GDPR & Cyber Security pt 1 – Just when you thought it was safe to go back into data collecting
The General Data Protection Regulation (GDPR) came into force just over four months ago, on 25th May 2018, so with your new sparkly ‘consent’ forms and privacy statement all done you can forget about it, right?
Unfortunately not. GDPR compliance is an ongoing process, with responsibilities that include the routine compliance checks: audits, security monitoring and updating, training and so on.
Things you need to (and should already) be undertaking, recording and regularly auditing as part of your GDPR compliance include:
Policy reviews & updates – You should already have rewritten or updated your policies to reflect GDPR requirements for data protection, security, the storing/cleansing/destroying of personal data, records management etc, and each policy should carry a review date so it gets revisited rather than written once and filed.
Staff training & records – You trained all your staff ready for 25th May (hopefully), but have you trained any/all new staff and volunteers since? Do you have records to show this, and a plan for refresher training? Probably more importantly, do you know that everyone actually understands their responsibilities under GDPR? You might escape a fine if you can show staff had been trained, but it is better to avoid an issue occurring in the first place, as the damage to your reputation could be far worse than a ticking off from the ICO.
Evidence of data disposal – Do you have, and are you keeping, records of how and where your confidential waste is going? Just shredding paper and bunging it in the bin isn’t really acceptable: how can you prove it was done, and what if someone ‘un-shreds’ it (don’t laugh, it has been known)? Get a certificate of destruction from your waste contractor. When you have an old PC, how do you get rid of it, and what evidence do you have showing you wiped or destroyed the hard-drive(s) sufficiently? Keep a record of each drive’s serial number and how it was wiped or destroyed; deleting the files or reformatting the drive is not wiping, as the data is easily recovered. These activities may cost you something, but it could cost a heck of a lot more if you don’t do them!
Audit of data journey – Did you do an audit pre-GDPR to identify where data enters your organisation (email, website, surveys, forms etc), who has access to it, when and how, along with how and where the data leaves your organisation, eg external suppliers you use to process data such as email marketing services (MailChimp), and whether they store or process it outside the EU? If you did, great, but have you checked nothing has changed since – new project, new staff, new supplier?
Monitoring access to (and use of) data – Is this scheduled as one of your ongoing activities? It is only by regularly reviewing who is accessing your data, and where it is travelling, that you will spot problems early on. Most file servers, cloud storage and email services can log who opened, downloaded or shared what; the logs are only useful if someone actually looks at them.
Security – Your audit has identified who can access data and you have set up access permissions accordingly, so now how do you ensure no one else can, and that you have mitigated the risk of cyber-attacks?
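As an added illustration (not part of the original article), here is a small Python script that does the kind of monitoring described above: it takes the permission list your data audit produced and checks a file-share access log against it, flagging people reading shares they were never given access to, access at odd hours, and one person pulling an unusually large number of files in a short time (the insider scenario). The user names, share names, log format and thresholds are all hypothetical, and the log lines are constructed for the example; real logs (Windows file-server audit events, Office 365 or G Suite audit logs) would need their own parser.

```python
"""Check a file-share access log against the access list from your data audit.

Added example; the users, shares, log format and thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical result of the data-journey audit: which top-level shares each
# login may access. Anyone not listed should have no access at all.
PERMITTED = {
    "alice": {"HR", "Finance"},
    "bob": {"Fundraising"},
    "carol": {"Fundraising", "Casework"},
}

WORKING_HOURS = (7, 19)              # 07:00-18:59 is normal; anything else is flagged
BULK_THRESHOLD = 5                   # distinct files by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window looks like bulk copying

# Constructed sample log lines: "<ISO timestamp> <user> <action> <share>/<path>".
SAMPLE_LOG = [
    "2018-10-01T09:12:44 alice read HR/payroll-2018.xlsx",
    "2018-10-01T09:15:02 bob read Fundraising/donors-oct.csv",
    "2018-10-01T09:40:10 bob read HR/staff-list.xlsx",            # bob has no HR access
    "2018-10-01T23:05:31 carol read Casework/client-0412.docx",   # 11pm access
    "2018-10-02T10:01:00 carol read Casework/client-0001.docx",
    "2018-10-02T10:01:20 carol read Casework/client-0002.docx",
    "2018-10-02T10:01:41 carol read Casework/client-0003.docx",
    "2018-10-02T10:02:05 carol read Casework/client-0004.docx",
    "2018-10-02T10:02:30 carol read Casework/client-0005.docx",   # 5 files in 2 minutes
    "2018-10-02T10:04:17 dave read Finance/bank-statements.pdf",  # dave is not on the list
]


def parse_line(line):
    """Split one log line into a dict; the share is the first path component."""
    stamp, user, action, path = line.split(maxsplit=3)
    return {
        "ts": datetime.fromisoformat(stamp),
        "user": user,
        "action": action,
        "path": path,
        "share": path.split("/", 1)[0],
    }


def check_access(lines, permitted=PERMITTED):
    """Return a list of (kind, user, detail) findings for the given log lines."""
    findings = []
    per_user = defaultdict(list)

    for line in lines:
        ev = parse_line(line)
        per_user[ev["user"]].append(ev)

        if ev["user"] not in permitted:
            findings.append(("unknown-user", ev["user"], ev["path"]))
        elif ev["share"] not in permitted[ev["user"]]:
            # Permissions should have blocked this; if it appears, they have drifted.
            findings.append(("outside-permissions", ev["user"], ev["path"]))

        if not WORKING_HOURS[0] <= ev["ts"].hour < WORKING_HOURS[1]:
            findings.append(("out-of-hours", ev["user"], ev["ts"].isoformat()))

    # Bulk access: slide a time window over each user's events, counting distinct files.
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {e["path"] for e in events[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                minutes = int(BULK_WINDOW.total_seconds() // 60)
                findings.append(("bulk-access", user,
                                 f"{len(distinct)} files within {minutes} minutes"))
                break  # one finding per user is enough for a daily report

    return findings


if __name__ == "__main__":
    for kind, user, detail in check_access(SAMPLE_LOG):
        print(f"{kind:20} {user:8} {detail}")
```

Run as-is it prints the four findings for the sample log (bob outside his permissions, carol at 11pm, carol's bulk read, and an unknown login). In practice you would schedule it over the previous day's log and send the findings to whoever holds data protection responsibility; the thresholds are deliberately simple, because the point is to have something that is actually looked at rather than a perfect detection system.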
In addition, cyber-attacks are becoming more common – British Airways, TalkTalk and Carphone Warehouse are all big names that have suffered recent successful attacks – and the latest annual Cyber Security Breaches Survey (www.gov.uk/government/collections/cyber-security-breaches-survey) reported that 19% of charities had identified some sort of cyber security breach or attack in the previous 12 months, from simple phishing emails through to full-on server compromises.
So it is more important than ever to ensure your IT systems are secure, both on site and on any external or mobile devices that are used for, linked to or contain work data (eg laptops, mobile phones, tablets).
One option is to undertake regular vulnerability scans and penetration testing, to identify weaknesses and to check on an ongoing basis that your cyber controls are working.
What is penetration testing? – In films and TV shows, hoody-wearing IT geeks ‘hack’ into computer systems to steal or wipe data, upload viruses/trojans, or just for the fun of it (think WarGames, Mr Robot, The Girl with the Dragon Tattoo etc). Penetration testing is basically a range of tests, carried out with your permission, to see how secure your systems are, identify likely or possible vulnerabilities and find out how easy or hard it would be for someone to exploit them: something like an MOT for your IT security. There are various levels and types of test (infrastructure, web, wireless etc) along with recommendations for how frequently you should be testing. It is also worth knowing the difference between a vulnerability scan (an automated tool that checks your systems against a list of known weaknesses, cheap enough to run every month) and a penetration test (a person actively trying to break in, which is what costs the money).
Unless you are a high-visibility organisation and/or store large amounts of high-value data (or are just unlucky), your server is unlikely to be specifically targeted by serious professional hackers, although automated scans for unpatched, internet-facing systems hit everyone. Penetration testing can also be quite expensive and isn’t as simple as a pass/fail certificate: you get a report of the likely risks and hacker opportunities, ranked by severity, and what you could do to improve security. And like an MOT it only applies at the time it was done, so you would need to decide how often it needs re-doing, and someone has to actually fix what the report found.
BUT! Before you swipe left (google ‘tinder swipe left’ if you don’t get the reference), just because you might not need server penetration testing doesn’t mean there aren’t other things you do need to do and monitor.
You may still be targeted by chancers, amateurs and coordinated gangs, and the much more likely external attack will come via email: a malware attachment, a phishing link, simple impersonation (eg someone claiming to be the CEO emailing a junior staff member with instructions to make a payment or send out data) or a hacked or cloned website.
At one of my previous employers someone hijacked the charity’s website to be ‘helpful’ and show how easy it was to do (but that is another story).
It is also worth pondering the fact that a large share of data losses involve employees, volunteers or other people who already have legitimate access to your systems, whether through malice or carelessness, rather than external ‘hackers’ trying to penetrate your IT security. There is software (and a Windows group policy setting) that can disable USB storage devices, or block attachments being added to emails and files being uploaded to websites, although this may be a tad drastic unless you have real concerns.
As such your time and money is probably best spent securing your internal systems with the basics: appropriate security software, robust password protocols, encrypted files, and cyber-security training so that staff (especially those with high-level access) follow your security procedures.
As a minimum your IT systems will need the below:
Antivirus – covering files, email and the web browser; it needs to update regularly and automatically, and you should check that it is actually running and up to date on every machine rather than assuming it is. There are many antivirus suppliers, free and paid for (Windows 10 includes Windows Defender); research what is available and talk with other groups to see what they are using.
Firewall – A firewall controls which network connections are allowed into (and out of) your network or machine, blocking unsolicited connections from internet users to your internal systems, especially intranets and shared drives. A bit like having a digital wall around your server that stops intruders. Firewalls can be hardware (typically your router) and/or software (the firewall built into Windows and macOS), and both should be switched on.
Patch management – A patch is a set of changes to a computer program or its supporting data designed to update, fix or improve it, including fixing security vulnerabilities and other bugs. When Microsoft (or another supplier) releases patches for their systems or software they need to be installed as quickly as possible (within 14 days of release for security fixes is what Cyber Essentials expects) and recorded, so you know it has been done, on which machines and when, and no hardware is missed. Don’t forget the things that don’t update themselves: routers, firewalls, printers, and software that its supplier no longer supports and so never gets patched at all.
Backups – Computers go wrong, they break down, people spill stuff on them and/or drop them, and ransomware can encrypt everything on your network. As such you should be taking a backup of all important data as a minimum; this is basically a copy of everything you would need to set yourself up again if your machine goes pop. Daily is best, and it can be scheduled to run when you are closed, as it can take a while or slow your server down. It can be done to an external portable drive, digital tape or cloud storage, but must be encrypted so that no one can simply steal it, and at least one copy should be kept off site and disconnected from your network (a backup drive left plugged in gets encrypted along with everything else by ransomware). Test a restore every so often: an untested backup is only a hope. If you aren’t doing a backup start today; you will thank us if something goes wrong, after all what would you do if you lost all your data?
Secure configuration & access controls – by being proactive you can eliminate or reduce issues early on, including:
Setting file/folder restrictions & controlling access so people can’t access, or stumble across, what they shouldn’t; give each person the least access they need for their job, give everyone their own login rather than a shared one, and remove access promptly when someone leaves or changes role.
Robust password protocols – eg a sensible minimum length, not easy to guess (check new passwords against lists of common and previously breached passwords), not reused from previous passwords or other accounts, not shared (and definitely not stuck up on a post-it note next to the PC, Doh!), with two-factor authentication switched on wherever the service offers it. Many organisations also set passwords to expire after ‘x’ days, but note that the NCSC now advises against routine forced expiry, as it pushes people towards weaker, predictable passwords; change passwords when you suspect they have been compromised instead.
Mobile asset wipe – it may well be beneficial to consider remote wipe/tracking software for devices that leave the office (laptops, tablets, company mobiles), so that if one is stolen, or left on the 388 bus, you can be reasonably confident it can’t be broken into and your data stolen. Remote wipe only works once the device next connects to the internet, so it needs to be combined with full-disk encryption (BitLocker on Windows, FileVault on macOS, and the built-in encryption on modern phones) and a strong login PIN or password, which protect the data regardless.
BYOD – Bring Your Own Device is where a member of staff uses their own personal equipment for work. That isn’t just logging onto their email remotely from their home PC, but actively linking their equipment to the server, their folders, uploading files, email etc, so that if they lost the device it would potentially give access to their (as in the organisation’s) work files and email and not just their personal stuff. The easiest way around this is to not allow it (as part of your GDPR policies), and if they genuinely need (as opposed to want) remote or mobile file access, to supply them with a company mobile or laptop with remote wiping software installed (it may also be beneficial for staff wellbeing not to be constantly checking work emails on their phones out of office hours, although that is a debate all in itself).
Encrypting confidential files – both on the server/shared drives and when in transit (physically and digitally), always use an encryption program, so that if a file is misdirected it can’t be opened. Most operating systems offer something built in (Windows has BitLocker for whole disks and EFS for individual files, macOS has FileVault), but it may be better to research other options. When sending an encrypted file, send the password by a different route (eg by phone or text) and never in the same email as the file.
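Pulling the password points together, here is an added Python example (not from the article) of the checks a password policy can enforce at the point where a user sets a new password: a minimum length, a comparison against a list of common or breached passwords (including the ‘Password123!’ habit of dressing a common word up with digits and symbols), a check that the username isn’t in it, a check against the user’s previous passwords stored as salted PBKDF2 hashes, and an expiry check for organisations that still use one. The word list, user names and policy numbers are hypothetical and constructed for the example; a real deployment would check against a large published breached-password list (such as Have I Been Pwned’s Pwned Passwords) rather than an eight-entry set.

```python
"""Password policy checks applied when a user sets a new password.

Added example; the word list, users and policy numbers are hypothetical.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

MIN_LENGTH = 12          # hypothetical policy numbers
HISTORY_DEPTH = 5        # how many previous passwords may not be reused
MAX_AGE_DAYS = 365       # only relevant if you keep an expiry rule at all
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached/common password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "charity", "admin", "iloveyou",
}


def normalise(password):
    """Lower-case and strip the trailing digits/symbols people bolt onto a word."""
    return password.lower().rstrip("0123456789!@#$%^&*.?_-")


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; this pair is what you store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, record):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate, username, history):
    """Return the list of policy violations; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too-short")
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("common-password")
    if username.lower() in candidate.lower():
        problems.append("contains-username")
    # Only the last HISTORY_DEPTH stored hashes are compared.
    if any(matches(candidate, record) for record in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def password_expired(set_on, today=None, max_age_days=MAX_AGE_DAYS):
    """True if a password set on the ISO date `set_on` is older than the policy allows."""
    today_d = date.fromisoformat(today) if today else date.today()
    return today_d - date.fromisoformat(set_on) > timedelta(days=max_age_days)


if __name__ == "__main__":
    history = [hash_password("Spring-Newsletter-2017")]
    for pw in ["Spring-Newsletter-2017", "Password123!", "alice-loves-cake",
               "correct horse battery staple"]:
        print(f"{pw!r:34} -> {check_new_password(pw, 'alice', history) or 'ok'}")
    print("expired:", password_expired("2017-01-01", today="2018-10-01"))
```

Run as-is it rejects the reused password, the dressed-up ‘Password123!’ and the one containing the username, and accepts the long passphrase. The history is kept as salted hashes rather than the passwords themselves, so the reuse check never needs the old passwords in clear; the PBKDF2 round count is what makes an offline guessing attack on a stolen history slow.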
At the end of the day you should already be doing most (if not all) of this as part of your GDPR and cyber security work, but if you aren’t then now is the time to get going. A lot of the ICO/GDPR standards could be considered vague or open to interpretation, but as said earlier it is better to avoid an issue occurring in the first place, along with the damage to your reputation, as you are the one who will have to justify your action or inaction if a problem arises and the ICO gets involved. So, as long as you are doing the above you should be fine, but even if there aren’t any problems there is a very credible chance that certain funders in the very near future might (will) start asking you to evidence that you are GDPR (and cyber-security) compliant (you have been warned).
If you want to take things a step further there are accreditations you can undertake, eg Cyber Essentials (https://www.cyberessentials.ncsc.gov.uk/), that help you assess your activities and actions and demonstrate your compliance, a bit like PQASSO for cyber security. Its five controls (firewalls, secure configuration, user access control, malware protection and patch management) map closely onto the list above.
The ICO also offers a range of free Data Protection assessment tools:
Self-assessment for data controllers, processors and other relevant topics - https://ico.org.uk/for-organisations/resources-and-support/data-protecti...
To work out if you need to register with the ICO and pay the fee - https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
(even if you are exempt, which if you are a non-profit you will likely be, there may still be merit in signing up and paying as a sign of your commitment)
To find out if you need to appoint a Data Protection Officer - https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-pr...
For general info about DPOs - https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio...
If you need help with your GDPR, or anything else mentioned above, give us a call, and if we can’t help you then we know a man or woman who can.
Coming up in GDPR & Cyber Security pt 2 – PECR (the Privacy and Electronic Communications Regulations), the other bit of ePrivacy law that no one has heard of or thinks about, and which is due for a refresh next year.