Protect your business

We are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand or individual appears to have been the victim of hackers? This month alone (Aug 2015) Carphone Warehouse reported a security breach in which up to 2.4 million people may have had their names, addresses, dates of birth and bank details made accessible to hackers. In addition, up to 90,000 customers may have had their encrypted credit card data made accessible to hackers. Included in these numbers are customers of other mobile telephony companies which Carphone Warehouse operates or provides services for.

Also this month, the Information Commissioner’s Office (ICO) issued a fine of £180,000 to The Money Shop on account of data breaches involving two servers. One server was stolen from a store in Northern Ireland, where it had been kept in a room without adequate security controls, contrary to company policy. The other server had been lost by a courier firm in transit. Both servers contained sensitive customer information and lacked sufficient encryption. Neither has been recovered. There are other recent examples cited in contemporary media which have garnered international attention, concerning dating sites and cycling teams. The list is not exhaustive.

The loss of face, business and public confidence in such instances can be devastating to your business. The negative connotations associated with your brand can impact heavily, steering faithful and potential clients elsewhere.

The organisations in the press for the wrong reasons receive this attention because they are in the public eye and the public engage with them regularly by using their services. However, there are other organisations which are breached regularly, yet receive very few column inches.

In the four quarters of 2014/2015, the NHS/Health Services reported 747 instances of data breaches, the highest figure by some margin among organisations that have reported such breaches to the ICO. Yet very few, if any, of these breaches have been reported in the national media, even though personal medical records may have been made available to hackers. However, these instances do not solely affect large organisations.

For example, consider the local flower store, with an owner/manager and three or four casual staff who have not been vetted, located in an affluent area, which inputs customer names, addresses and phone numbers on computers lacking any form of encryption. This presents a series of information security risks. Chances are, such a situation may never see the light of day via any report, yet it may prove catastrophic for customers.

As well as the moral component associated with protecting your customers’ data, organisations, large or small, have the responsibility for implementing some form of information security policy as stipulated by law, namely the Data Protection Act 1998 and the processes and procedures pertaining to any accreditation body which your organisation may be signed up to.

Principle 7 of the DPA

The ICO identifies Principle 7 as the principle dealing specifically with security. In brief, the following applies to information security:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Specific controls are not stipulated by Principle 7, as the necessary processes will differ from firm to firm and depend on the type of information held. A large multinational with country-specific servers will have very detailed controls in place to administer its information security, compared with a charity which stores all its information in hardcopy in a locked filing cabinet in a locked room, accessible only by designated persons.

However, the risk assessments made to determine these controls will be of a similar doctrine to both the large and small organisation, in order to reach the necessary conclusions.

In the UK, regarding information security, the ICO requires that an organisation, as a minimum, takes into account the following factors in order to formulate controls:

  • The nature and extent of your organisation’s premises and computer systems;

  • The number of staff you have;

  • The extent of their access to the personal data; and

  • Personal data held or used by a third party on your behalf

The threats to an organisation’s information security can come from within, ranging from slack procedures to wilful abuse. Threats from outside the company will usually exploit vulnerabilities in your IT systems: circumventing firewalls, utilising unprotected ports, malware and so on. If your business is doing everything within its ability with regard to cost reasoning, risk analysis methods that are current and suitable for your organisation, and documented processes and procedures which are adhered to by staff, you may well run less of a risk of receiving a fine from the ICO should the worst happen and your information systems be hacked.

All things being said, the non-monetary consequences of your customers’ information being accessible to hackers carry far greater business penalties than any fine. Be pragmatic, utilise specialist advice where necessary and have an information security policy that is understood by your employees. In effect, do all you can to minimise the risk to your clients regarding the safekeeping of their sensitive information.

Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.
