Continuing his scene-setting series on the general data protection regulation (GDPR), Stewart Twynham sets the baseline for what any organisation should have in place ahead of the new regime.
In 2014, Whitehead Nursing Group issued a laptop to a member of staff who took it home. It was stolen during an overnight burglary - and contained personal data relating to 29 residents of the nursing home along with 46 staff.
Content seriesView full content series
In August 2016, the group was issued with a £15,000 penalty from the Information Commissioner’s Office (ICO).
Although the theft was a criminal act, the ICO investigated and discovered that the laptop was routinely kept in an unlocked office and that it was normal practice for nurses to take the laptop home to complete outstanding work.
The data was unencrypted and the nursing home had no policies governing the use of encryption, homeworking, the storage of mobile devices, nor did it provide any data protection training for its staff.
Most data protection fines aren’t issued because organisations have poor controls in place - they’re issued because there are no controls in place.
In this article I am going to look at some of the baseline controls and policies that all organisations should use.
HR and staff security
If your business is large enough to warrant an employee handbook, then it’s large enough to need some basic security policies.
- Screening. Candidates for employment, contractors and third party users should all undergo background verification commensurate with risks.
- Security awareness and training. Staff who process personal data should receive training on the obligations relevant to their job function.
- Disciplinary processes. A formal process should be defined for employees who have committed a security breach.
- Termination or change of employment. All assets including devices, media and data should be returned and access rights revoked or updated upon termination or change of employment.
Larger businesses normally choose to record all assets, but as a minimum all entities should:
- Keep a register of portable assets. This includes all devices which could be used to store personal data such as portable drives, USB devices, media cards, cameras, laptops, smartphones, tablets, etc. Include model and serial numbers to aid identification and establish whether vulnerabilities might apply to them in the future. Bright asset labels can help flag up unauthorised devices around the office.
- Acceptable use of assets. A policy should clearly define the use of business assets, for example how laptops are to be secured off premises and in transit, and requirements for homeworking such as mandatory data protection training and line manager approval.
- BYOD policy. The acceptable use of personal equipment (“Bring Your Own Device”) should be clearly defined. Prevent ad-hoc use of any removable media or storage which is not owned by the business.
- Replace equipment that is no-longer supported. Unsupported equipment will no longer receive critical updates and should be replaced as soon as possible.
- Securely dispose of redundant equipment, data and media. Arrange for equipment to be wiped, destroyed or securely stored. Do not accidentally destroy the only copy of personal data which would be notifiable.
- Secure assets and devices with strong passwords. Use Two-Factor Authentication (2FA) where supported. A later article will cover passwords and 2FA in more detail.
- Apply the rule of least privilege. Staff do not need to browse the web or open e-mails with Administrator or Root privileges. Access restrictions can limit the impact of phishing and malware.
- Change default passwords and settings. Installed software, firewalls, printers, routers, backup drives, security cameras and so on can all ship with weak or insecure passwords. In order to make things “plug and play” many devices also include remote management tools and services that are all switched on by default. These security back doors should be disabled.
- Secure cloud and supplier accounts. Don’t overlook accounts that are rarely used, such as domain registrar and/or DNS. These are an easy way for an attacker to hijack your e-mail, web services or set up a fake SSL certificate in your name.
Encryption is a necessary part of GDPR but not a magic bullet. Cryptography can also be used to confirm authenticity, for example by signing e-mails.
- Set desktops, laptops and other devices to encrypt all data at rest. This encrypts the whole drive, so machines will require a password just to boot up. Any data is inaccessible if the device is stolen.
- Use encryption to secure all data in transit. Personal data should be encrypted before being copied onto mobile devices, storage or to the cloud. Some devices offer automatic encryption - make sure you understand how this works and any limitations that the device might have (some devices may not encrypt in real-time leaving the possibility that data on the device isn’t fully protected if ejected unexpectedly).
- Check encryption settings are correct. Software and devices can ship with weak settings by default. Ensure you understand how these settings work.
- Manage encryption keys securely. Make sure that any encryption keys are stored securely and cannot be stolen with the information, or lost so you cannot access it either.
- Wrap everything into an encryption policy. This should clearly set out when encryption should and should not be used, for example you may choose to sign all email instructions to data processors, but only require encryption if it contains personal data.
