TalkTalk, the phone and broadband provider, has been hit with a significant and sustained cyber attack in which over 4 million UK customers may have had their banking details and personal information accessed by cyber criminals. We have brought this serious risk management issue to your attention in the past to explain the impact it could have on your business: under the Data Protection Act, companies that handle and store sensitive personal information digitally must take proper measures to ensure that data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Failing to do so can result in a data breach, and breaches cost companies billions of pounds every year. Understanding the risks involved in data security can help you prevent a privacy breach.
Know the Risks
The first step in protecting your business is to recognise basic types of risk:
- Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems, usually for personal gain. Although their intentions are sometimes benign, their actions typically violate the intended use of the systems they exploit. The results can range from minor mischief (for example, a virus that does no real harm) to malicious activity such as stealing or altering a client’s information.
- Malicious code. This is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
- Viruses: this type of code requires you to do something before it infects your system, such as opening an email attachment or visiting a particular web page.
- Worms: this code propagates between systems without user intervention. A worm typically starts by exploiting a software flaw; once the victim’s computer is infected, it attempts to find and infect other computers.
- Trojan horses: Trojans hide inside otherwise harmless programs and, much like the Greek story, reveal themselves when you are not expecting it and cause a great deal of damage. A program that claims to speed up your computer but actually sends confidential information to a remote intruder is a common type of Trojan.
One of the biggest risks to data security in business is actually your employees. There have been examples of significant fines levied against firms where data has been lost due to the theft or loss of either laptops or memory sticks, where data isn’t encrypted.
It is therefore important to control the use of portable equipment away from the premises and to ensure that employees do not save client data to local drives, desktops or removable media unless it is encrypted. Full-disk encryption on laptops, and the use of encrypted memory sticks, is the standard control here: it protects everything on the device if it is lost or stolen, without relying on each employee to remember to encrypt individual files.
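The point above is that client data must be unreadable to whoever picks up a lost laptop or memory stick. The following is an added example (not code from the original page or from TalkTalk) showing what "encrypted" has to mean in practice: a file is sealed with AES-256-GCM before it is copied anywhere, and any tampering with the stored copy is detected on decryption rather than silently producing garbage. The client record and the key handling are constructed for illustration; in a real deployment the key would be held in a key store or hardware-backed keychain, never beside the encrypted file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	keyLen   = 32 // AES-256
	nonceLen = 12 // standard GCM nonce size
)

// ErrBadKey is returned when the supplied key is not 32 bytes long.
var ErrBadKey = errors.New("key must be exactly 32 bytes")

// NewKey returns a fresh random AES-256 key. Assumption for this example:
// in production the key is fetched from a key store, not generated ad hoc.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per call is what keeps GCM safe; a nonce must never be
// reused with the same key.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext and the 16-byte authentication tag to the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal. Any change to the nonce, ciphertext
// or tag fails the GCM integrity check and returns an error.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:nonceLen], blob[nonceLen:]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// newGCM validates the key length and builds the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record with placeholder values; not real client data.
	record := []byte("client=Example Ltd;sortcode=00-00-00;account=00000000")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce + ciphertext + tag)\n", len(record), len(blob))

	// Simulate a corrupted or tampered copy on the memory stick: flip one bit.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}

	plain, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(plain))
}
```

Note that the blob is only as safe as the key: if the key is stored on the same device, the encryption adds nothing when the device is stolen, which is why full-disk encryption products tie the key to a passphrase or a hardware module rather than a file.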
IT Risk Management Practices
To reduce your cyber risks, it is wise to develop an IT Risk Management Plan for your organisation. Such a plan uses industry standards and best practices to assess the threat of unauthorised access, use, disclosure, disruption, modification or destruction of your organisation’s information systems. Consider the following when implementing risk management strategies:
- Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterisation of all systems used at the organisation based on their function, the data stored and processed and importance to the organisation.
- Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organisation.
Due Diligence When Selecting an ISP
In addition, your organisation should take precautionary measures when selecting an internet service provider (ISP) for company business. An ISP provides its customers with Internet access and other web services; most also maintain web servers and offer web hosting. Many companies rely on their provider for backups of email and files and for firewalls that block some incoming traffic, so confirm which of these the provider actually delivers, and which remain your own responsibility.
Your clients expect you to take proper care of their sensitive information. You can never see a data breach coming, but you can always plan for a potential breach. If you have concerns in this area at your business or you have any questions, please contact Sam Leeder on 01302 341344.