Tuesday, 30 October 2018

A practical approach to data protection

Customer data protection

Mention data protection and most people's eyes glaze over, yet it is easy to see why the 1998 Data Protection Act matters not just to business but to the general public. In 2018, however, the Data Protection Act is being replaced by the GDPR.
Do not worry, this article does not deal in depth with data protection law. Instead, we want to focus on what you can do to protect your own data and that of your customers.
This article applies to everyone in business, whether you are a one-person operation keeping your customers' contact details on your mobile phone, a shop owner who does (or does not) comply with PCI DSS, or a multinational. If you hold data about your company and/or your customers anywhere (even on paper), this applies to you!

First thoughts on security considerations

Throughout the development of Microsoft Windows, one of the key issues Microsoft has tried to solve is security. With Windows 10 they made a quantum leap in protecting your data.
Many people seem to have focused on how the Windows 10 licence works and what it allows Microsoft to do, such as removing counterfeit software. Is that a mistake? Of course not. In fact, if you are in business and your systems run counterfeit software, you expose yourself to considerable risk of data loss.
Pirated software usually contains additional code that gives attackers access to your system and therefore to your data. With cloud services, using legitimate software should be easier than ever; after all, the monthly cost of a copy of Office 365 is trivial.

Even when we use cloud systems, it is worth remembering that if you do not encrypt your data before it goes to the cloud, it is quite possible for it to fall into the wrong hands regardless of how secure the provider is. New products that will take care of this for you are under development, but they are not yet available, so be warned.

We'll come back to security a little later, after considering the heavy fines you could incur by not taking data security seriously.

It's only about big business, isn't it?

No, certainly not. The data security of your business is the responsibility of every member of your business, and failing to comply can be costly in more than purely monetary terms.
Throughout this article I will present some of the ICO's decisions, which show how important it is to take these issues seriously. This is not an attempt to scare you, nor a marketing ploy of any kind;
many people believe that they will never be "caught out", but in fact it can happen to anyone who does not take reasonable steps to protect their data.

Here are some recent decisions detailing actions taken in the United Kingdom by the Information Commissioner's Office:

Prosecution

A recruitment company was prosecuted in Ealing Magistrates' Court for failing to notify the ICO. The recruitment company pleaded guilty and was fined £375, ordered to pay costs of £774.20 and a victim surcharge of £38.

Monetary Penalties

The company behind the annual Manchester festival Parklife Weekender was fined £70,000 after sending unsolicited marketing SMS messages.
The texts were sent to 70,000 people who had bought tickets for the previous year's event, and appeared on recipients' mobile phones as having been sent by "Mom".

Let's take a look at the simplest way to protect your data. Forget expensive hardware: it can all be bypassed if the fundamentals of data protection are not addressed.

Education is by far the easiest way to protect the data stored on your computers and therefore on your network. It means taking the time to train staff and to refresh that training regularly.

Here's what we discovered: shocking practices

In 2008 we were asked to perform an IT audit of an organisation. That is not unusual, except that a week before the audit date I received a phone call from a senior person at the organisation.
"We had not mentioned before that we had suspicions about a staff member in a position of authority; he seems to have a very close relationship with the IT company that is supporting us right now. related to our organisation using the computer in his office. When we told him about the upcoming computer audit, he became agitated, and the more we insisted that he comply, the more agitated he became."

As a result, this computer was forensically examined. Apart from one unlicensed game we found nothing, and, believing that the information we were looking for might have been deleted, we performed data recovery on the disk drive.

The results caused consternation and forced us to contact the ICO. We found a large amount of very sensitive data that did not belong to the owner of this drive. It looked as though it had been there for a while, and most of it was not fully recoverable, suggesting it had been deleted a long time ago.
It turned out that the drive had been replaced several months earlier and that the IT company had used it as a temporary store for another company's data. They then formatted the disk and installed the new operating system on it.

This simply shows that formatting a disk and then using it for months does not remove all of the previous data. No action was taken beyond a slap on the wrist for the IT company because of its bad practice.
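To make the point above concrete, here is a small added simulation (my own example, not code from the original article or from the audit). It models a toy disk as a byte array: a "quick format" only clears the metadata sectors at the front, and installing a new operating system overwrites just the first few sectors, so a naive carve over the raw bytes still finds the old records. Only a pass that overwrites every sector removes them. The disk layout, the `CUSTOMER:` record format and the sample records are all constructed for the illustration.

```python
import re

SECTOR = 512
DISK_SECTORS = 64          # 32 KiB toy disk (constructed)
METADATA_SECTORS = 2       # boot sector + file table in this toy layout
OS_SECTORS = 4             # how much the "new OS install" writes at the front

# Constructed sample records of the kind of sensitive data the audit found.
# The card number is a well-known test number, not a real card.
SAMPLE_RECORDS = [
    b"CUSTOMER: Jane Example, card 4111-1111-1111-1111, expiry 12/20",
    b"CUSTOMER: John Sample, NI number QQ123456C, salary 42000",
]

def new_disk() -> bytearray:
    """A blank, all-zero disk image."""
    return bytearray(SECTOR * DISK_SECTORS)

def write_file(disk: bytearray, sector: int, data: bytes) -> None:
    """Write a file's bytes starting at the given sector (no metadata modelled)."""
    start = sector * SECTOR
    disk[start:start + len(data)] = data

def quick_format(disk: bytearray) -> None:
    """Quick format: wipe only the metadata sectors; data sectors are untouched."""
    disk[:SECTOR * METADATA_SECTORS] = bytes(SECTOR * METADATA_SECTORS)

def install_os(disk: bytearray) -> None:
    """Reusing the drive: the new OS overwrites the first OS_SECTORS sectors only."""
    disk[:SECTOR * OS_SECTORS] = b"OS" * (SECTOR * OS_SECTORS // 2)

def full_overwrite(disk: bytearray) -> None:
    """Sanitisation: overwrite every sector of the drive, not just the front."""
    disk[:] = bytes(len(disk))

def carve_records(disk: bytearray) -> list[bytes]:
    """Naive carving: scan raw bytes for printable runs starting with the record marker."""
    return [m.group(0) for m in re.finditer(rb"CUSTOMER: [ -~]+", bytes(disk))]

def demo() -> tuple[int, int, int]:
    """Returns the number of records recoverable (written, after quick format + OS install, after full overwrite)."""
    disk = new_disk()
    for i, rec in enumerate(SAMPLE_RECORDS):
        write_file(disk, 10 + 4 * i, rec)          # data sits well past the front of the disk
    written = len(carve_records(disk))

    quick_format(disk)
    install_os(disk)
    after_reuse = len(carve_records(disk))          # old records still present

    full_overwrite(disk)
    after_wipe = len(carve_records(disk))           # nothing left to carve
    return written, after_reuse, after_wipe

if __name__ == "__main__":
    print(demo())   # (2, 2, 0)
```

The lesson for disposal or reuse of a drive is the one the audit story makes: a format is a metadata operation, so a drive that held someone else's data must be overwritten in full (or physically destroyed, or have been encrypted from the start so the key can be discarded) before it is handed on.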

So who should be trained?

The best way to demonstrate the importance of data protection is top-down training sessions: managers are trained first, then junior managers, then staff. That way it is clear to both management and staff that data protection is not one person's job but the duty of every employee in the company.
A data breach affects everyone in the business, not just the person responsible but also those in charge.

The training is neither long nor difficult, but it should be delivered by a domain expert or by a company whose expertise is beyond doubt.
Internal training on this topic is not recommended: only an outsider will be taken seriously and carry the credibility, as an independent third party, needed to drive home the importance of the issue.
