Many business owners register with the data commissioner’s office. After all, that is a legal requirement of any business that holds personal information.
The Information Commissioner’s Office (ICO) defines personal data as any data from which an individual can be identified.
Few understand the implications of registering. The registration fee is, at time of writing, just £35.00 and the fines for not doing so can be very significant.
You may not realise that you have a responsibility to protect personal data, or if you do, you may not know what that really means. You filled in the form, answered the questions and paid the fee. Done for another year, right? Wrong!
Here are some simple steps you can take to stop you becoming the next news headline for sensitive data leakage.
So here are the things you should do to secure your PC systems.
1) Buy a proper Anti-Virus Solution, don’t rely on free software.
2) Patch your operating system regularly. If it isn’t patched up to date then it is vulnerable to attack.
3) Use a good firewall system. I prefer hardware firewalls but these are no good for mobile computing.
4) When mobile, don’t just connect to any free Wi-Fi in range! The number of people that do this is staggering, and it is fast becoming the hacker’s favourite way to harvest personal information and sell it on to others for profit. If you really want to see this being done, watch this fantastic video from Trend Micro’s Rik Ferguson.
5) Laptops, smart phones and tablets should also be password protected and, where possible, their hard drives should be encrypted.
6) If you are sending personal data, you MUST encrypt it. There are many products out there to help you encrypt storage devices such as memory sticks and CDs. If you leave it on a train, make sure it is useless to journalists!
7) USE COMPLEX PASSWORDS – See my earlier blog on how to create and remember complex passwords. Also how to have different passwords for each web site and never forget them or need to write them down. Rock solid, tried and tested system.
8) Train your staff – Make sure they understand THEIR RESPONSIBILITY to protect sensitive data. Remember, any information that can identify an individual is sensitive.
9) Physical security. Make sure you lock and secure your hard drives. If the drives are encrypted then a thief gets the computer but not the data. Store your backups on encrypted drives OFF SITE.
The best way to compromise personal data: write down your password and stick it on your monitor, so the thief doesn’t have to waste time with password crackers when he gets your kit home. Think about it.
10) Cloud-based storage? – Be SURE it is being stored in the EU to comply with European data protection standards. The US standards are fine too, but if you are going to store information in the cloud, ask the question “Where will my data be held?”
11) NEVER give your password to anyone over the phone. Why would anyone else ever need it?
12) Staff should not know each other’s passwords. If you organise your data and security on your systems correctly then no one should ever need to know anyone else’s password. For their own protection staff should be made aware that they risk breaching data protection guidelines by doing so. This is serious stuff.
You don’t need to know your staff’s passwords either. For your own protection, don’t do this.
Your account (or, in larger companies, your system administrator’s account) can reset anyone’s password without knowing what it was. Any time a password is reset, the system security log records that it happened.
This protects the rights of the user whose password has been reset. When they return to work they should immediately change their own password so that they alone know it once more.
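The security-log entry mentioned above is only useful if someone actually looks at it. The script below is an added example, not part of the original post: it lists recent password resets on a Windows machine, assuming the “Audit User Account Management” policy is enabled (so event ID 4724, “an attempt was made to reset an account’s password”, is written to the Security log) and that it is run from an elevated PowerShell session with rights to read that log.

```powershell
# Added example (not from the original post): list recent password resets from the
# Windows Security log. Assumes "Audit User Account Management" is enabled so that
# event ID 4724 (password reset by someone other than the account owner) is recorded,
# and that the session has rights to read the Security log (run as administrator).
param(
    [int]$Days = 30   # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

# 4724 is the reset event; 4723 would be a user changing their own password.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No password resets recorded since $since."
    return
}

$events | ForEach-Object {
    # Read the named fields from the event XML rather than relying on positional Properties.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        When     = $_.TimeCreated
        ResetBy  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Account  = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Computer = $_.MachineName
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Any reset you did not perform yourself, or one performed outside office hours, is worth a follow-up question.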
13) Never enter personal data into web sites that do not at least use HTTPS rather than HTTP. To be sure you are entering the data safely, you should see no warnings about certificate errors. If you do, close the browser and contact the web site owners.
Apart from the technology side of things you should also think about some of the everyday basics too.
14) Keep printing of documents with sensitive data to a minimum.
15) Shred unwanted personal information – Use a cross-cut shredder.
16) Shred unwanted data CDs too – but only if they hold unwanted personal data.
17) Have a clear desk policy. Paperwork left on desks doesn’t need a password to read.
This is by no means an exhaustive list. I strongly recommend you visit this page on the ICO web site.
Also download the ICO’s IT Security Practical Guide.