Part two: Preventing Breaches, Access Control and Network Security
When evaluating your organisation’s cyber security, it is important that you look at all aspects of your IT infrastructure. A good way of making sure you address all potential issues is to map each person’s role and how they interact with your network, customers and data.
I’ll use ‘Company A’ from my previous post:
‘Company A’ has three departments: Sales, Accounts and Warehouse. All three access the customer data in some shape or form. The Data Protection Officer starts by reviewing each role and how it accesses and uses the various parts of the IT infrastructure and data.
| Asset | Current situation | Recommendation |
|---|---|---|
| PCs | All departments: each staff member has their own PC with a password protected profile | Implement a password policy that includes regular password updates |
| Printer | Sales: staff members do not print personal data. Accounts and Warehouse: only staff members within the department have access to the printer, and confidential waste is destroyed securely | |
| Telephone | Wi-Fi is shared throughout the building and is shared with guests | Create a second guest access which is restricted to a separate subnet. This will provide an isolated network which can still access the internet. |
| Network | The departments all use the same 192.168.1.x network | Provide a separate subnet for the Accounts department, which will isolate the data they hold from the rest of the company. |
| Shared Drive / NAS | Sales: no shared drive. Accounts: staff have access to a password protected NAS. Warehouse: no shared drive | |
| Bring Your Own Device (BYOD) | Staff have access to their emails on their smartphones, and connect to the Wi-Fi when in the office | Ensure anti-virus software is installed on every device. See note 1 below for additional advice. |
| Removable Media | Sales: staff use USB drives to transfer large sales datasets. Accounts and Warehouse: no removable media used | Scan removable media regularly and avoid connecting third party devices. |
| Server Access (via terminal or PC) | No access | |
| Server Access (physical) | The server is stored within one of the department areas | Consider securing the server in a locked room or cabinet. |
Note 1. – It is advised that you have a BYOD policy in your Employee Handbook. This is to ensure that each individual understands their responsibilities if they choose to use their own device. Also consider the Data Protection/GDPR implications where remote monitoring software is used (such as cloud-based antivirus which allows you to scan a device).
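The two network recommendations in the table (an isolated guest subnet and a separate Accounts subnet) only hold if the firewall rules between the subnets are written and ordered correctly. The following is an added example, not code from the original article: it models the segmentation as a first-match rule set and checks it in Python. Only the 192.168.1.x network comes from the article; the Accounts and guest subnet addresses, the rule set and the test addresses are constructed placeholders, and the second rule set shows the ordering mistake that silently defeats the isolation.

```python
import ipaddress
from collections import namedtuple

# Zones for 'Company A'. 192.168.1.0/24 is the shared network the article names;
# the Accounts and guest subnets are constructed placeholders.
ZONES = {
    "sales_warehouse": ipaddress.ip_network("192.168.1.0/24"),
    "accounts": ipaddress.ip_network("192.168.2.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
Rule = namedtuple("Rule", "src dst action")  # evaluated top to bottom, first match wins

# Hypothetical rule set implementing the article's recommendations: explicit denies first,
# then the broad "to anywhere" allows that give each subnet internet access.
GOOD_RULES = [
    Rule("guest", ZONES["sales_warehouse"], "deny"),
    Rule("guest", ZONES["accounts"], "deny"),
    Rule("sales_warehouse", ZONES["accounts"], "deny"),
    Rule("accounts", ZONES["sales_warehouse"], "deny"),
    Rule("guest", ANY, "allow"),
    Rule("sales_warehouse", ANY, "allow"),
    Rule("accounts", ANY, "allow"),
]
# Common mistake: a broad allow placed first shadows every deny below it.
BAD_RULES = [Rule("guest", ANY, "allow")] + GOOD_RULES

def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if ip in net), None)

def is_allowed(src_ip, dst_ip, rules):
    """True if the firewall passes src_ip -> dst_ip; unmatched traffic is denied."""
    src, dst = zone_of(src_ip), ipaddress.ip_address(dst_ip)
    if src is None:
        return False
    if zone_of(dst_ip) == src:
        return True  # same subnet: switched locally, never crosses the firewall
    for rule in rules:
        if rule.src == src and dst in rule.dst:
            return rule.action == "allow"
    return False

def segmentation_report(rules):
    """Check the article's recommendations; 203.0.113.5 stands in for the internet."""
    guest, sales, accounts = "192.168.50.10", "192.168.1.20", "192.168.2.20"
    return {
        "guest_cannot_reach_lan": not (is_allowed(guest, sales, rules) or is_allowed(guest, accounts, rules)),
        "guest_reaches_internet": is_allowed(guest, "203.0.113.5", rules),
        "accounts_isolated": not (is_allowed(sales, accounts, rules) or is_allowed(accounts, sales, rules)),
    }
```

Running `segmentation_report(GOOD_RULES)` gives every check as True, while `segmentation_report(BAD_RULES)` reports that guests can reach the internal subnets even though the deny rules are still present.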
One of the main security vulnerabilities within any network is human error. The main human error which can affect many businesses is password integrity (or the lack thereof). Many people use the same password for multiple services or use personal details which can be found on social media.
One suggestion is to use three or four random words strung together, e.g. christmasdoorfrog.
Also, change passwords regularly. Keeping the same password for too long increases the chance of someone guessing it.
Most software allows you to restrict what a user can access or do. By implementing this, you can tailor access and privileges to the user’s role and requirements. You can also prevent users from installing software on their PC by using the UAC feature in the Windows operating system.
When disposing of equipment, it is advised that if it has any kind of memory or hard drive (NAS, PCs, laptops, etc.) you dispose of it securely. Many services will provide this and supply you with a certificate of destruction.
In the next part of this series of articles, I will look at emerging technologies and their implications on GDPR and Data Protection.
By Gareth Hopkins