No one is immune to the risk of data theft from computers, and it is a growing concern for most businesses that hold a significant amount of sensitive client data, such as accountancy practices.
With advances in technology, organisations are able to process more and more personal data – and to share it more easily. This brings many benefits, but also presents new security challenges. Several high-profile data breaches have kept information security firmly under the media spotlight, including the recent TalkTalk case in which almost 157,000 customers had their personal details hacked.
Security breaches can cause disruption to your business processes, harm to your clients, and stress for everyone involved. They can ruin the relationship of trust you have built up with your clients and, in extreme cases, can even put lives at risk.
Most individuals and businesses are now well aware of the basics of protecting laptops and desktop computers, but the nature of security threats is constantly changing, and protection requires a flexible, multi-pronged, risk-based approach.
Smartphones present another dimension: while we are putting an increasing amount of personal data into our phones, such as our physical location and passwords, many of us lag behind in our awareness of the potential security risks involved in doing this. Smartphone theft or malware could allow access to email accounts (and therefore potentially sensitive client data), social media profiles, and information about which websites you have looked at or the locations you have visited.
Legal and ethical considerations
Legally, the Data Protection Act requires businesses to put in place appropriate security measures to prevent the personal data they hold being accidentally or deliberately compromised. Businesses need to notify the Information Commissioner's Office (ICO) if a ‘personal data breach’ occurs, and let their customers know if that breach is likely to adversely affect their privacy.
There is no single “one size fits all” solution when it comes to information security. Consider how valuable, confidential or sensitive the data is that you hold, and assess the risks to that data – and the potential damage or distress that could result from a security breach. Look at all the processes involved in collecting, storing, using and disposing of personal data so that you can identify the main vulnerabilities, and you will start to get a clearer perspective on the type and breadth of security measures that are right for your business.
If you go to reasonable, or better still extraordinary, lengths to secure your devices and protect your clients' data, you will sleep easier knowing you should not be vulnerable – and that you are doing the right thing by your clients.
Key steps to protect your devices
Protect devices with secure passwords and screen lock
Always choose a strong password, which includes a mix of letters, numbers and special characters; change it regularly; and lock your screen when you walk away from your computer, particularly if you are in a public place. As a safety net, set your computer to lock the screen whenever it is idle for three minutes. On smartphones and tablets use a good, strong screen lock password. On Android, avoid pattern locks and "Face Unlock", which can easily be hacked.
Since most of us use passwords for many different websites and apps, it is tempting to use the same one over and over again. This poses a significant security risk. Password services such as 1Password can be helpful: this straightforward app locks up all your passwords in one place, where no one except you can reach them – and you only need to remember one password to access them all.
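The two points above (a mix of character classes, and never reusing one password across sites) can be checked mechanically. The script below is an added example written for this article, not part of the original post or of any password manager; the 12-character minimum and the sample vault are assumptions made for the example.

```python
import re
from collections import defaultdict

# Policy mirrors the advice above: letters, numbers and special characters.
# The minimum length is an assumption chosen for this example.
MIN_LENGTH = 12


def password_problems(password):
    """Return a list of policy violations for one password (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def reused_passwords(credentials):
    """Given {site: password}, return {password: [sites]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in credentials.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit(credentials):
    """Run both checks over a vault and return (per-site problems, reuse map)."""
    report = {site: password_problems(pw) for site, pw in credentials.items()}
    return report, reused_passwords(credentials)


# Constructed sample vault for the example; these are not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Summer2015",
    "webmail.example": "Summer2015",
    "practice-portal.example": "Tr0ub4dor&3-ledger!",
    "shop.example": "correct horse battery staple",
}

if __name__ == "__main__":
    report, reuse = audit(SAMPLE_VAULT)
    for site, problems in report.items():
        print(site, "OK" if not problems else "; ".join(problems))
    for sites in reuse.values():
        # Report only where a password is shared, never the password itself.
        print("same password reused on:", ", ".join(sites))
```

In a real audit the passwords would come from the password manager's export rather than a literal dictionary, and the reuse report deliberately prints only the affected sites.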
Encrypt hard drives
You may be under the illusion that sticking a password on your computer is all it takes to keep out prying eyes. If you haven’t also encrypted your hard drive, however, and someone then gets their hands on your desktop or laptop, they could easily whip out the hard drive in minutes, put it in another machine, and gain access to everything on it – including any sensitive data about your clients.
On a new PC running Enterprise or Ultimate versions of Windows 7 or 8 you can use Microsoft’s BitLocker solution, or there are others available. On Mac, Apple’s FileVault application will encrypt your hard drive, but remember that it is turned off by default, so you will need to switch it on. These solutions will protect your data even if the thief removes your hard drive from your laptop and accesses it directly.
Install anti-virus software on all devices
You should have anti-virus software installed on your devices to detect threats and hopefully protect them against harm. Keep this software up-to-date, and beware of free software – opt instead for well-established, widely trusted brands such as Bitdefender, Kaspersky, Webroot, McAfee and Norton. This relatively small, ongoing investment is well worth every penny.
Consider downloading a mobile anti-virus package for your smartphone, too, such as Lookout or AVG Antivirus. Most offer basic versions for free that include virus scanning.
If you use your smartphone a lot for business, and it holds the key to important client data, look into remote tracking, remote wipe and remote lock. Google and Apple provide all of these through Android and iOS. If you do mislay your device you can immediately lock it remotely to prevent prying eyes; if you lose your device you can "remote wipe" it to remove every bit of sensitive data. Alternatively you can use a paid service such as Lookout, which can also help protect devices against malware and spyware.
Never download non-regulated or pirated software
Apps provide the easiest means for hackers to gain access to your phone data. Some smartphones are more vulnerable than others. Apple’s iPhone is generally regarded as secure thanks to its ‘sandbox’ configuration, which isolates each app from the rest of the phone, while Blackberry devices use encryption software to protect data. Android phones, on the other hand, have more in common with PC operating system structures and tend to be an easier target for hackers and malware, with some reports claiming that 99% of malware targets Android devices.
Perhaps the most important way to protect yourself is to only ever download apps from official app stores: Apple’s App Store, or Google Play. A large proportion of phone malware originates from pirated software where hackers take a popular app, add on their own malicious code, then lure people in by offering it for free. Even when you are browsing apps on the official Google Play store, always scan through the user reviews before downloading anything. An app that is regularly receiving one-star reviews, or has only been downloaded a handful of times, is one to steer well clear of.
iPhones need to be "jailbroken" in order for malware to be installed. Jailbreaking an iPhone (or similarly "rooting" an Android) removes restrictions imposed by the operating system in order to access specific apps or services, but at the same time it also strips away layers of security. To help keep your phone and data secure, never jailbreak or root your phone.
Be wary of which sites you provide with personal data
When a website asks for personal data, ask yourself the following before you part with any sensitive information:
- Is it a well-established site that you trust?
- Does the URL start with "https" rather than just "http"? The additional "s" indicates that the connection to the site is encrypted, so the data you send cannot be read in transit; it does not by itself vouch for who runs the site, which is why the next check matters.
Carry out a Google search on the company name if it is not a company you already know and trust. Find contact details on their website and call the number given to confirm their identity.
Be aware of the latest scams and phishing attacks
There are also dangers involved in people trying to get hold of personal data by deception. They may pretend to be the person whom the information is about, for example, or launch a “phishing” attack.
In October of this year, a criminal ring stole 1,600 records from an accountant in the Australian city of Melbourne in attacks relating to a phishing campaign launched against users of Xero accountancy software. A phishing attack could arrive via text or email, usually asking you to follow a link and enter personal data and/or credit card details. Often these messages are cleverly designed to appear to be from a legitimate source such as your bank, perhaps incorporating a clone of the company's logo and other familiar details. This is designed to dupe you into trusting them with your personal data.
Whenever you are unexpectedly asked to hand over personal data, be wary – really scrutinise the message you have received and call the company or bank if you are at all suspicious. The same goes if you are contacted by phone and asked to provide personal information or install software – these scams are widespread, and the more you try to stay up-to-date with news of the latest tricks, the more likely you are to recognise the signs.
Watch out for strange behaviour on your device
Don't ignore any odd behaviour on your device. If the cursor moves without your input, or your microphone or webcam light comes on unexpectedly, this should set alarm bells ringing. Someone could be spying on you. If you receive an unusually high data bill at the end of the month with no discernible reason for it, this could be evidence of covert data transfer.
On your smartphone, odd behaviour could include the backlight illuminating or your phone connecting to the internet for no obvious reason. Spy applications also tend to use a lot of bandwidth as they upload logs to a remote server, so use a data monitoring app to monitor your bandwidth usage and check your app list to spot any apps you don’t recognise – and uninstall them if you are in any doubt.
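The advice above, monitor per-app bandwidth and look for apps you do not recognise, amounts to a simple detection rule. The script below is an added example written for this article, not code from the original post or from any data-monitoring app; it assumes the monitoring app can export daily per-app upload totals as CSV, and the usage lines, app names and the spike factor of 5 are all constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed daily per-app upload totals (bytes), in the shape a data-monitoring
# app might export. Format: date,app,uploaded_bytes. App names are invented.
SAMPLE_USAGE = """\
2015-11-01,com.example.mail,1200000
2015-11-01,com.example.browser,800000
2015-11-01,com.unknown.sysservice,150000
2015-11-02,com.example.mail,1100000
2015-11-02,com.example.browser,950000
2015-11-02,com.unknown.sysservice,160000
2015-11-03,com.example.mail,1300000
2015-11-03,com.example.browser,700000
2015-11-03,com.unknown.sysservice,9800000
"""


def parse_usage(text):
    """Parse CSV lines into {app: [(date, uploaded_bytes), ...]} in order of appearance."""
    by_app = defaultdict(list)
    for line in text.strip().splitlines():
        date, app, uploaded = line.split(",")
        by_app[app].append((date, int(uploaded)))
    return by_app


def flag_upload_spikes(by_app, factor=5, known_apps=()):
    """Return alerts as (date, app, reason, bytes) tuples.

    Two rules, matching the advice in the text:
      - an app's daily upload exceeds `factor` times its own median for the period
        (spyware uploading captured logs to a remote server);
      - an app is not on the list of apps the owner recognises.
    """
    alerts = []
    for app, days in by_app.items():
        baseline = median(b for _, b in days)
        for date, uploaded in days:
            if baseline > 0 and uploaded > factor * baseline:
                alerts.append((date, app, "upload spike", uploaded))
        if known_apps and app not in known_apps:
            alerts.append((None, app, "unrecognised app", sum(b for _, b in days)))
    # Unrecognised-app alerts (no date) sort first, then spikes by date and app.
    return sorted(alerts, key=lambda a: (a[0] or "", a[1]))


if __name__ == "__main__":
    usage = parse_usage(SAMPLE_USAGE)
    recognised = {"com.example.mail", "com.example.browser"}
    for date, app, reason, nbytes in flag_upload_spikes(usage, known_apps=recognised):
        print(f"{date or '-'}  {app:<28} {reason:<18} {nbytes:>10} bytes")
```

Using the app's own median as the baseline means a chatty but legitimate app (mail, browser) is not flagged for being busy, while a background app that suddenly uploads tens of times its normal volume is.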
Be aware of the risks associated with shared folders
If you have set up shared folders on a laptop to facilitate data sharing with colleagues, bear in mind that if you then use that laptop elsewhere, in a public place with Wi-Fi such as a café or hotel, you may be sharing it with a far wider audience than you'd initially intended.
Switch off Bluetooth when you don't need it
If you’re not using your Bluetooth connection, switch it off. This makes your phone less vulnerable to attack and has the added bonus of extending your phone’s battery life.
Strengthen physical security measures, too
Alongside technical security measures, you also need to consider the physical security of your devices. Plenty of security breaches are the result of theft or loss of equipment.
"Snatch and run" gadget theft is very common. You only need to be distracted for a few seconds and your phone, tablet or laptop could be taken. According to the technology research firm Gartner, a laptop is stolen every 53 seconds. When it comes to mobiles, Metropolitan Police figures reveal that the vast majority of thefts occur in bars, pubs or clubs (30%) or on public transport (38%), with thieves also striking at places of work (19%), in the street (6%) and elsewhere (8%).
Most laptops – and many other items of electronics equipment – incorporate a small, metal-reinforced hole known as a Kensington Security Slot. This lets you install a Kensington lock, which helps to protect your device from opportunist theft – particularly useful if you are using your laptop in public places.
You also need to think about the security of your business premises, including the quality of the locks, windows, doors, alarm systems, CCTV, and security lighting. Consider how people get access to the premises, and what system is in place for supervising visitors. Desktop computers should be positioned carefully so that they can't be viewed by casual passers-by, and old computers and hard drives need to be physically destroyed – never sold on, even after formatting.
You should also make regular data back-ups just in case you experience a theft or data breach despite your best efforts to protect your devices. Look out for our next blog covering this topic...