If you have personal data within your IT system you need to take
appropriate technical measures to secure it. The measures you put in place
should fit the needs of your particular business. However, they don’t have to
be expensive or time consuming. Hopefully, the practical steps in this guide from
the ICO will help you decide how best to manage the security of the personal
data you hold.
Assess the threats and risks to your business
Before you can determine the right level of security for
your business you will need to review the personal data you hold and assess the
risks to that data.
As part of this consider all processes involved that require
you to collect, store, use and dispose of personal data. Include how valuable,
sensitive or confidential the information is and what damage or distress could
be caused to individuals if there was a security breach.
Get certified with Cyber
There is no single product that will provide a complete guarantee
of security for your business.
The ICO recommends using a set of security controls that
complement each other. Be aware they will require ongoing support in order to
maintain an appropriate level of security.
The UK Government’s Cyber Essentials Scheme describes the
following five key controls for keeping information secure. Obtaining a Cyber
Essentials certificate can provide certain security assurances and help protect
personal data in your IT systems.
The key areas covered by Cyber Essentials are your
and internet gateways
This will be your first line of defence against
an intrusion from the internet.
A well configured firewall can stop breaches
happening before they penetrate your network.
An internet gateway can prevent users within
your organisation accessing websites or other online services that present a
threat or that you do not trust.
Remove unused software and services from your
devices to reduce the number of potential vulnerabilities.
Older versions of some widely used software have
well-documented security vulnerabilities. If you don’t use a piece of software, it is safer
to remove it than to try to keep it up-to-date.
Make sure you have changed any default passwords
used by software or hardware – these are well known by attackers.
Restrict access to your system to users and
sources you trust. Each user must have and use their own username and password.
Each user should use an account that has
permissions appropriate to their role within the business.
You should also only use administrator accounts
when strictly necessary (e.g. for installing known and trusted software).
A brute force password attack, in which an attacker simply tries many passwords in turn, is a common cause
of security breaches; the attacker could even be a casual user trying to get onto your Wi-Fi.
Enforce strong passwords, limit the number of failed login
attempts and enforce regular password changes.
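The following is an added example of how the two technical controls above are typically enforced in a login routine; it is not code from the ICO guide. The in-memory user store, the small common-password deny-list and the thresholds (five failures inside a 15-minute window, 30-minute lockout) are assumptions chosen for illustration. Passwords are stored only as salted PBKDF2 hashes, and the `now` parameter exists so the sequence can be replayed without waiting.

```python
"""Added example (not from the ICO guide): password policy plus lockout after
repeated failed logins. Store, deny-list and thresholds are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 12
MAX_FAILURES = 5            # failed attempts tolerated inside the window
FAILURE_WINDOW = 15 * 60    # seconds over which failures are counted
LOCKOUT_SECONDS = 30 * 60   # how long the account stays locked
PBKDF2_ITERATIONS = 200_000  # lowered for demo speed; OWASP currently suggests 600,000

# Constructed deny-list; in practice load a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty123", "welcome1", "admin"}


def check_password_policy(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class Authenticator:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: float | None = None) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None:
            # Hash anyway so an unknown username takes as long as a wrong password.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < account.locked_until:
            return "locked"
        # Forget failures that have fallen out of the counting window.
        account.failures = [t for t in account.failures if now - t < FAILURE_WINDOW]
        _, digest = hash_password(password, account.salt)
        if hmac.compare_digest(digest, account.digest):
            account.failures.clear()
            return "ok"
        account.failures.append(now)
        if len(account.failures) >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures.clear()
            return "locked"
        return "denied"


def demo() -> list[str]:
    """Replay a brute-force run and return the outcome of each attempt."""
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    t0 = 1_700_000_000.0
    results = [auth.login("alice", f"guess{i}", now=t0 + i) for i in range(5)]
    results.append(auth.login("alice", "correct horse battery staple", now=t0 + 10))  # still locked
    results.append(auth.login("alice", "correct horse battery staple", now=t0 + LOCKOUT_SECONDS + 11))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the lockout is in force: that is the point of the control, and it is also why lockouts should be time-limited rather than permanent, so an attacker cannot lock legitimate users out indefinitely by guessing wrongly on purpose.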
Passwords or other access should be cancelled
immediately if a staff member leaves the organisation or is absent for long
You should have anti-virus or anti-malware
products regularly scanning your network to prevent or detect threats.
You will also need to make sure they are kept
up-to-date and that it is switched on and monitoring the files that it should
You should also make sure you receive and act
upon any alerts issued by the malware protection.
Patch management and
Computer equipment and software need regular
maintenance to keep it running smoothly and to fix any security
Security software such as anti-virus and
anti-malware needs regular updates in order to continue to provide adequate
Keep your software up-to-date by checking
regularly for updates and applying them. Most software can be set to update
If your system is a few years old, you should
review the protection you have in place to make sure that it is still adequate.
Secure your data in
The physical security of equipment is important
to consider as devices containing personal data could be stolen in a break-in
or lost whilst away from the office.
Ensure that personal data on your systems is
protected against these types of threats.
Prevent or limit the severity of data breaches
by separating or limiting access between your network components. If you can
confine the processing of personal data to a specific section of your network
you may be able to reduce the scope of the required security measures.
Ensure that the same level of security is
applied to personal data on devices being used away from the office.
Many data breaches arise from the theft or loss
of a device (e.g. laptop, mobile phone or USB drive), but you should also
consider the security surrounding any data you send by email or post.
Allowing untrusted devices to connect to your
network or using work devices on untrusted networks outside your office can
also put personal data at risk.
Increase the physical security of your office
including storing your servers in a separate room with added protection.
Back-up devices, CDs and USBs should not be left
unattended and should be locked away when not in use.
Ensure that personal data is either not on the
device in the first place or that it has been appropriately secured so that it
cannot be accessed in the event of loss or theft.
Good access control systems and encryption will
help. Encryption is a means of ensuring that data can only be accessed by
authorised users. Typically, a (strong) password is required to ‘unlock’ the
Encryption comes in many different forms and
offers protection under different circumstances.
• Full disk encryption means
that all the data on the computer is encrypted.
• File encryption means that
individual files can be encrypted.
• Some software offers password
protection to stop people making changes to the data but this may not stop a
thief reading the data.
Make sure you know exactly what protection you
are applying to your data.
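To make the third bullet concrete, here is an added example that is not part of the ICO guide. It builds two constructed file containers from the same record: PROTECTED mimics software that stores only a hash of a "password to modify" beside the plain-text contents, and ENCRYPTED derives a key from the password with PBKDF2 and encrypts the contents with an authenticated cipher. The cipher is assembled from the Python standard library only (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) so that the example runs anywhere; it is there to show the principle, and for real data you should use a vetted primitive such as AES-GCM from the `cryptography` package, or full-disk encryption.

```python
"""Added example (not from the ICO guide): "password protection" versus
encryption. Both container formats and the sample record are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

MAGIC_PROTECTED = b"PROT1"
MAGIC_ENCRYPTED = b"ENC1"
PBKDF2_ITERATIONS = 200_000

# Constructed sample record of the kind a laptop might hold.
RECORD = b"name=Jane Smith;dob=1984-03-12;postcode=SW1A 2AA\n"


def save_password_protected(data: bytes, modify_password: str) -> bytes:
    """'Password to modify': only a hash of the password is stored; the data stays in clear."""
    salt = os.urandom(16)
    check = hashlib.pbkdf2_hmac("sha256", modify_password.encode(), salt, PBKDF2_ITERATIONS)
    return MAGIC_PROTECTED + salt + check + data


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]  # encryption key, MAC key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: demo stream cipher, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def save_encrypted(data: bytes, password: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return MAGIC_ENCRYPTED + salt + nonce + tag + ciphertext


def open_encrypted(blob: bytes, password: str) -> bytes:
    """Return the plaintext, or raise ValueError on a wrong password or tampering."""
    if not blob.startswith(MAGIC_ENCRYPTED):
        raise ValueError("not an encrypted container")
    body = blob[len(MAGIC_ENCRYPTED):]
    salt, nonce, tag, ciphertext = body[:16], body[16:32], body[32:64], body[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or file tampered with")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def thief_can_read(raw_file: bytes) -> bool:
    """What a thief with the stolen disk does: search the raw bytes for the data."""
    return b"Jane Smith" in raw_file or b"SW1A 2AA" in raw_file


def demo(password: str = "correct horse battery staple") -> dict:
    protected = save_password_protected(RECORD, password)
    encrypted = save_encrypted(RECORD, password)
    return {
        "protected_readable_by_thief": thief_can_read(protected),
        "encrypted_readable_by_thief": thief_can_read(encrypted),
        "encrypted_round_trips": open_encrypted(encrypted, password) == RECORD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "protected" file still yields the name and postcode to anyone who reads the raw bytes, because the password only gates the application's edit function; the encrypted file yields nothing without the password, and a wrong password or a flipped byte is rejected rather than producing garbage.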
Some mobile devices support a remote disable or
wipe facility. This allows you to send a signal to a lost or stolen device to
locate it and, if necessary, securely delete all data. Your devices will
normally need to be pre-registered to use a service like this.
If you permit employees or other users to
connect their own devices to your network you will be increasing the range of
security risks and these should also be addressed with a policy on Bring Your
Own Device (BYOD).
Secure your data in
There is a wide range of online services, many built into
today’s smartphones and tablets, that require users to transfer data to
remote computing facilities, or “The Cloud”.
Processing data in the cloud represents a risk
because the personal data for which you are responsible will leave your network
and be processed in those systems managed by your cloud provider.
Therefore, you need to assess the security
measures that the cloud provider has in place to ensure that they are
Make sure you know what data is being stored in
the cloud and the geographical location of those servers. Current computing
devices, especially those targeted at consumers, can have cloud backup or sync
services switched on by default.
Consider the use of two factor authentication
especially for remote access to your data in the cloud.
Back up your data
If you were to suffer a disaster such as fire,
flood or theft you need to be able to get back up and running as quickly as
Loss of data is also a breach of the DPA.
Malware can also disrupt the availability of
access to your data. Known as ‘ransomware’ this type of malware can encrypt all
your data and only provide you with the means to decrypt the data after payment
of a ransom.
You need to have a robust data backup strategy
in place to protect against disasters but also malware, such as ransomware.
Back-ups should not be stored in a way that
makes them permanently visible to the rest of the network. If they are then
they can be encrypted by malware or the files accidentally deleted.
At least one of your back-ups should be
Train your staff
Your employees may have a limited knowledge of
cyber security but they could be your final line of defence against an attack.
Accidental disclosure or human error is also a
leading cause of breaches of personal data. This can be caused by simply
sending an email to the incorrect recipient or opening an email attachment
Employees at all levels need to be aware of what
their roles and responsibilities are.
Train your staff to recognise threats such as
phishing emails and other malware, and alert them to the risks involved in
posting information relating to your business activities on social networks.
Encourage general security awareness within your
organisation. A security aware culture is likely to identify security risks.
Keep your knowledge of threats up-to-date by
reading security bulletins or newsletters from organisations relevant to your
Be aware of current
Cyber criminals or malware can attack your
systems and go unnoticed for a long time.
Many people only find out they have been
attacked when it is too late even though the warning signs were there.
Check your security software messages, access
control logs and other reporting systems on a regular basis.
Act on any alerts that are issued by these
Have the ability to check what software or
services are running on your network.
Be able to identify if there is something there
which should not be.
Run regular vulnerability scans and penetration
tests to scan your systems for known vulnerabilities – make sure you address
any vulnerabilities identified.
Make sure you have suitable procedures in place
Good, well-written policies will enable you to
address the risks in a consistent manner; they should be
integrated into current business processes.
Some organisations do not have adequate levels
of protection because they are not correctly using the security they already
have, and are not always able to spot when there is a problem.
Consider the actions you should put into place
should you suffer a data breach. Good incident management can reduce the damage
and distress caused to individuals. With the incoming GDPR you need to be able
to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals.
Review the personal data you currently have and
the protection you have in place.
Make sure you are compliant with any industry
guidance or other legal requirements.
Document the controls you have in place and
identify where you need to make improvements.
Once any improvements are in place, continue to
monitor the controls and make adjustments where necessary.
Consider the risks for each type of personal
data you hold and how you would manage a data breach. This way you can reduce
the impact if the worst was to happen. You should also have an acceptable-use
policy and training materials for staff so that they know their data protection
Minimise your data
Personal data should be accurate, up-to-date and
kept for no longer than is necessary.
Over time you may have collected large amounts
of personal data. Some of this data may be out-of-date and inaccurate or no
Decide if you still need the data. If you do,
make sure it is stored in the right place.
If you have data you need to keep for archive
purposes, but don’t need to access regularly, move it to a more secure
location. This will help prevent unauthorised access.
If you have data you really no longer need, you
should delete it. This should be in line with your data retention and disposal
policies. You might need specialist software or assistance to do this securely.
10. Outsourced IT
Make sure your data is being treated with at
least the same level of security as you would.
Ask for a security audit of the systems
containing your data. This may help to identify vulnerabilities which need to
Review copies of the security assessments of
If appropriate, visit the premises of your
Check the contracts you have in place. They must
be in writing and must require your contractor to act only on your instructions
and comply with certain data protection obligations.
Consider asset disposal – if you use a supplier
to erase data and dispose of or recycle your IT equipment, make sure they do it
adequately. You may be accountable if personal data gathered by you is
extracted from your old IT equipment when it is resold.