Following the recent high-profile leaks of sensitive financial and trust-related documentation, we set out below some best-practice tips for Trustees to protect their business from data attacks:
- Regularly back up data: Implementing regular backups ensures that critical data will not be lost in the event of a cyber-attack. Backups should be stored securely off-site and/or on cloud storage facilities, and should be encrypted.
- Educate your workforce: Employees are often described as both the first line of defence and the biggest vulnerability when companies protect themselves against cyber-attacks, and they are a key part of the PPT (people, processes and technology) defence methodology. Employees must be trained on the different methods of cyber-attack so that they know the red flags to look out for. Training should be updated regularly as threats change, and notifications should be sent round when specific threats target the sector. Ideally, your information security team should generate internal ‘fake phishing’ emails to test employees’ ability to identify them. Response rates should be monitored to check that training is having an effect, and those who click on the link or open the attachment should receive additional training. There are of course many technological solutions which should be used to protect against attacks, but threats can sometimes still find their way through, so it is important that employees are alive to this and can recognise a dangerous email or attachment. You should also have an internal reporting policy in place so that a notification can go out quickly to all employees once an attempted attack has been identified.
- Enforce good password practice: If a corporate password falls into the hands of a cybercriminal, serious damage could be caused. Good password policies are essential and must be enforced. All default passwords must be changed; IT systems should automatically reject common or easy-to-guess passwords (“password blacklisting”); password sharing must be prohibited; and account lockout and protective monitoring should also be deployed, so that brute-force password attacks are not possible. It should be noted that there is now differing guidance as to what constitutes a ‘good’ password. For example, the National Cyber Security Centre now advocates passwords formed of three random words rather than combinations of letters, numbers and special characters, because such combinations encourage password re-use between accounts and the writing down of passwords, both of which are significant security risks.
- Use encryption: All laptops, tablets, mobile devices and any USB sticks which employees may use outside of the office should be effectively encrypted, to minimise the exposure risk to the company should these devices fall into the wrong hands. As a minimum, all data should be encrypted at rest (i.e. data which is not moving and is stored on a hard drive, laptop, flash drive or archive), and ideally more sensitive data should also be encrypted in transit (i.e. when it is being moved between devices or networks). Encryption must be effective, so regular consideration must be given to whether an encryption methodology remains secure. Passwords must never be stored in plain text and should always be salted and hashed, and care must be taken as to where encryption keys are stored.
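As an added example that is not part of the original article, the password-handling controls from the two points above (rejecting blacklisted and default passwords, locking an account after repeated failures, and storing only a salted hash) in Python; the blacklist contents, the PBKDF2 work factor and the lockout threshold are assumed values:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample blacklist: a real deployment would load a large list of
# breached and common passwords plus every vendor default it has ever shipped.
BLACKLIST = {"password", "password1", "123456", "qwerty", "welcome",
             "letmein", "admin", "changeme", "default"}
PBKDF2_ROUNDS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5          # assumed lockout threshold

def password_is_acceptable(pw: str) -> bool:
    """Reject short, blank or blacklisted passwords (compared case-insensitively)."""
    p = pw.strip().lower()
    return len(p) >= 8 and p not in BLACKLIST

def hash_password(pw: str) -> str:
    """Salted hash for storage: 'pbkdf2_sha256$rounds$salt_hex$digest_hex'."""
    salt = os.urandom(16)  # fresh random salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(pw: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

@dataclass
class Account:
    username: str
    stored_hash: str       # only the salted hash is kept, never the plaintext
    failures: int = 0
    locked: bool = False

def attempt_login(acct: Account, pw: str) -> bool:
    """Lock the account after MAX_FAILURES consecutive bad passwords."""
    if acct.locked:
        return False  # locked accounts refuse even the correct password
    if verify_password(pw, acct.stored_hash):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False
```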
- Promote an internal security policy: Aside from cyber-attacks, companies can still be exposed to threats through their own poor management of data. For example, an employee might leave a printout of a sensitive document, or a device full of confidential data, in a public place. With this in mind, it is important to have an internal corporate policy in place which (i) emphasises the importance of the proper disposal of paper-based documents; (ii) discourages employees from taking sensitive hard-copy documentation outside of the office; and (iii) prohibits employees from using their own personal email accounts, laptops or personal cloud storage to store sensitive information.
- Breach response plan: Whilst it is sensible to take steps to ensure that your business does not fall victim to a data breach, you still need a plan in place to deal with the fallout from one, and you should test that plan against different breach scenarios. The plan should set out a clear decision-making protocol (including at board level) and a list of immediate next steps with responsibility already assigned. If you do not have the necessary in-house specialist legal, forensic IT and PR support, you should have preferred external providers in place that you can call on in the event of an emergency.
- Insurance: Review your insurance policy to check whether your business would be covered for any losses it suffers in the event of a cyber-attack. If your current policy does not provide adequate cover for the business, consider obtaining a specialist cyber liability insurance policy.