IT Security News Quarterly Update - Summer 2020

Following on from our spring quarterly IT Security update, which delved into general security issues around remote working, in this issue Jamie looks at the value of your business data.

Data security is vital for any business as the data you hold is one of your most important assets. Having the appropriate technical and organisational measures in place to mitigate any data security risks is a priority, even more so whilst your staff continue to work flexibly or work from home.

The value of data (A worrying thought!)

The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and, with maximum fines for some infringements set at €20 million or 4% of annual global turnover (whichever is greater), the price of personal data has never been so high. Unfortunately, hackers also know this and are always looking for ways to exploit you and your business.

Without going over all the intricacies of GDPR law, let me bring a few of the more relevant points to your attention.

The vast majority of GDPR fines have related to violations of articles 5, 6 and 32. For the purposes of this article, I’ve cut these down into the bullet points below and have removed anything that’s irrelevant, so we are left with the following summary points for each one:

  • Article 5 (data processing principles) states that personal data must be:
    • Processed in a manner that ensures appropriate security.
  • Article 6 (lawfulness of processing) states that personal data can only be processed:
    • To protect the data subject’s vital interests.
  • Article 32 (security of processing):
    • Requires data controllers and processors to implement “appropriate technical and organisational measures” to secure the personal data they process.

For this update, I want to focus specifically on Article 32 and the use of “appropriate technical and organisational measures” to secure the personal data businesses process. Therefore, let’s assume a hacker gains access to a company’s IT network and steals some of their business data. Consider the scenario:

The hackers gained access via a user called Steve Smith (apologies to any Steve Smiths out there!). Steve works for a relatively small business, Fictitious Limited, with 15 other users. Most of the users work from home at least twice a week and even more so in the current situation! IT security and data security aren’t really an issue here because everyone in the company is trusted and has worked here for many years. All the folders on the network, for example, can be accessed by everyone (except those for Finance and HR). The company has a central database that holds personal information on thousands of their clients. However, Steve never ever goes into the database. He doesn’t need it. Steve isn’t a huge fan of IT. Steve has a password of ‘Password’. When he is working from home, he accesses the corporate network via something called a PPTP VPN. All users use this VPN and have done for as long as they can remember.

So, we’ve painted our picture. However, Fictitious Limited is about to have a BIG problem…

A cyber-attacker gained access last night via the PPTP VPN using Steve’s nice secure password of Password. They subsequently downloaded the entire database from the company’s server to their own computer. Steve gets an e-mail from the hacker with some screenshots of information in the database, requesting a large payment; otherwise the attacker will release the entire database to the internet. Blackmail!

With the GDPR fines having been so big recently and the value of data being so high, and based on the company’s size and what it does, the hacker is asking for £10,000.

Fictitious Ltd get their IT Department to carry out an investigation, which confirms that a cyber-criminal has had access and that the screenshots appear to be authentic. At this point there is no good outcome for the company. The financial cost to them is going to be big whichever avenue they take here (regardless of any potential GDPR fines). They can either pay the blackmail fee and risk the attacker coming back for more, or releasing the database anyway. Or, they report it to the ICO and alert all their customers to the breach, which, because of the sensitive data involved, will damage the business and its reputation considerably. Customer trust will be damaged, and some customers may choose to leave completely. Additionally, the ICO will also want to know what technical and organisational measures the company had taken to secure the personal data it possessed… and so it makes for bleak reading.

As a company’s data is likely to be one of its most important operational assets, all organisations should take action to ensure that theirs remains protected and secure. With that in mind, let’s review the following points:

  1. Security isn’t really an issue here because everyone in the company is trusted and has worked here for many years. All the folders on the network, for example, can be accessed by everyone (except those for Finance and HR).
    - Security is ALWAYS an issue and it’s nothing to do with trust. It’s about limiting exposure. Staff should only have access to items on the network that they require to be able to do their job. Anything more and you aren’t showing trust, you are just compromising your security.
  2. The company has a central database that holds personal information on thousands of their clients. Steve never ever goes into the database. He doesn’t need it.
    - Case in point. If Steve didn’t need access to the database, why was the hacker able to get to it when logged in as him? Steve should never have had access in the first place.
  3. Steve isn’t a huge fan of IT. Steve has a password of ‘Password’.
    - Oops! Because Steve isn’t a huge fan of IT, using Password as a password is somehow taken to be okay. Fictitious Ltd should have put a password policy in place, but as everyone is trusted, they didn’t need to, right? Wrong. A password policy should always be established that meets specific length and character guidelines. Without proper guidelines, staff will use weak passwords.
  4. When he is working from home, he accesses the corporate network via something called a PPTP VPN. All users use this VPN and have done for as long as they can remember.
    - PPTP VPNs were first introduced in 1995 and are relatively unchanged. They are littered with security issues and should be avoided. If you are worried about your IT security at all, especially whilst your staff work from home, I would discourage using a PPTP VPN.

The moral to this scenario is, I promise you, that prevention is better than cure. Put in place robust IT security to protect your data as well as your company and customers.

If you would like any further information or advice on data security for your business or any other IT security issues around remote working, please don’t hesitate to contact me at security@ntsols.com.