to break into your system. They are looking for weaknesses that could be exploited – whether they are human, systematic or policy-based. The job of the penetration tester is to get in any way they can.
There are a number of different ways that pen testing can be carried out and plenty of advice out there for companies who don’t know where to start. Our advice would be to have a conversation with the people who will be carrying out the test and establish what it is that you want to achieve by completing the tests.
Once you know where your vulnerabilities lie you can then focus your resources on the highest priority issues.
Data protection and cybersecurity is not a one-time thing. New threats will constantly emerge, exposing vulnerabilities, and let’s face it, in most businesses there are new staff and customers to think about on a regular basis. As a business owner, you need to be vigilant and diligent about setting up and maintaining processes for your business. But, if you have any concerns about your own business data processes then why not contact the cybersecurity experts at Netmatters for a conversation?
Gloss