Cyber security – Managing the risk

For cyber risk to be adequately addressed, cyber security strategies should be secure, vigilant and resilient. Identifying the risks is a good place to begin.

Workplace Risks

  • Sensitive information on the walls and left uncovered on desks
  • Sharing passwords, or keeping passwords in easy-to-find places
  • Unlocked computers

Home Risks

  • Document disposal is not secure
  • Unsecured networks
  • People overhearing discussions or viewing sensitive information
  • Documents left lying around
  • Burglary
  • Use of personal social media accounts may create a risk

On The Move Risks

  • Discussing sensitive information in public areas
  • Your security pass is easily accessible/visible to the public
  • Equipment is left unattended even for a brief moment
  • Sensitive documents are in clear view of onlookers

Get Technical – protect company equipment:

Malware protection: install anti-virus solutions on all systems. Consider restricting access to inappropriate websites to lessen the risk of exposure, and create a policy governing when and how security updates should be installed.

Network security: increase protection of your networks, including wireless networks.

Secure configuration: maintain an inventory of all IT equipment and software.

Managing user privileges: restrict employees and third-party access to IT equipment, IT systems and information to the minimum required.

Home and mobile working, including use of personal devices for work: ensure that sensitive data is encrypted when stored or transmitted online so it can only be accessed by authorised users.

Removable media: restrict the use of removable media such as USB drives and protect any data stored on such media to prevent data being lost and malware from being installed.

Monitoring: monitor use of all equipment and IT systems, collect activity logs, and ensure that you have the capability to identify any unauthorised or malicious activity.

Ensure the correct policies covering home working and remote working are rolled out to employees. These policies will detail how the employee is responsible for mitigating the risks when working from home or on the move.

Training can also be rolled out to educate employees on the risks, the signs of a potential breach and how to mitigate them, for example how to conduct business safely when working in exposed public places.

Make sure HR works closely with IT to incorporate appropriate IT training and to schedule regular IT ‘check ups’ of employees’ workplace devices.

We hope you enjoyed our article. Look out for tomorrow’s blog: “Cyber security – How HR can help”.

Get in touch and let HR Revolution run through a GDPR audit to see where and how quickly changes can be implemented.

Call +44 203 538 5311, email hello@hrrevolution.co.uk or visit www.hrrevolution.co.uk, where our expert CIPD HR professionals are waiting to help you with any questions you may have.

HR Revolution; supporting you, your employees AND your business.


Cyber security – What are the responsibilities?

It is a company’s responsibility to identify information that could be at risk and needs to be protected, and to understand the ethical, legal and regulatory requirements relevant to holding and protecting such information.

The company also needs to establish policies and procedures to manage the risks and reduce the impact on the business should a breach occur. Companies can do this by training employees, contractors, suppliers and others on the policies and procedures in place; this will ensure they are aware of what is required of them.

The company will need a mechanism for managing and reporting cyber security incidents, ensuring that it does not transfer ownership of risk through outsourcing.

Companies are legally bound by certain acts, the most important being the Data Protection Act 1998. There are eight principles to follow; however, the following two principles are worth highlighting:

Principle 7 – Information security: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Principle 8 – International: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

All other legal requirements to be followed can be found in the Companies Act 2006 and the Computer Misuse Act 1990.

What are the employee responsibilities?

It is important for employees to be aware of the potential risks in their day-to-day tasks. They need to be aware of and adhere to company security policies and procedures, and understand their personal, legal and ethical responsibilities for protecting the business.

There is always a real and present danger and both companies and employees need to be aware of the damage that can be caused by a cyber incident. Here are some statistics from 2016:

46% of small businesses experienced at least one cyber security breach or attack in the last 12 months (2016 – 2017). The average business faced costs of £1,570 as a result of these breaches.

(April 2017, Cyber Security Breaches Survey 2017)

Cyber breaches are caused by system failure, human error or malicious acts. They result not only in loss of revenue and damage to the company’s reputation, but also in potential personal and professional embarrassment, potential legal action and possible career consequences.

HR can put systems in place to monitor:

  • Employees working unusual hours
  • Employees requesting access to information they are not permitted to see
  • Employees who are leaving, through a thorough exit interview
  • Sharing of passwords
  • Sharing of computers
  • Using company computers for personal emails and social accounts
  • Emailing confidential information without adequate protection
  • Emailing confidential information to organisations external to the company without adequate checks.
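As an added example (not code from the article or from HR Revolution), the following Python script checks a constructed activity log for three of the indicators listed above: logins outside working hours, repeated denied access to restricted data, and confidential email sent externally or without encryption. The log format, the internal mail domain and the working-hours window are assumptions.

```python
from datetime import datetime

# Constructed sample activity log (hypothetical format, not from the article).
SAMPLE_LOG = """\
2017-03-14T09:02:11 user=jsmith event=login result=success
2017-03-14T02:13:45 user=ppatel event=login result=success
2017-03-14T10:20:03 user=jsmith event=file_access path=/finance/payroll.xlsx result=denied
2017-03-14T10:21:17 user=jsmith event=file_access path=/finance/payroll.xlsx result=denied
2017-03-14T11:05:40 user=ppatel event=email to=partner@external-example.org label=confidential encrypted=no
2017-03-14T11:07:02 user=ppatel event=email to=hr@company.example label=confidential encrypted=no
"""

INTERNAL_DOMAIN = "company.example"   # assumed company mail domain
WORK_HOURS = (7, 19)                  # assumed normal working window, 07:00 to 19:00

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_alerts(log_text):
    """Return (user, reason) tuples for the indicators HR and IT should review."""
    alerts = []
    denied = {}  # per-user count of refused file accesses
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        user = r.get("user", "?")
        if r.get("event") == "login" and not (WORK_HOURS[0] <= r["ts"].hour < WORK_HOURS[1]):
            alerts.append((user, f"login outside working hours at {r['ts']:%H:%M}"))
        elif r.get("event") == "file_access" and r.get("result") == "denied":
            denied[user] = denied.get(user, 0) + 1
            if denied[user] == 2:  # second refusal: repeated attempts to reach restricted data
                alerts.append((user, f"repeated denied access to {r.get('path')}"))
        elif r.get("event") == "email" and r.get("label") == "confidential":
            to_domain = r.get("to", "").rpartition("@")[2]
            if to_domain != INTERNAL_DOMAIN:
                alerts.append((user, f"confidential email to external domain {to_domain}"))
            elif r.get("encrypted") == "no":
                alerts.append((user, "confidential email sent without encryption"))
    return alerts
```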

We hope you enjoyed our article. Check in tomorrow for the next blog in this series: “Cyber security – Managing the risks”.


Cyber security – What is it and what does it mean?

Cyber security is the protection of computers, networks, programs and data from unintended or unauthorised access, change, theft or destruction. It is a company’s responsibility to protect and keep secure data such as:

  • Personal information – names, addresses, NI numbers, ethnicity, bank details
  • Customer information – financial data, business data

A breach in cyber security can greatly affect you and your business, so it is important to understand what the potential risks are and where they come from in order to guard against them. Let’s go through some key points to be aware of:

Firstly you need to understand the main things that are at direct risk in the event of a security breach: your money, your information/data and your reputation.

So you know what’s at risk; now you need to know who could pose a risk:

  • Negligent employees
  • Disgruntled employees that may have malicious intent
  • Business competitors for economic advantage
  • Criminals for financial gain

A breach in your Cyber Security can be carried out in many different ways including:

  • Theft/unauthorised access
  • Remote attack / hacking
  • Attacks on third-party systems, e.g. the company bank account
  • Accessing information from employees

OK, so now you know what is at risk, who might want to carry out a cyber attack and how they might do it, but do you know what the fundamental impact is on your business? The bottom line: a cyber attack can result in:

  • Financial loss from theft
  • Financial loss from disruption to trading
  • Loss of business from bad publicity/damage to reputation
  • Costs for cleaning up affected systems
  • Costs of fines if personal data is lost
  • Damage to companies you work closely with

All of the above can truly be the undoing of a business.

There are many different types of cyber security attacker:

Opportunists – Usually attack for personal gain, reputation or financial gain. They only target organisations when an easy opportunity presents itself.

Cyber Criminals – Steal information e.g. credit card or bank details for financial gain.

Hackers – Usually attack for financial gain or for the challenge of breaking into a secure site. Hackers access information or deface websites for political or ideological ends.

Insiders – Usually disgruntled or dishonest employees who destroy or steal information to cause embarrassment. They may damage or steal equipment to disrupt the business. Employees may also mistakenly send confidential information to the wrong recipient.

And they have many ways in which they will carry out an attack:

Social media exploitation – The act of using sites such as Facebook, Twitter and others to attack a computer system.

Hacking – A type of remote attack to gain unauthorised access to data in a system or computer, mainly via personal IT equipment.

Phishing – Fake emails and/or web links.

Malware – Software with a hidden function to capture data. This software can also encrypt workstations and demand ransom money.

Denial of Service – A type of attack that is designed to bring a network to its knees by flooding it with useless traffic, preventing legitimate users from accessing information or services.

Insider threat – A malicious attack perpetrated on a network or computer system by a person or employee with authorised system access.

One of the most common attacks is fake emails, and we have all had them. If you are unsure whether an email is genuine, ask yourself:

  • Do I recognise the sender’s email address?
  • Do I know this person?
  • Is this their usual email address?

Note: spammers attempt to send email using the legitimate email addresses of your friends, colleagues or family. They may have obtained these addresses from contact lists using malware installed on those people’s computers.

Emails should always have meaningful subject lines. Ask yourself these questions:

  • Does this email subject look unusual?
  • Are there spelling mistakes?
  • Is there excessive punctuation?

Out-of-the-ordinary or poorly written subject lines may hint at a fraudulent or spam email.

Lastly, be wary of links in emails: they can be easily disguised and may take you to malicious websites.
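As an added example (not code from the article or from HR Revolution), here is a Python function that applies the checklist above to an email: is the sender known and writing from their usual address, is the subject line full of odd punctuation or capitals, and does any link’s visible text name a different site from the one it actually points to. The address book and the sample emails are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed address book: person -> the address they usually write from (hypothetical data).
KNOWN_CONTACTS = {
    "Alice Smith": "alice.smith@example.co.uk",
    "Bob Jones": "bob.jones@example.co.uk",
}

ADDR_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s]+@[^<>\s]+)>?\s*$')
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def parse_from(header):
    """Split a From: header into (display name, lower-cased address)."""
    m = ADDR_RE.match(header)
    if not m:
        return "", header.strip().lower()
    return (m.group(1) or "").strip(), m.group(2).lower()

def domain_of(url):
    """Host part of a URL or bare hostname, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_email(from_header, subject, html_body):
    """Apply the article's checks; return a list of warnings (empty means nothing looked odd)."""
    warnings = []
    name, addr = parse_from(from_header)
    usual = KNOWN_CONTACTS.get(name)
    if usual is None and addr not in KNOWN_CONTACTS.values():
        warnings.append(f"unknown sender: {addr}")          # "Do I know this person?"
    elif usual is not None and addr != usual:
        warnings.append(f"{name} normally writes from {usual}, not {addr}")  # "Is this their usual address?"
    if len(re.findall(r"[!?$]", subject)) >= 3:
        warnings.append("excessive punctuation in subject")
    if subject.isupper() or not subject.strip():
        warnings.append("unusual subject line")
    # Disguised links: the text shows one site, the href goes to another.
    for href, text in LINK_RE.findall(html_body):
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and domain_of(shown.group(0)) != domain_of(href):
            warnings.append(f"link text says {shown.group(0)} but points to {domain_of(href)}")
    return warnings
```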

We hope you enjoyed our tips and advice on cyber security and what to look out for. Check in tomorrow for the next blog in this series: “Cyber security – What are the responsibilities?”


What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU), and will apply from 25 May 2018, changing the way businesses manage personal data.

GDPR’s main concepts and principles are much the same as the current Data Protection Act, so most of your approach to compliance will remain valid under the GDPR and can be a great point to start from. However, the GDPR does come with some new elements which you will need to change and incorporate into your current processes and practice. Here we highlight the key areas you need to be aware of and act upon:

Awareness:  This may seem simple but you must make key people aware that the law is changing to the GDPR.

Information you hold: It will be necessary to document all the personal data you hold, including where it came from and who you share it with.

Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes.

Individuals’ rights: Check your procedures to ensure they cover all the rights individuals have.

Subject access requests: Update procedures and plan how you will handle requests within the new timescales.

Lawful basis for processing: Identify the lawful basis for processing activity, document it and update your privacy notice to explain it.

Consent: Review how you seek, record and manage consent. Refresh existing consents if they don’t meet GDPR standards.

Children: Put systems in place to verify individuals’ ages and to obtain parental or guardian consent.

Data breaches: Put procedures in place to detect, report and investigate a personal data breach.

Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party. Work out how to implement these.

Data Protection Officers: Designate someone to take responsibility for data protection compliance. You should consider whether you are required to formally designate a Data Protection Officer.

International: If your company operates in more than one EU member state, you must determine your lead data protection supervisory authority.

Although the new law doesn’t come into effect until May 2018 it’s a good idea to start protecting your data as best you can now.

Cyber security is a huge part of GDPR and this week our blogs will help you to understand what you need to know.

Look out for our blog tomorrow “Cyber Security, what is it?”
