Did you know you can receive a sizable fine for failing to keep your customers’ data secure? And unfortunately, this task seems to be getting harder all the time. The world has changed recently and so your firm needs a new security model that embraces the ‘work from anywhere’ lifestyle but also protects your data whilst enabling you to provide the best customer service.
So how does this affect me and my firm?
When utilising or reviewing applications or IT/Telephone strategies, ask yourself the following questions:
- Who has access (internal and partner teams) to our data and do they require this level of access?
- What methods are used to login to this application/data location and does this level of security match the confidentiality/sensitivity of the data?
- Do we trust and verify the device, and its location, from which this data is being accessed?
- Can we proactively identify and audit a security breach or the altering of data?
- Can we recover from unauthorised data deletion/corruption and, if so, how fast?
Who has access to the data?
When setting up yourself or a member of the team with application and data access, the key is to only give access to the system/data needed to complete your role within the firm. So the account holder is given access to the data that is needed to fulfil the role successfully and no more. This then means we reduce the risk to the firm against:
a) Accidental human error affecting data your staff do not need permission to see or use,
b) Malicious acts from a team member who, unknown to you, is unhappy or about to resign, and
c) The workstation or account being hacked, leaving the hacker with the same level of data access as the account holder.
Reducing this risk is often overlooked when setting up access, as it is easier to give full access than to work through the specific job roles. But reducing this risk means less exposure if you need to notify your clients and/or the ICO of a breach, and so less potential damage to your reputation.
What methods are used to login?
There are a lot of different methods available to securely log in to applications and data. The key is to match the level of security, and its impact on our productivity, to the type of data. Wherever possible we should aim to automate this to stop humans picking the easy option. Ways that we can do this include:
Two Factor Authentication (2FA) – enabling this gives you a strong combination of a password you know and a second code that changes constantly. This helps to secure your account if your password is captured by a hacker, for example via a phishing email (a fraudulent email) that directs you to enter your password into a fake site, because the attacker will not have access to the changing element.
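The "changing element" described above is usually a time-based one-time code (TOTP, RFC 6238). The Python below is an added example, not code from the original article: it derives the code from a shared secret and the current 30-second window, then shows that a password and code captured by a fake site are only accepted inside the window they were captured in. The secret is the RFC 4226/6238 test-vector key, and the function names are my own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time window."""
    return hotp(secret, unix_time // step)


def verify_login(password_ok: bool, presented_code: str, secret: bytes,
                 unix_time: int, window: int = 1) -> bool:
    """Server-side check: the static password AND a code valid for the current
    time window (plus or minus `window` steps for clock drift) must both be right."""
    if not password_ok:
        return False
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        # Constant-time comparison so a mismatch does not leak how many digits were right.
        if hmac.compare_digest(hotp(secret, counter + delta), presented_code):
            return True
    return False


def replay_outcome(secret: bytes, captured_at: int, replayed_at: int,
                   window: int = 1) -> tuple:
    """Model the phishing scenario from the text: a fake site captures the password
    and the code shown at `captured_at`; the stolen pair is then used at `replayed_at`.
    Returns (accepted at capture time, accepted at replay time)."""
    captured_code = totp(secret, captured_at)
    live = verify_login(True, captured_code, secret, captured_at, window)
    later = verify_login(True, captured_code, secret, replayed_at, window)
    return live, later


if __name__ == "__main__":
    # Code taken at T=59 is valid then, but not when reused in a later window.
    print(replay_outcome(DEMO_SECRET, 59, 1111111109, window=0))  # (True, False)
```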
Password Manager – this keeps all your passwords in one secure vault and adds automation to the login for ease of use (the right solution can also fill in the 2FA code for you). Because you no longer need to remember them, it can also be used to generate longer, more complex, machine-generated passwords. If there is a breach at a service you use, you will be notified to change that password.
Central authentication – this combines one user account with multiple platforms by using a system such as Microsoft Office 365 as the authentication provider. This means you and your team need to remember and manage fewer accounts, which speeds up the login process and also enables central auditing.
Repeating passwords and using a word with numbers like P$assw0rd2021 is not that clever!
Auditing user activity or a security breach
This starts when you are evaluating a solution or product, but it is also a continuous activity because these systems evolve. Your firm needs to evolve with them as the hackers' knowledge and technology improve – you need to be at least 10 steps ahead of the hackers. You need to ensure your data actions are fully audited to match the risk. This means auditing log-on and change activity across all systems and data access. Often, the most difficult questions following a breach are a) how long the systems have been breached and b) what exposure the breach has caused and what data has been accessed or removed. These points are critical to deciding whether the next action needs to be notifying the outside world (clients and the ICO).
Can we recover from unauthorised actions?
Last, but never to be overlooked, is backup and continuity. Firms often do not ask their third-party application, SaaS or cloud provider about its backup and continuity strategy. This really is key to the business surviving: 75% of businesses with poor backup strategies do not recover from losing data and sadly go out of business. The key questions here are:
- What is backed up? This needs to be 100% of the data and the whole system.
- Where is this located? A good strategy is to have your data in three locations – live, backup and continuity.
- How often is it backed up? From what point in time can my data be restored?
- How long will the recovery back to 100% operational activity take? How long will my systems/data be offline?
Don’t be left behind. Ensure your firm’s data is secure in EVERY aspect.