Data Security Basics
Over the last decade, the world has become increasingly accessible through digital platforms. Incredible leaps have been made; however, this goes hand in hand with increasing concerns about the security of personal information. At Juniper, we’ve both had experience as Chief Information Security Officers, implementing and maintaining ISO 27001 within a business; as a result, we always have data security in mind.
Passwords
The first line of defence for any system a business uses to store or manage data should be a robust password policy. In order to ensure maximum protection, there are a few fundamentals every business should have in place:
Ensure passwords are complex (three random words, like ‘foxtrainhoney’, is common practice)
Ensure that the same password is not used on multiple systems; keep each one unique
Passwords should never be written down
Passwords should never be shared
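The four points above can be turned into working checks. The following is an added example, not code from the original post or from Juniper: it builds a three-random-word passphrase with a cryptographically secure generator, shows how much guessing work such a passphrase represents for a given word-list size, applies a minimum-length policy, and scans a vault of per-system passwords for reuse. The word list, the minimum length and the vault contents are constructed for the demonstration.

```python
import hashlib
import math
import secrets

# Constructed word list for the demonstration only. A real generator should
# draw from a list of thousands of words (the well-known EFF long list has
# 7776 entries); the tiny list here only keeps the example self-contained.
SAMPLE_WORDS = [
    "fox", "train", "honey", "river", "candle", "marble", "planet", "copper",
    "velvet", "thunder", "orchard", "lantern", "meadow", "harbour", "pebble", "quartz",
]


def generate_passphrase(words, count=3, separator=""):
    """Join `count` words chosen with the secrets module (a CSPRNG, not random)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Bits of guessing work for `count` independent picks from a list of the given size."""
    return count * math.log2(wordlist_size)


def meets_policy(password, min_length=12):
    """Minimal policy used here: a length floor. Three words from a real list clear it easily."""
    return len(password) >= min_length


def find_reused(vault):
    """`vault` maps system name -> password, as a password manager holds them.

    Returns {fingerprint: [systems]} for every password used on more than one
    system. A short hash stands in for the password so the report itself never
    contains plaintext.
    """
    by_password = {}
    for system, password in vault.items():
        fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
        by_password.setdefault(fingerprint, []).append(system)
    return {fp: systems for fp, systems in by_password.items() if len(systems) > 1}


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, separator="-")
    print("generated:", phrase, "policy ok:", meets_policy(phrase))
    print("bits for 3 words from 7776:", round(passphrase_entropy_bits(7776, 3), 1))
    # Constructed vault: the same passphrase on two systems is flagged.
    print(find_reused({"email": "foxtrainhoney", "crm": "foxtrainhoney", "bank": "riverlanternquartz"}))
```

The entropy figure is the useful sanity check: three words from a sixteen-word list give only 12 bits, which is why the list size matters far more than how the words are joined.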
Updates
Updates are key to keeping things secure; they’re often released in response to new vulnerabilities being found as malicious attacks become ever more creative. A website with out-of-date plugins poses a great security risk to a business, particularly if the website database contains important customer data.
First and foremost, we recommend switching on auto updates on personal computers and browsers. Security updates are released frequently for both Windows and macOS as well as for most major browsers, so switching on auto updates saves the hassle of remembering to keep on top of them.
For businesses with a website that includes a Content Management System (CMS), we recommend having an agreement with an agency to keep on top of CMS and plugin updates. Juniper opts to use Squarespace for building the majority of our websites because updates are managed by Squarespace as part of the monthly subscription, which ensures everything is always up to date and secure.
Two-factor authentication
Two-factor authentication is now available on most software systems. Its purpose is to ensure that when a user logs in to a piece of software, they also have to verify who they are via a second method.
There are many different options for how to do this; sometimes it is via a text message sent to a number registered against that account. When the user tries to log on, they are asked to enter a code which has been texted to them, and this prevents a third party from gaining access to that system (unless they have the person’s phone handy, of course!).
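The texted-code flow described above has a server side that is easy to get wrong, so here is an added example of it (not code from the original post or from Juniper). It shows both factors checked in order: the password first, then a six-digit one-time code that is stored only as a hash, expires after a few minutes, is accepted once, and locks after a handful of wrong guesses. The user table, salt, time-to-live and attempt limit are constructed for the demonstration; delivery of the code by SMS is assumed to happen outside this code.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a texted code should die quickly (constructed value)
MAX_ATTEMPTS = 5         # six digits are guessable if attempts are unlimited (constructed value)


def _digest(username, code):
    # Store only a hash of the code, so a leaked table does not leak live codes.
    return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()


class SecondFactor:
    """Issues and checks one-time codes that are delivered out of band (e.g. by SMS)."""

    def __init__(self):
        self._pending = {}   # username -> {"digest", "expires", "attempts"}

    def issue_code(self, username, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded to six digits
        self._pending[username] = {
            "digest": _digest(username, code),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # hand this to the SMS gateway; never write it to a log

    def verify(self, username, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False                     # nothing issued, or already used
        if now > entry["expires"]:
            del self._pending[username]      # stale code is discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]      # too many guesses: force a fresh code
            return False
        ok = hmac.compare_digest(_digest(username, submitted), entry["digest"])
        if ok:
            del self._pending[username]      # single use
        return ok


# Constructed first factor: one demo user with a salted PBKDF2 password hash.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 100_000
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"foxtrainhoney", _SALT, _ITERATIONS),
}


def check_password(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login(factor, username, password, code, now=None):
    """Both factors must pass; a wrong password never reaches the code check."""
    if not check_password(username, password):
        return False
    return factor.verify(username, code, now)


if __name__ == "__main__":
    factor = SecondFactor()
    code = factor.issue_code("alice")          # in practice this goes to alice's phone
    print("login with both factors:", login(factor, "alice", "foxtrainhoney", code))
    print("replaying the same code:", login(factor, "alice", "foxtrainhoney", code))
```

Two design points are worth noting: the attempt counter lives with the pending code, so a guessed code cannot be brute-forced across the five-minute window, and `hmac.compare_digest` is used for both factors so that the comparison time does not depend on how many characters matched.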
Access to your systems
As we mentioned earlier in this post, we strongly recommend that passwords are kept secure and not shared, even within a business. Adding separate user accounts, rather than sharing password information, ensures that control over the top-level administration of an account is kept safe.
For example, when hiring an external agency to develop a new website, a business will often need to provide access to its existing website or domain control. By adding a new user with its own account, the business sharing the access can control the permission levels of that user and protect against theft or unwanted changes being made. In the unfortunate situation where a business relationship doesn’t work out, this also means that the user account can simply be deactivated, rather than risking an external party retaining access to vital systems.
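An added example of the account model the section argues for (not code from the original post or from Juniper): each person gets their own user with a permission level, every action is recorded against the user who made it, and an external user can be deactivated without touching the owner’s credentials. The permission levels, user names and actions are constructed for the demonstration; a real CMS or domain registrar has its own role names.

```python
from dataclasses import dataclass, field

# Constructed permission levels for a website / domain control panel.
# Only the owner can manage users or move the domain; an agency developer
# gets just enough to do the job.
PERMISSIONS = {
    "owner": {"view", "edit_content", "manage_users", "transfer_domain"},
    "developer": {"view", "edit_content"},
    "viewer": {"view"},
}


@dataclass
class User:
    name: str
    role: str
    active: bool = True


@dataclass
class AccountSystem:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _allowed(self, actor_name, action):
        actor = self.users.get(actor_name)
        # Deactivated users fail here regardless of what role they held.
        return actor is not None and actor.active and action in PERMISSIONS[actor.role]

    def _record(self, actor, action, target, allowed):
        # Per-user accounts make the log meaningful: a shared login would
        # record the same name for everyone.
        self.audit_log.append({"actor": actor, "action": action, "target": target, "allowed": allowed})

    def bootstrap_owner(self, name):
        self.users[name] = User(name, "owner")

    def add_user(self, actor, name, role):
        ok = self._allowed(actor, "manage_users") and role in PERMISSIONS
        if ok:
            self.users[name] = User(name, role)
        self._record(actor, "add_user", name, ok)
        return ok

    def deactivate(self, actor, name):
        # An owner cannot deactivate themselves, so the account is never left ownerless.
        ok = self._allowed(actor, "manage_users") and name in self.users and name != actor
        if ok:
            self.users[name].active = False
        self._record(actor, "deactivate", name, ok)
        return ok

    def perform(self, actor, action):
        ok = self._allowed(actor, action)
        self._record(actor, action, None, ok)
        return ok


if __name__ == "__main__":
    site = AccountSystem()
    site.bootstrap_owner("owner@business.example")
    site.add_user("owner@business.example", "dev@agency.example", "developer")
    print("agency edits content:", site.perform("dev@agency.example", "edit_content"))
    print("agency transfers domain:", site.perform("dev@agency.example", "transfer_domain"))
    site.deactivate("owner@business.example", "dev@agency.example")
    print("agency edits after deactivation:", site.perform("dev@agency.example", "edit_content"))
    for entry in site.audit_log:
        print(entry)
```

The audit log is the part that shared passwords cannot give you: when the relationship ends, the business can see exactly which changes the agency user made, and the owner account was never exposed.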
Phishing
Phishing is the act of sending out fake emails in order to obtain information, access to systems or money from someone through deception. Over the years, the emails have become more elaborate and harder to spot, so it’s hardly a surprise that phishing is one of the most successful methods used to catch people and their businesses out.
There are a few things you can look out for when receiving an email to try and identify a phishing attempt:
Does the ‘from’ email address look correct? If it’s from someone familiar, is the address different from usual, or does the domain not match?
Does the language used in the email seem incorrect?
Is the email asking you to click a link and supply information or reply with personal information or financial details?
If there’s a logo included (e.g. in the footer) is it correct?
Our advice is that if there is any chance that an email could be a phishing attempt, it should be deleted immediately. No reputable business will ask for personal, confidential or financial information to be shared via email.
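Two of the checks in the list above (does the sender’s domain match the contact you know, and is the email asking you to follow a link and hand over details) can be automated as a first-pass triage. The following is an added example, not code from the original post or from Juniper: it parses a raw message, compares the display name against an address book of expected domains, and flags a link that is paired with a request for credentials or financial details. The address book, the wording patterns and the two sample emails are constructed; the messages are assumed to be plain text rather than multipart.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the domain that contact really sends from.
KNOWN_CONTACTS = {"Juniper Accounts": "juniper.example"}

# Constructed wording that, next to a link, signals a request for secrets or money.
REQUEST_PATTERNS = [
    r"\bpassword\b", r"\blog ?in\b", r"\bverify your account\b",
    r"\bbank details\b", r"\bcard number\b", r"\bpayment\b",
]
URL_RE = re.compile(r"https?://[^\s>\"]+", re.IGNORECASE)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable reasons the message looks like phishing."""
    msg = message_from_string(raw_message)
    reasons = []

    # Check 1: a familiar name arriving from an unfamiliar domain.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and domain != expected:
        reasons.append(f"sender '{display_name}' normally uses @{expected} but this came from @{domain}")

    # Check 2: a link plus a request to supply credentials or financial details.
    body = msg.get_payload()   # plain-text body assumed for this example
    urls = URL_RE.findall(body)
    asks = [p for p in REQUEST_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if urls and asks:
        reasons.append("contains a link and asks for credentials or financial details")

    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Juniper Accounts <accounts@juniper-billing.example>
To: you@business.example
Subject: Invoice overdue

Please log in at http://juniper-billing.example/pay to verify your account and confirm your card number.
"""

LEGITIMATE = """From: Juniper Accounts <accounts@juniper.example>
To: you@business.example
Subject: Monthly report

The report for last month is attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

A result of no indicators does not mean an email is safe; the checks only encode the two signals that are mechanical. The language and logo checks from the list still need a person, which is why the advice to delete anything doubtful stands.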
Right to erasure
One of the things introduced by the UK GDPR was an individual’s right to erasure, or right to be forgotten. There are a number of circumstances in which a person has the right to request that their personal details are erased:
They have requested to be removed from a mailing list they have subscribed to
The data that has been collected about them is no longer necessary because the original purpose for storing it is no longer relevant
The individual’s data has been processed without their consent
The individual who the data belongs to is a child
Full detail is available on the ICO website explaining how to handle requests for erasure of data appropriately and what individuals’ rights are.
If you’re looking to improve the security in your workplace, or gain peace of mind when it comes to dealing with your customers’ data, we could help you. Juniper has experience with embedding ISO 27001 into multiple businesses and maintaining it through inspection. If you’d like to chat to us more about how we might be able to help your business, please do get in touch.