A new guide for businesses on how to secure data is available from managed security company, Network Box. The guide is designed to give guidance to companies on best security practice to avoid a security breach; and is available free from Network Box’s website.
From April 2010, the Information Commissioner’s Office in the UK has greater powers to enforce data security regulations (including the power to fine companies up to £500,000 for the most serious breaches), and this has made good security even more important for businesses.
Organisations keep more data, and for longer, than ever before. Much of this data – customer records, financial information or personal identity details – has a value to cyber-criminals, and any organisation that holds sensitive data could be targeted by a hacker. Whether it’s stealing an identity, launching a phishing campaign, or cloning credit card information, consumer data has intrinsic value to cyber-criminals, so must be kept secure.
The Network Box Guide to Compliant Security in the UK includes opinion from James Pickering, a commercial litigation barrister, on interpreting the data protection laws (but it is not designed to give or replace legal advice to companies on compliance). Pickering’s full opinion on the legal aspects of compliance can be read here.
The guide includes advice on best security practice, such as:
• Avoiding or minimising the risk of human error (the cause of most data breaches), from phishing attacks to leaving an unprotected laptop on a train
• Planning for a security breach, such as system redundancy; and a breach notification plan (voluntary at the moment, but likely to become mandatory within the next two years)
• Reviewing third-party suppliers that host data, such as CRM systems or financial systems providers (including web or mobile payment providers); and ensuring that they are PCI DSS compliant
• Encrypting data and using strong password authentication, particularly for mobile devices, laptops and data sticks
• Checking all data that leaves the building (via any channel, including IM), as well as data that enters it, to prevent unauthorised transfer of data
• Securing more than just email. 2009 saw a clear move by cyber-criminals towards focusing on exploiting vulnerabilities in applications, web browsers and servers, rather than just mailing executable code
• Reviewing all applications and systems across the organisation regularly, to check for vulnerabilities; and setting clear user rights (see Network Box’s guide to monitoring applications)
• Ensuring that all data is routed through the appropriate channels and doesn’t bypass security systems (for more information, see Network Box’s guide to routing)
• Educating employees on their role in keeping the organisation secure; and limiting access rights to certain applications or platforms
• Using secure VPNs, so data doesn’t have to be moved on, for example, a laptop or memory stick; and ensuring that home or remote workers have the same levels of security as the rest of the organisation (see Network Box’s guide to remote working for more information)
• Preventing employees from downloading anything that isn’t approved by the security team, such as peer-to-peer software, which might leave a ‘back door’ open into the organisation.
Simon Heron, Internet Security Analyst for Network Box, says: “There’s a lot of confusion among companies about what they should do to be secure. At InfoSec this year we heard from a number of companies who are concerned, but who are unsure what to do. We hope this guide will help organisations put in place security measures to avoid a security breach. The cost of cleaning up after a data breach – both financial and in reputation terms – can be enormous.”
For more information on security issues, visit Network Box, see Simon Heron’s blog, or follow him on Twitter.
