What MUST UK businesses comply with in regard to Data Security
22nd September 2017
We at 360ict have initially looked at the general issues and recommendations relating to cyber crime, but over the coming weeks we will address specific risks to small and medium organisations: cyber risks that the UK Government, the National Crime Agency, the Financial Conduct Authority and a large number of private specialist firms all consider to be serious or significant.
Customer data protection is one of these serious issues. You are responsible for securing your customer data and protecting it from fraudsters, and the UK Government and other agencies have set out a number of principles to guide firms accordingly.
Customer data is any identifiable personal information held in any format, for example National Insurance records, addresses, dates of birth, family circumstances, bank details and medical records. This information must be kept securely to comply with your obligations under the Data Protection Act 1998, but also because criminals can use it to commit offences such as identity theft.
Data security is not purely an IT problem, nor is it just a problem for large firms. Firms of all sizes should think carefully about how they secure their data. Having good data security policies and appropriate systems and controls in place will go a long way to ensuring customer data is kept safe. However, you need to make sure your employees understand the policies and procedures, and that your firm keeps them up to date when people move on.
IT & General Security Advice for Businesses
You should consider risk-based, proactive monitoring of staff to make sure they are accessing or changing data for genuine business reasons, and that they all use good password standards and do not share or write down their usernames and passwords.
If you have employees who work from home or use laptops and portable devices such as USB sticks and CDs to store customer data, you should be vigilant about the risks of loss or theft. Unencrypted customer data should never be stored on these devices.
Insecure backup and storage of customer data leave you at risk. We expect you to review your data backup procedures regularly and consider threats from all angles, including the transit or upload process and the ultimate place of storage. If your data is held off-site by a third party, you should encrypt it and make sure you carry out regular due diligence.
Broader Data Security Measures for Organisations
Customer data can be compromised in various ways and you should also:
- look at the physical safety of your business premises
- have a sign-in book for visitors, with onsite supervision
- conduct enhanced recruitment checks
- conduct credit and criminal record checks on people with access to data
Outsourcing to a third party does not mean you have outsourced your obligations to look after customer data. Therefore, you should carry out due diligence on third-party suppliers before hiring them, try to establish what their vetting procedures are, and ensure that they respect your firm’s security arrangements.
Five fallacies of data loss and identity fraud
1. ‘The customer data we hold is too limited or too piecemeal to be of value to fraudsters.’ This is misconceived: skilled fraudsters can supplement a small core of data by accessing several different public sources and use impersonation to encourage victims to reveal more. Ultimately, they build up enough information to pose successfully as their victim.
2. ‘Only individuals with a high net worth are attractive targets for identity fraudsters.’ In fact, people of all ages, in all occupations and in all income groups are vulnerable if their data is lost.
3. ‘Only large firms with millions of customers are likely to be targeted.’ Wrong. Even a small firm’s customer database might be sold and re-sold for a substantial sum.
4. ‘The threat to data security is external.’ This is not always the case. Insiders have more opportunity to steal customer data and may do so either to commit fraud themselves, or to pass it on to organised criminals.
5. ‘No customer has ever notified us that their identity has been stolen, so our firm must be impervious to data breaches.’ The truth may be closer to the opposite: firms that successfully detect data loss do so because they have effective risk-management systems. Firms with weak controls or monitoring are likely to be oblivious to any loss. Furthermore, when fraud does occur, a victim rarely has the means to identify where their data was lost because data is held in so many places.
Please contact us at 360ict if you have any concerns: Call 0208 663 4000 or use our Contact Us page