Where to start with "A Practical approach to Data Protection"
Customer Data Protection
When someone says "data protection", people's eyes glaze over, yet the Data Protection Act 1998 is important not just to businesses but to the public in general. The Data Protection Act will, however, be replaced in 2018 by the GDPR.
Don't worry, this article is not going into the depths of the Data Protection Act; instead we want to focus on what you can do to protect your data and your clients' data.
This article applies to everyone in business, no matter whether you are a one-man band with client contact details held on your mobile phone, a shop owner who does or does not have to comply with PCI DSS, or a multi-national corporation. If you have data about your business and/or your clients held anywhere (even on paper) then this applies to you!
First Thoughts on Security Considerations
As Microsoft Windows has developed, one of the key issues that Microsoft has tried to resolve is that of security. With Windows 10 they have taken a leap forward in protecting your data.
Many people seem to have focused on the wording of the licence for Windows 10 and what it allows Microsoft to do, such as removing counterfeit software. Is this wrong? Of course not. In fact, if you are in business and your systems have counterfeit software, you are opening yourself up to data loss in a big way.
Pirated software usually has additional code in it that allows hackers to gain access to your system and therefore your data. With cloud-based services these days, using legitimate software should be easier than ever; after all, the monthly cost of a copy of Office 365 is a pittance.
Whilst we are on cloud-based systems, it is worth remembering that unless you encrypt the data you store in the cloud, chances are it could end up in the wrong hands no matter how security conscious the vendor is. New hardware is already being developed that will take care of this for you, but it isn't here yet, so be warned.
We will come back to security a little later after we have looked at the severe fines that you could incur by not taking Data Security seriously.
This is about BIG companies, isn't it?
No, definitely not: your company's data security is the responsibility of everyone in your company. Failing to comply can be costly in more than just monetary terms.
Throughout this article I will drop in a few rulings from the ICO (Information Commissioner's Office) that demonstrate how important it is to take these issues seriously. This is not an attempt to scare you, neither is it a marketing ploy of any sort; many people believe that getting "caught out" will never happen to them, but in fact it can happen to anyone who doesn't take reasonable steps to protect their data.
Here are some recent rulings detailing action taken in the United Kingdom by the Information Commissioner's Office:
Date: 16 April 2015 Type: Prosecutions
A recruitment company has been prosecuted at Ealing Magistrates' Court for failing to notify the ICO. The recruitment company pleaded guilty and was fined £375 and ordered to pay costs of £774.20 and a victim surcharge of £38.
and here's another:
Date: 05 December 2014 Type: Monetary penalties
The company behind Manchester's annual festival, the Parklife Weekender has been fined £70,000 after sending unsolicited marketing text messages.
The text was sent to 70,000 people who had bought tickets to last year's event, and appeared on the recipients' mobile phone to have been sent by "Mum".
Let's look at the simplest way in which you can protect your data. Forget expensive pieces of hardware: they can be circumvented if the core principles of data protection are not addressed.
Education is by far the easiest way to protect data on your computers and therefore on your network. This means taking time to educate the staff and updating them on a regular basis.
Here's what we discovered - shocking practices
In 2008 we were asked to perform an IT audit on an organisation, nothing unusual, except that a week before the date of the audit I received a phone call from a senior person in that organisation; the call went something like this:
"We didn't mention before that we have had our suspicions about a member of staff in a position of authority. He seems to have had a very close relationship with the IT company that currently supports us. We also suspect that he has been completing work not related to our organisation using the computer in his office. When we told him about the upcoming IT audit he became agitated, and the more insistent we were that he should comply, the more agitated he became."
This resulted in this individual's computer being the subject of an all-but-forensic inspection. Apart from an unlicensed game, we found nothing, and, believing that the information we were looking for may have been deleted, we performed a data recovery on the disk drive.
The results caused consternation and required us to contact the ICO. We found a lot of very sensitive data that did not belong