Are you ready for the changes to PCI? Putting data security at the top of the agenda

Five top tips for ensuring data security in your organisation

One of The Ideal Marketing Company’s clients, IT firm Eximium, was contacted to write about how to secure data following a number of high profile problems within Government departments. In this reproduction of his article, Derrick Cameron, Managing Director of Eximium, explains how to ensure that you are prepared for the changes.
Data is a valuable commodity in business and its protection has recently become a high profile issue with reports of repeated security breaches at Revenue and Customs (HMRC) still making the news. Add to this the fact that few companies are adequately prepared for the new PCI legislation which comes into effect this summer, and it becomes evident that data security is an issue that many organisations need to put at the top of their agenda.

Your organisation may well have spent a lot of time and money ensuring that the data you use is well secured within your computer systems through limited access, passwords, encryption etc. But information exists to be used, and once it leaves your computer systems its security is immediately at risk. With the coming PCI legislation, you will be compelled to put stringent procedures in place to ensure data is protected once the information leaves the security of its virtual world. It is always better to plan and prepare for change rather than have it foisted upon you, so my advice to business owners and managers is to review security procedures and put new measures in place – before the new legislation forces your hand.
1. Identify where you are vulnerable

Start by reviewing your own systems and identifying all the potential ways that sensitive information could find its way out of your systems, and then make sure you have strict policies and safeguards to address any areas of risk. If different organisations’ systems are able to talk to each other, passing data using insecure mediums such as CDs or flash drives is unnecessary. However, this ideal scenario is still a long way in the future for many companies, so if this isn’t possible, at the very least you need to ensure that security procedures for the physical world are at least as stringent as those for the virtual world inside your computers.
2. Protect your data in the ‘real world’

When data is transferred between parties it is at its most vulnerable, so use the safest transfer processes you can. Electronic transmission methods, such as secure FTP (File Transfer Protocol), or a secure site to site connection using a leased line or a VPN (Virtual Private Network) over the Internet, are both preferable options that ensure data cannot be seen by unauthorised personnel. If you have no choice but to resort to using CDs or other ‘removable media’ for the transfer of sensitive information, don’t use couriers or postal services unless absolutely necessary. It’s far more secure for an employee to hand deliver the media, making sure that it has reached the correct personnel at its destination. You also need to have a policy on what happens to the media once it has been used – ideally it should be returned to the source to be destroyed. Whilst this isn’t a foolproof method, it does enable you to track your data and ensure its safe return.

3. Communicate with your staff

Unfortunately, many security breaches are committed by an organisation’s personnel – often unwittingly. Hacking and other deliberate attempts to access secure information often begin as an approach from someone trying to get sensitive information from an employee, using a confidence trick – known as social engineering. A social engineer may pretend to work for your company and get an unsuspecting member of staff to reveal confidential information. For example, by pretending they work for your company’s IT section and asking for your employee’s password to confirm their login details are working. Once in possession of this information, an experienced social engineer can access your sensitive data however and whenever they want to.

If you want to prevent this happening in your organisation, make sure that you communicate with your staff. Don’t assume that everyone has the same understanding of data security as you do.
As the manager, owner or director of an organisation, it is your responsibility to ensure that those who work for you understand the what, why and how of data security. Your staff must know which data is sensitive, why, and how to protect it. Only when they have this knowledge and understanding can they be expected to ensure its security.

4. Put policy into practice

Your starting point should be a clear and practical data security policy which everyone is aware of, has read, understood and signed – even the cleaning staff. It may sound harsh, but you then need to make explicit the importance of data security by making any violation a dismissible offence. Explain to your team why they must never give sensitive information out to anyone unless the proper procedure has been followed. If a third party does need access to data, make sure they receive only the information they need, and that any sensitive data is encrypted, removed or disguised. When transferring information to the National Audit Office, Revenue and Customs made the mistake of sending a lot of information, such as bank details, that the NAO didn’t actually need – all on disks – so this information was exposed to unnecessary risk.
5. Never volunteer more than you are asked

Keeping control over what people can access is vital: if someone needs to retrieve sensitive information, the safest choice is to give them a user id and password which enables them to access the system directly. You can then control exactly what information they are able to see and what they can do with it. Similarly, if analysis of data is required, it is better for someone in your organisation to create a report that carries out the analysis, and send this to the third party rather than all the detailed information in the source database. The golden rule is to limit access to data so that people see only the information that they need – never expose sensitive data unless absolutely necessary.

No system is ever completely foolproof, but there is no excuse for failing to regularly review and improve your security procedures. Forward-thinking organisations will learn from the lessons of HMRC’s mistakes and look upon the upcoming legislation as an opportunity to improve the way they approach data security. So start laying the foundations and plan for improvements now if you want to be prepared and at the forefront of the changes to come.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.
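Tips 4 and 5 both come down to the same control: a third party receives only the fields it is cleared for, anything sensitive is removed or disguised, and where a report will do, the report goes out instead of the rows. The Python below is an added worked example of that control, written for this page; it is not Eximium's code or the article's own. The records, the recipient names ("audit-office", "payments-bureau") and the pseudonymisation key are all constructed for illustration, and the key is a placeholder that would come from a secret store in practice.

```python
"""Data-minimised exports for a third party: a per-recipient allow-list of
fields, sensitive fields removed or disguised, and an aggregate report in
place of row-level data. Constructed sample data; not the article's code."""
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records, loosely modelled on the benefit/payment data the
# article describes. Every value is made up.
RECORDS = [
    {"ref": "C1001", "name": "A. Patel", "postcode": "LU1 1AA", "region": "East",
     "sort_code": "20-00-00", "account_no": "12345678", "amount": 80.50},
    {"ref": "C1002", "name": "B. Jones", "postcode": "LU2 2BB", "region": "East",
     "sort_code": "20-00-00", "account_no": "87654321", "amount": 120.00},
    {"ref": "C1003", "name": "C. Smith", "postcode": "M1 1CC", "region": "North",
     "sort_code": "40-00-00", "account_no": "11112222", "amount": 95.25},
]

# Fields that never leave the organisation in clear, whatever a recipient asks
# for. A field in this set may be released only through a DISGUISE function.
SENSITIVE = {"ref", "name", "postcode", "sort_code", "account_no"}


def pseudonymise(value: str, key: bytes) -> str:
    """Disguise an identifier with a keyed HMAC: the recipient can still match
    rows across files, but cannot recover the original reference."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_account(account_no: str) -> str:
    """Show only the last four digits, the usual disguise for bank details."""
    return "*" * (len(account_no) - 4) + account_no[-4:]


# How each sensitive field may be disguised if a recipient is cleared for it.
# Sensitive fields with no entry here (name, postcode, sort code) cannot be
# exported at all.
DISGUISE = {
    "ref": lambda value, key: pseudonymise(value, key),
    "account_no": lambda value, key: mask_account(value),
}

# Hypothetical recipients and their allow-lists (constructed for this example).
# The key is a placeholder; a real one would be held per recipient in a secret
# store so that pseudonyms given to different parties cannot be cross-matched.
RECIPIENT_POLICY = {
    "audit-office": {"fields": {"ref", "region", "amount"},
                     "pseudonym_key": b"placeholder-key-for-example-only"},
    "payments-bureau": {"fields": {"ref", "account_no", "amount"},
                        "pseudonym_key": b"placeholder-key-for-example-only"},
}


def minimised_export(records, recipient: str):
    """Return only the fields the recipient is cleared for, disguising any
    sensitive ones. Refuses outright if the policy would release a sensitive
    field that has no disguise, so a mis-written policy fails before any data
    leaves rather than after."""
    policy = RECIPIENT_POLICY[recipient]
    in_clear = policy["fields"] & (SENSITIVE - set(DISGUISE))
    if in_clear:
        raise ValueError(
            f"policy for {recipient} would release in clear: {sorted(in_clear)}")
    key = policy["pseudonym_key"]
    rows = []
    for rec in records:
        row = {}
        for field in sorted(policy["fields"]):
            value = rec[field]
            row[field] = DISGUISE[field](value, key) if field in DISGUISE else value
        rows.append(row)
    return rows


def regional_totals(records):
    """The 'send a report, not the database' option from tip 5: totals per
    region, with no row-level data in the output at all."""
    totals = defaultdict(lambda: {"count": 0, "amount": 0.0})
    for rec in records:
        entry = totals[rec["region"]]
        entry["count"] += 1
        entry["amount"] = round(entry["amount"] + rec["amount"], 2)
    return dict(totals)


if __name__ == "__main__":
    for row in minimised_export(RECORDS, "audit-office"):
        print("audit-office:", row)
    for row in minimised_export(RECORDS, "payments-bureau"):
        print("payments-bureau:", row)
    print("report:", regional_totals(RECORDS))
```

The allow-list is the important design choice: a policy names what a recipient may have, and everything else is absent by default, so adding a new sensitive column to the source never silently widens an export. The check in `minimised_export` turns the article's HMRC example into a hard failure: a policy that listed `sort_code` or `name` for the audit office would raise before a single row was written.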