by Ricky Kelly, Partner at Ronan Daly Jermyn
Not all companies are lucky enough to have ISO27001 accreditation, but all companies are capable of acting like they do. Since the outbreak of Covid-19, your IT department are either now seen as heroes or villains but, in either case, are working extremely hard at keeping systems operational in reversal of what is the norm. It is sometimes difficult to see the wood for the trees when systems and normal ways of work are being challenged at pace. Along with the normal and often invisible workings of an IT department needing to be fulfilled, there is a new risk with entire work populations working from home. Below are five key technology and security considerations for your business and IT operations.
- Humans are your weakest link – Implement and measure security awareness training
Reputation damage, increased cost and financial loss are all symptoms of successful Cyber and Data Breaches. Breaches also increase demand on what are now already threadbare IT and Management personnel. The National Cyber Security Centre reports that 90% of all breaches are caused by staff error through clicking on email links. This can be simply remedied by appropriate and focused staff training. It is essential that that training extends to all personnel with senior management and executives being the focus of more targeted phishing and business email compromise attacks. Now is the time to have staff take security awareness training, which can be easily run remotely, if they have not already done so. Under Data Protection Laws organisations must be in a position to demonstrate their compliance. One way of achieving this is by undertaking staff training, measuring the success of that training and accompanying it with ongoing simulated Phishing attacks. Where staff, notwithstanding having completed their training, continue to be socially engineered they should be identified for additional training and, where necessary, restrictions placed on their access.
- Know your “version of the truth”
It is now believed that attackers can go unnoticed on your systems for over 190 days before being discovered. Data Protection Law requires that organisations implement appropriate technical measures which includes measures that allow for the identification of system weaknesses and breaches as soon as they arise. With most, if not all, of your computer assets now having moved outside your traditional building setting, understanding exactly what your asset database is, and knowing what your “version of the truth” is, becomes essential. This version of the truth should be measured against Microsoft patching numbers, antivirus updates, MFA reports, encryption reports, asset assignment reports, et cetera. What’s measured is controlled. Balancing the version of truth across all of these essential items should be demanded by business leaders from their IT departments. - Create detailed traffic flow reports
Understanding what is normal traffic is also key right now across all your data lines. Daily detailed reports on traffic flow, in and out of your network, will allow you to build a view on exactly what normal is and therefore identify any unusual or threat activity. Businesses internet lines have become the main entry and exit point of your data and good reporting from your firewall or VPN service will show the most important and heavily used data type in your company. Deal quickly with removing non business or network congesting traffic. - Time to think digital transformation
Traditionally project freezes come into play in times like this of much flux. Where there is little certainty on how long this crisis will last we must treat our current situation as the new normal. Well-managed fast-track security projects should continue with risk-based meetings driving positive brainstorming around “what if” situations. Do not waste the great opportunity for positive digital change during this crisis. Two key concepts and requirements of Data Protection law for future project planning are the implementation of data protection by design and data protection by default. Data Protection by design requires that data privacy features and enhancing technologies be embedded into the design of projects from an early stage. Data Protection by default on the other hand requires that default user settings be data protection friendly and that only data which is necessary for the specific purpose be gathered. Where the type of processing envisaged is likely to result in a high risk to the rights and freedoms of natural persons, including non-data protection rights, organisations are required to undertake an assessment of the impact. This is done by way of a Data Protection Impact Assessment. Where an organisation implements a new process or technology, which ultimately results in a data breach, one of the first requests from the Data Protection Commission will be for a copy of your DPIA.
- Be kind
Your IT department are used to stressful situations, putting out fires and being contacted by people at the end of their tether after trying numerous ways to solve their problem. This is normal. Today they are providing technical help to large volumes of employees working remotely for the first time, sometimes with stressful home office situations that can exaggerate all issues. Be kind to your IT team. Their life has got far crazier. More haste, less speed: the key to avoidable errors.
About the author
Ricky’s core areas of practice are Dispute Resolution, Cyber and Data Protection, and Insolvency related litigation. He has broad experience advising a range of foreign, national, multi-national and institutional clients in complex and high value cases in the Corporate, Debt Recovery, Insolvency and Restructuring, Insurance and Professional Risk, and Construction sectors.
Ricky co-leads RDJ’s Cyber and Data Protection Group. His experience includes the provision of advice and compliance training to a range of private and public organisations in relation to their implementation and compliance with the General Data Protection Regulation and Data Protection Act 2018.