Physical and environmental controls
- Ensure an appropriate level of physical security which is commensurate with the risks. This might include walls, fences, manned desks, security guards, locked doors and cabinets or security bolts fitted to portable equipment.
- Use a media-rated fire safe. This will provide a safe place to store media and backup devices (rather than on desks or in drawers) and give protection from fire and casual theft.
- Use an uninterruptible power supply (UPS). This should be configured to automatically shut down servers and/or desktops safely in the event of power failure.
Communications and operational security
- Use the principle of separation. Keeping things separate is at the heart of any defensive strategy. Separating systems can help keep assets out of reach of malware. Separating roles (where two people have to agree) can help to prevent fraud or mistakes.
- Separate departments into different networks with only necessary communications allowed between them. This can help prevent the spread of malware over ad-hoc file shares.
- Use a dedicated machine for online banking and don’t use it for normal web browsing or email.
- Keep work and personal devices separate. Don’t allow work devices to be used by family members for casual surfing and don’t allow unapproved home devices to be used on the work network.
- Do not allow guests onto your work network. Set up a guest WiFi network if Internet access is regularly needed and don’t allow company devices onto this network.
- Install anti-virus software. The best anti-virus software may not be the free one-year subscription that came bundled with your laptop, so be prepared to shop around. Understand that most anti-virus struggles with the very latest threats including ransomware and file-less attacks - so don’t assume it’s a magic bullet.
- Update your software. Any piece of outdated software is a potential route in to your computer network - so keep every application up to date. The “automatic updates” box doesn’t include all software; some will need to be updated manually, and some software may only check the next time it loads or exits. Critical security patches should normally be installed within 14 days.
- Update your firmware. Hardware devices need updates too - this is called firmware. That means everything from your desktops and smartphones through to your Internet router, network printers, security cameras and removable drives.
- Configure mobile devices for maximum security. Turn on PIN/password protection, and features such as remote tracking, remote locking and remote wiping.
- Use a firewall. Most computers have a software firewall built in - this provides useful protection once you are outside your home network - so make sure it’s turned on. Small businesses should consider installing a dedicated hardware firewall between their Internet router and internal network and ensure that it is correctly configured and that management access is restricted.
- Only install legitimate apps. Only download software from safe sources such as the Apple or Google Stores or vendor websites. Consider using settings which prevent normal users from installing their own software.
- Avoid using USB devices and other removable media to exchange files externally. A cloud sharing site such as Dropbox or Google Drive reduces the risk of malware being transferred into your network. Personal data should be encrypted.
- Don’t use public WiFi connections. 4G mobile tethering or a USB dongle should be used unless you can securely connect via your work VPN.
System acquisition, development and maintenance
For many businesses, their website will be their first bespoke piece of software - being Internet facing it is essential that any personal data is protected.
- Develop web applications in line with best practice. Use commercial standards such as the Open Web Application Security Project (OWASP) or the SANS Top 25 to guide you. If you accept credit card payments, you should comply with PCI DSS.
- Keep underlying frameworks up to date. Many web applications are built on top frameworks (such as .NET) or existing products (such as Wordpress or Umbraco). These should be maintained and kept up to date.
- Test your website. Websites should be penetration tested prior to launch, then at least annually and after any significant upgrade.
Something new in GDPR Article 28 is a strict requirement regarding contractual terms that must be in place with data processors. I will cover the practicalities of this in more detail in a later article.
- Backup your data and systems. Make sure everything you require is included on the backups. This may require you to shut down software and databases to allow access to all files. Because of the danger of ransomware you should never keep backup devices permanently connected to your computer or network. A good methodology is to rotate a minimum of three backup devices so that at least one device always remains securely off-site at all times.
- Test your backups regularly. Keep a separate machine securely off site which can be used to test backups and provide a platform for rapid recovery in the event of a system disaster. This machine should also be fully encrypted.
- Encrypt your backups and keep them secure. Protect your backup drives and ensure that the data on them cannot be accessed in the event of loss or theft. Keep old backup drives and tapes secure or have them destroyed.
Next time: The evolving threat - who and what we’re protecting against and understanding the elusive nature of privacy.