2017 has been a year of high-profile data breaches, bringing data security to the forefront of public attention once again and eroding the trust placed in organisations to look after personal data.
Data breaches can cause long-lasting damage to an organisation’s reputation, but it’s not just about brand image – organisations have a legal responsibility to keep personal data safe, and regulators can impose heavy penalties on those that fail to do so.
With so much at stake, what can organisations do to secure their data against threats?
The role of HR
While data security is an IT issue from a technical standpoint, HR departments have a key role to play in making sure that data security measures are baked into an organisation’s design and roles. This includes ensuring that the right skills are developed to improve the effectiveness of controls, and that people processes are followed when enforcement is necessary.
Breaches are often caused by bad practice or employee oversight, such as working over untrusted public networks, losing a device or removable drive containing sensitive information, or leaving access controls too loose. Recently a USB stick containing sensitive Heathrow security data, including details of the Queen’s route to the airport and the associated security measures, was found on a London street, highlighting the risk of carrying sensitive data on unencrypted devices.
While it’s difficult to remove the human factor from data security entirely, weaknesses can be kept to a minimum with effective training. It is HR’s responsibility to ensure that everyone is crystal clear on the importance of data handling and security, on what they must do in practice, and on the damage that a breach can cause.
The triple A’s of network security
It is vital that your organisation has effective control over access to its network and systems, and the ability to track what users do once they are in. To this end, the “AAA” model helps organisations control access in three steps: Authentication, Authorisation and Accounting.
Authentication – this is the process of verifying that someone is who they say they are. Despite the emergence of more high-tech methods of user authentication, passwords remain the most common way of protecting accounts, so a sound password policy is still the first line of defence against would-be attackers.
Simple measures such as setting a minimum password length, blacklisting common and previously breached passwords, and storing passwords only as salted, slow hashes will go some way to mitigating the risk of someone assuming your identity. Two traditional measures deserve caution: current guidance (NIST SP 800-63B) recommends against forced periodic password changes unless compromise is suspected, because they push users towards predictable variations, and rigid complexity rules tend to produce short, formulaic passwords rather than long ones.
Weak password recovery mechanisms are also an issue to consider – for example when the information required to reset a lost password, such as a “security question”, is too easily guessed or can be found in social media posts or public databases. A recovery path is only as strong as the weakest check on it.
You can also go a step further with two-factor authentication, which adds an extra layer of security by requiring a second factor alongside the password: something the user has (a code from a hardware token or a smartphone app) or something the user is (a biometric). One-time codes sent by SMS are better than a password alone, but they are the weakest of these options because phone numbers can be hijacked, so prefer an authenticator app or hardware token where you can.
Authorisation – this is the process of granting or denying access to an authenticated user, and enables organisations to control which data can be seen by which people by assigning permissions to roles rather than to individuals. Essentially, this allows you to limit each user’s access to the data needed for the performance of their work (the principle of least privilege), with anything not explicitly granted denied by default. The process of revalidating access when staff change roles, and revoking it during off-boarding, is often only as effective as the HR processes that trigger it.
Accounting – this is the process of recording user activity on a computer network for audit purposes, including failed logins and denied requests, not just successful ones. Auditing should be a key part of any GDPR programme; after all, in the event of a breach, the last thing you want is to find that auditing wasn’t turned on, that the logs could be altered by the person you are investigating, or that the breach had been going on for months with nobody checking the logs.
The AAA model is such an effective way of controlling and recording an action that its steps appear in many non-IT situations. Take a card payment, for example – your card and PIN confirm who you are (authentication), your bank then confirms that you have an active account with sufficient funds (authorisation), and the receipt and your statement record the fact that the transaction took place (accounting).
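The three steps above, worked through in code. This is an added example and not code from the original article or from MHR: it wires together a password policy check (minimum length and a blacklist), a salted PBKDF2 password hash, an RFC 6238 TOTP second factor, deny-by-default role-based authorisation, an off-boarding step that strips access, and an audit trail that records every decision, allowed or refused. The `Service` class, the `PERMISSIONS` table and the small blacklist are this example’s own constructions, standing in for a real user directory and a real breached-password list.

```python
"""Added example: a minimal AAA flow (authenticate, authorise, account).
Not from the original article; names and sample data are constructed here."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

MIN_LENGTH = 12
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "welcome12345"}

# Role -> permissions. Deny by default: anything not listed here is refused.
PERMISSIONS = {
    "payroll_admin": {"payroll:read", "payroll:write"},
    "employee": {"payslip:read"},
}


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blacklist")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen user table is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, RFC 4226 truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    roles: set = field(default_factory=set)
    active: bool = True


class Service:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.audit: list[dict] = []         # accounting: one entry per decision
        self._dummy_salt = os.urandom(16)   # keeps unknown-user look-ups timing-similar

    def _record(self, action: str, who: str, ok: bool, now: int) -> None:
        self.audit.append({"t": now, "user": who, "action": action, "ok": ok})

    def register(self, name: str, password: str, roles, totp_secret: bytes = None) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.users[name] = User(salt, hash_password(password, salt),
                                totp_secret or os.urandom(20), set(roles))

    def authenticate(self, name: str, password: str, code: str, now: int) -> bool:
        user = self.users.get(name)
        # Hash even for unknown names so response time does not reveal valid accounts.
        salt = user.salt if user else self._dummy_salt
        expected = user.pw_hash if user else b"\x00" * 32
        pw_ok = hmac.compare_digest(hash_password(password, salt), expected)
        code_ok = user is not None and hmac.compare_digest(totp(user.totp_secret, now), code)
        ok = user is not None and user.active and pw_ok and code_ok
        self._record("authenticate", name, ok, now)
        return ok

    def authorise(self, name: str, permission: str, now: int) -> bool:
        user = self.users.get(name)
        allowed = bool(user and user.active
                       and any(permission in PERMISSIONS.get(r, set()) for r in user.roles))
        self._record(f"authorise {permission}", name, allowed, now)
        return allowed

    def offboard(self, name: str, now: int) -> None:
        """The HR leaver step: disable the account and strip every role."""
        user = self.users[name]
        user.active = False
        user.roles.clear()
        self._record("offboard", name, True, now)
```

The TOTP secret `b"12345678901234567890"` at time 59 yields `287082`, the RFC 4226/6238 test vector, which is a convenient way to check the second-factor code without a phone. Note that the audit list records the refused attempts as well as the successful ones; a log that only contains successes tells you nothing about a brute-force attempt or a leaver still trying to get in.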
Encryption
Encryption is a process that transforms information so that it is unreadable to anyone not authorised to access it. The only practical way to read encrypted data is with the key (or the passphrase that unlocks it), which decrypts the data back into a readable form. Data encryption won’t stop your systems being hacked, but it makes stolen data far harder to use, acting as a last line of defence against hackers – provided the key is not stored alongside the data, which is the caveat that undoes many “encrypted” systems.
Data can be encrypted when in transit, i.e. when being sent from one place to another (typically with TLS), or when at rest, i.e. in storage, whether through full-disk encryption, database-level encryption or encrypting individual fields. Encryption of data in transit is now seen as standard, with encryption of data at rest seen as increasingly important, particularly for laptops and removable media that can be lost or stolen.
The nature of data security threats, as well as the measures designed to prevent them, are constantly changing. Make sure that you stay up to date with the latest news around vulnerabilities, data breaches and hacking trends. Learn from these events and change your systems accordingly.
Standards and independent assurance
Organisations are increasingly focussing on compliance with internationally recognised security standards such as ISO 27001 and ISAE 3402. These provide independent assurance that an organisation’s controls have been designed and implemented to adhere to a specific set of criteria. And by checking certificates and obtaining clean assurance reports such as SOC 2 from your suppliers, you can build assurance across your supply chain.
SOC 2 assurance is carried out by independent and qualified auditors, with reports based on the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), criteria that are required to be objective, measurable, complete and relevant under the governing attestation standards. A SOC 2 Type II report describes the controls tested and the auditor’s findings, and can be relied upon by a customer’s own auditors as evidence about a supplier’s security controls; controls over financial reporting relevant to Sarbanes-Oxley (SOX) are the subject of the companion SOC 1 report.
Where a certification such as ISO 27001 or a SOC 2 Type I report gives a snapshot of control design at the time of assessment, a SOC 2 Type II report tests whether the controls actually operated effectively over a sustained period, typically six to twelve months, using evidence sampled from that period. An annual Type II report covering a 12-month period therefore shows that controls are checked continuously rather than only on audit day, and is a materially stronger form of independent assurance.
Organisations investing in a SOC 2 report should make sure they are familiar with the scope statement, the controls matrix and any exceptions the auditor noted, as these are critical to understanding what the audit actually covered and what it found.
Here at MHR we take data security very seriously. As a result, we now offer full SOC 2 Type II audit reports to our customers, with a total of 105 controls.
Our customers can also make use of our transparent data encryption (TDE) service, which encrypts the database files on disk so that data is protected when at rest.
If you are a customer of MHR and would like more information on any of these services, please feel free to contact your Business Development Manager, or alternatively please contact us at firstname.lastname@example.org or call 0115 945 7713.