A Series Of Unfortunate GDPR Events – Part 2
Let\’s get Physical…. and digital with GDPR.
So now that you have identified all your potential risks to the data you hold, you will need to put some plans in place to combat them.
The physical security side of risk management may seem like an easy one, however, it is often the most overlooked. Simple entry controls are the easiest way to manage the risk.
If you have a home office in a spare bedroom or study, then your door may need an additional lock, ensure that children, wondering obscure family members and visitors cannot access the room that you store your data in.
If you simply have a desk in the corner of a room then you will need to look more towards a filing cabinet or lockable cupboard that you can put everything in at the end of the day (try not to leave the key in the filing cabinet though), this includes all paperwork and removable digital media. About home offices, it is vital that your business data and internet traffic are on a separate network to your home environment. Speak to an IT professional if you are not sure about this.
The ICO has a few advisable policies to put in place for the use of digital equipment. These include: A Mobile working policy, Removable media policy, Malware/anti-virus policy, backup and restore policy, and a few others, these could be combined for simplicity.
Let look at the mobile working policy, this covers the use of any mobile media, such as laptops, mobile phones, and USB sticks/drives. The safest way to secure your business is to ban them all, but this is often not practical, the use of laptops outside of the office can often be a major risk, especially if you often need to use “free WIFI” like those in most coffee shops, etc. In theory, there could be someone sat on the same network viewing everything you are doing and accessing all the data stored on your laptop or phone while you are browsing Facebook. In this instance, we would recommend the use of a VPN to encrypt your traffic. Please see our blog on VPNs to find out more.
While in the office it is still a very good idea to ban the use of USB sticks especially ones where staff use them outside your network, and even more important to ban the use of mobile phone charging using a computer USB port. The best way of describing phone charging is; charging an infected USB stick with an internet connection. If you allow the charging of phones at work, then please do so via a plug socket and never through the computers. If you require the use of a mobile phone for work, then please make sure it has adequate security software installed and is encrypted, this is something we can help you with. Sorry iPhone users but they are not as secure as they could be and are increasingly becoming a security threat. As such we have chosen to ban the use of Apple products within our organization altogether until a time they become secure enough for business users.
User account controls and computer updates (patch management) are one of the most complained about features in most of the IT jobs we have come across. However, updates are usually released to address security issues, it is a good idea to put the policy in place to ensure all computers are updated within 24 hours of the update’s release. The same goes for anti-virus/malware updates. Many companies are now listing the disabling of such software as gross misconduct. The use of user account controls limits the damage a user can do to your systems, a good rule is to never allow a user administrator access unless supervised by an IT professional.
One feature that GDPR mentions several times is the use of encryption, this is turning your data into an unreadable format unless you have the appropriate tools and password to decrypt it. This means that hackers, even if they manage to break in and steal your data, could not read it. This is something we believe will have big impacts on the levels of fines handed out in the event of a breach. Encrypting your data does not have to cost a lot, the use of a network-attached storage device can often have built-in encryption. There are different types of encryption software available, we will cover this in more detail in another blog.
If you missed the first part of our series check it out here.